Security fix for CVE-2023-43804

Resolves: RHEL-11992
This commit is contained in:
Lumir Balhar 2023-10-12 13:33:26 +02:00
parent 945e31f329
commit 82160f16b7
2 changed files with 55 additions and 1 deletions

39
CVE-2023-43804.patch Normal file
View File

@ -0,0 +1,39 @@
From 24603488c43a7cbaffcff7e69a72ad9bb4604acf Mon Sep 17 00:00:00 2001
From: Lumir Balhar <lbalhar@redhat.com>
Date: Thu, 12 Oct 2023 14:08:31 +0200
Subject: [PATCH] CVE-2023-43804
---
src/urllib3/util/retry.py | 2 +-
test/test_retry.py | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/urllib3/util/retry.py b/src/urllib3/util/retry.py
index 02429ee..c4a687c 100644
--- a/src/urllib3/util/retry.py
+++ b/src/urllib3/util/retry.py
@@ -151,7 +151,7 @@ class Retry(object):
RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
- DEFAULT_REDIRECT_HEADERS_BLACKLIST = frozenset(['Authorization'])
+ DEFAULT_REDIRECT_HEADERS_BLACKLIST = frozenset(['Cookie', 'Authorization'])
#: Maximum backoff time.
BACKOFF_MAX = 120
diff --git a/test/test_retry.py b/test/test_retry.py
index 7546c43..b6d52bf 100644
--- a/test/test_retry.py
+++ b/test/test_retry.py
@@ -253,7 +253,7 @@ class TestRetry(object):
def test_retry_default_remove_headers_on_redirect(self):
retry = Retry()
- assert list(retry.remove_headers_on_redirect) == ['authorization']
+ assert retry.remove_headers_on_redirect == {'authorization', 'cookie'}
def test_retry_set_remove_headers_on_redirect(self):
retry = Retry(remove_headers_on_redirect=['x-api-secret'])
--
2.41.0

View File

@ -2,7 +2,7 @@
Name: python-%{srcname} Name: python-%{srcname}
Version: 1.24.2 Version: 1.24.2
Release: 5%{?dist} Release: 6%{?dist}
Summary: Python HTTP library with thread-safe connection pooling and file post Summary: Python HTTP library with thread-safe connection pooling and file post
License: MIT License: MIT
@ -32,6 +32,16 @@ Patch2: Enable_TLS_1.3_post-handshake_authentication.patch
# Resolved upstream: https://github.com/urllib3/urllib3/pull/1800 # Resolved upstream: https://github.com/urllib3/urllib3/pull/1800
Patch3: CVE-2020-26137.patch Patch3: CVE-2020-26137.patch
# CVE-2023-43804
# Added the `Cookie` header to the list of headers to strip from
# requests when redirecting to a different host. As before, different headers
# can be set via `Retry.remove_headers_on_redirect`.
# Tests backported only partially as we don't use the whole part of
# testing with dummyserver.
# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=2242493
# Upstream fix: https://github.com/urllib3/urllib3/commit/01220354d389cd05474713f8c982d05c9b17aafb
Patch4: CVE-2023-43804.patch
%description %description
Python HTTP module with connection pooling and file POST abilities. Python HTTP module with connection pooling and file POST abilities.
@ -61,6 +71,7 @@ Python3 HTTP module with connection pooling and file POST abilities.
%patch1 -p1 %patch1 -p1
%patch2 -p1 %patch2 -p1
%patch3 -p1 %patch3 -p1
%patch4 -p1
# Make sure that the RECENT_DATE value doesn't get too far behind what the current date is. # Make sure that the RECENT_DATE value doesn't get too far behind what the current date is.
# RECENT_DATE must not be older that 2 years from the build time, or else test_recent_date # RECENT_DATE must not be older that 2 years from the build time, or else test_recent_date
@ -136,6 +147,10 @@ popd
%changelog %changelog
* Thu Oct 12 2023 Lumír Balhar <lbalhar@redhat.com> - 1.24.2-6
- Security fix for CVE-2023-43804
Resolves: RHEL-11992
* Mon Nov 09 2020 Charalampos Stratakis <cstratak@redhat.com> - 1.24.2-5 * Mon Nov 09 2020 Charalampos Stratakis <cstratak@redhat.com> - 1.24.2-5
- Security fix for CVE-2020-26137 - Security fix for CVE-2020-26137
Resolves: rhbz#1883889 Resolves: rhbz#1883889