From 81bb5e162b6c1501bf5f5294f001916342f1c821 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Hrn=C4=8Diar?= <thrnciar@redhat.com>
Date: Wed, 3 Jun 2026 15:58:47 +0200
Subject: [PATCH] Security fix for CVE-2026-44431 and CVE-2026-44432

- Resolves: RHEL-184816
- Resolves: RHEL-185123
---
 CVE-2026-44431.patch |  57 ++++++++++++++++++
 CVE-2026-44432.patch | 137 +++++++++++++++++++++++++++++++++++++++++++
 python-urllib3.spec  |   9 ++-
 3 files changed, 202 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2026-44431.patch
 create mode 100644 CVE-2026-44432.patch

diff --git a/CVE-2026-44431.patch b/CVE-2026-44431.patch
new file mode 100644
index 0000000..716d7b7
--- /dev/null
+++ b/CVE-2026-44431.patch
@@ -0,0 +1,57 @@
+From 90da7b0eeef49a141ea91360dd919c3739e96445 Mon Sep 17 00:00:00 2001
+From: Illia Volochii <illia.volochii@gmail.com>
+Date: Wed, 3 Jun 2026 15:55:18 +0200
+Subject: [PATCH] CVE-2026-44431
+
+* Remove sensitive headers in proxy pools too
+
+* Add a changelog entry
+
+* Check retries history in tests
+
+Co-authored-by: Copilot <copilot@github.com>
+
+---------
+
+Co-authored-by: Copilot <copilot@github.com>
+---
+ changelog/GHSA-qccp-gfcp-xxvc.bugfix.rst |  3 +++
+ src/urllib3/connectionpool.py            | 12 ++++++++++++
+ 2 files changed, 15 insertions(+)
+ create mode 100644 changelog/GHSA-qccp-gfcp-xxvc.bugfix.rst
+
+diff --git a/changelog/GHSA-qccp-gfcp-xxvc.bugfix.rst b/changelog/GHSA-qccp-gfcp-xxvc.bugfix.rst
+new file mode 100644
+index 0000000..bac765e
+--- /dev/null
++++ b/changelog/GHSA-qccp-gfcp-xxvc.bugfix.rst
+@@ -0,0 +1,3 @@
++Fixed HTTP pools created using ``ProxyManager.connection_from_url`` to strip
++sensitive headers specified in ``Retry.remove_headers_on_redirect`` when
++redirecting to a different host.
+diff --git a/src/urllib3/connectionpool.py b/src/urllib3/connectionpool.py
+index 8f9ebb5..923a5d9 100644
+--- a/src/urllib3/connectionpool.py
++++ b/src/urllib3/connectionpool.py
+@@ -807,6 +807,18 @@ class HTTPConnectionPool(ConnectionPool, RequestMethods):
+                 body = None
+                 headers = HTTPHeaderDict(headers)._prepare_for_method_change()
+ 
++            # Strip headers marked as unsafe to forward to the redirected location.
++            # Check remove_headers_on_redirect to avoid a potential network call within
++            # self.is_same_host() which may use socket.gethostbyname() in the future.
++            if retries.remove_headers_on_redirect and not self.is_same_host(
++                redirect_location
++            ):
++                new_headers = headers.copy()  # type: ignore[union-attr]
++                for header in headers:
++                    if header.lower() in retries.remove_headers_on_redirect:
++                        new_headers.pop(header, None)
++                headers = new_headers
++
+             try:
+                 retries = retries.increment(method, url, response=response, _pool=self)
+             except MaxRetryError:
+-- 
+2.54.0
+
diff --git a/CVE-2026-44432.patch b/CVE-2026-44432.patch
new file mode 100644
index 0000000..0926d34
--- /dev/null
+++ b/CVE-2026-44432.patch
@@ -0,0 +1,137 @@
+From 377ecb4c3bb1bc5e196f13ed7418c3d4b6380afc Mon Sep 17 00:00:00 2001
+From: Illia Volochii <illia.volochii@gmail.com>
+Date: Wed, 3 Jun 2026 13:02:33 +0200
+Subject: [PATCH] CVE-2026-44432
+
+* Avoid any decoding in `HTTPResponse.drain_conn`
+
+* Add a comment
+
+* Simplify `drain_conn`
+
+* Add tests
+
+* Add additional checks to the test
+
+* Fix full decompression on the 2nd small read from response using Brotli
+
+* Add a changelog entry
+
+* Inverse the order in the changelog entry
+
+* Mention `stream` call
+---
+ changelog/GHSA-mf9v-mfxr-j63j.bugfix.rst |  7 +++++++
+ src/urllib3/response.py                  | 17 +++++++++++------
+ test/test_response.py                    | 24 +++++++++++++++++++++---
+ 3 files changed, 39 insertions(+), 9 deletions(-)
+ create mode 100644 changelog/GHSA-mf9v-mfxr-j63j.bugfix.rst
+
+diff --git a/changelog/GHSA-mf9v-mfxr-j63j.bugfix.rst b/changelog/GHSA-mf9v-mfxr-j63j.bugfix.rst
+new file mode 100644
+index 0000000..ac70af8
+--- /dev/null
++++ b/changelog/GHSA-mf9v-mfxr-j63j.bugfix.rst
+@@ -0,0 +1,7 @@
++Fixed two high-severity security issues where decompression-bomb safeguards of the streaming API were bypassed:
++
++
++1. When ``HTTPResponse.drain_conn()`` was called after the response had been read and decompressed partially.
++2. During the second ``HTTPResponse.read(amt=N)`` or ``HTTPResponse.stream(amt=N)`` call when the response was decompressed using the official `Brotli <https://pypi.org/project/brotli/>`__ library.
++
++See `GHSA-mf9v-mfxr-j63j <https://github.com/urllib3/urllib3/security/advisories/GHSA-mf9v-mfxr-j63j>`__ for details.
+diff --git a/src/urllib3/response.py b/src/urllib3/response.py
+index 1357d65..76c56d2 100644
+--- a/src/urllib3/response.py
++++ b/src/urllib3/response.py
+@@ -480,13 +480,14 @@ class HTTPResponse(io.IOBase):
+         Unread data in the HTTPResponse connection blocks the connection from being released back to the pool.
+         """
+         try:
+-            self.read(
+-                # Do not spend resources decoding the content unless
+-                # decoding has already been initiated.
+-                decode_content=self._has_decoded_content,
+-            )
++            self._raw_read()
+         except (HTTPError, SocketError, BaseSSLError, HTTPException):
+             pass
++        if self._has_decoded_content:
++            # `_raw_read` skips decompression, so we should clean up the
++            # decoder to avoid keeping unnecessary data in memory.
++            self._decoded_buffer = BytesQueueBuffer()
++            self._decoder = None
+ 
+     @property
+     def data(self):
+@@ -800,7 +801,11 @@ class HTTPResponse(io.IOBase):
+         if amt is not None:
+             cache_content = False
+ 
+-            if self._decoder and self._decoder.has_unconsumed_tail:
++            if (
++                self._decoder
++                and self._decoder.has_unconsumed_tail
++                and len(self._decoded_buffer) < amt
++            ):
+                 decoded_data = self._decode(
+                     b"",
+                     decode_content,
+diff --git a/test/test_response.py b/test/test_response.py
+index 597ce46..b0539e5 100644
+--- a/test/test_response.py
++++ b/test/test_response.py
+@@ -469,22 +469,33 @@ class TestResponse(object):
+             pytest.skip(f"Proper {request.node.callspec.id} decoder is not available")
+ 
+         name, compressed_data = data
+-        limit = 1024 * 1024  # 1 MiB
++        limit1 = 1024 * 1024  # 1 MiB
++        # We test with two read calls because the second call may be
++        # able to use the internal buffer filled by the first call, and
++        # we want to ensure that full decompression is never triggered
++        # by the second call. The limit for the second call is lowered
++        # to make sure that the internal buffer is used for the Brotli
++        # case specifically https://github.com/google/brotli/issues/1396
++        limit2 = 1024  # 1 KiB
+         if read_method in ("read_chunked", "stream"):
+             httplib_r = httplib.HTTPResponse(MockSock)  # type: ignore[arg-type]
++            httplib_r.chunked = True
++            httplib_r.chunk_left = 1
+             httplib_r.fp = MockChunkedEncodingResponse([compressed_data])  # type: ignore[assignment]
+             r = HTTPResponse(
+                 httplib_r,
+                 preload_content=False,
+                 headers={"transfer-encoding": "chunked", "content-encoding": name},
+             )
+-            next(getattr(r, read_method)(amt=limit, decode_content=True))
++            for limit in (limit1, limit2):
++                next(getattr(r, read_method)(amt=limit, decode_content=True))
+         else:
+             fp = BytesIO(compressed_data)
+             r = HTTPResponse(
+                 fp, headers={"content-encoding": name}, preload_content=False
+             )
+-            getattr(r, read_method)(amt=limit, decode_content=True)
++            for limit in (limit1, limit2):
++                getattr(r, read_method)(amt=limit, decode_content=True)
+ 
+         # Check that the internal decoded buffer is empty unless brotli
+         # is used.
+@@ -494,6 +505,13 @@ class TestResponse(object):
+         if name != "br" or brotli.__name__ == "brotlicffi":
+             assert len(r._decoded_buffer) == 0
+ 
++        # Check that memory usage is still within the limit while the
++        # connection is being drained, meaning that the call does not
++        # decompress the whole content.
++        r.drain_conn()
++        assert r._decoder is None
++        assert len(r._decoded_buffer) == 0
++
+     def test_multi_decoding_deflate_deflate(self):
+         data = zlib.compress(zlib.compress(b"foo"))
+ 
+-- 
+2.54.0
+
diff --git a/python-urllib3.spec b/python-urllib3.spec
index 06abc61..202c0bf 100644
--- a/python-urllib3.spec
+++ b/python-urllib3.spec
@@ -6,7 +6,7 @@
 
 Name:           python-%{srcname}
 Version:        1.26.5
-Release:        7%{?dist}
+Release:        8%{?dist}
 Summary:        Python HTTP library with thread-safe connection pooling and file post
 
 License:        MIT
@@ -46,6 +46,9 @@ Patch4: CVE-2024-37891.patch
 Patch5: CVE-2025-66471.patch
 Patch6: CVE-2025-66418.patch
 Patch7: CVE-2026-21441.patch
+Patch8: CVE-2026-44431.patch
+Patch9: CVE-2026-44432.patch
+
 
 %description
 Python HTTP module with connection pooling and file POST abilities.
@@ -149,6 +152,10 @@ ln -s %{python3_sitelib}/__pycache__/six.cpython-%{python3_version_nodots}.pyc \
 
 
 %changelog
+* Wed Jun 03 2026 Tomáš Hrnčiar <thrnciar@redhat.com> - 1.26.5-8
+- Security fix for CVE-2026-44431 and CVE-2026-44432
+Resolves: RHEL-184816, RHEL-185123
+
 * Tue Jan 27 2026 Miro Hrončok <mhroncok@redhat.com> - 1.26.5-7
 - Security fix for CVE-2025-66471
 - Security fix for CVE-2025-66418