diff --git a/SOURCES/CVE-2020-26137.patch b/SOURCES/CVE-2020-26137.patch new file mode 100644 index 0000000..1ca32a8 --- /dev/null +++ b/SOURCES/CVE-2020-26137.patch @@ -0,0 +1,37 @@ +diff --git a/src/urllib3/connection.py b/src/urllib3/connection.py +index 02b3665..1ab1890 100644 +--- a/src/urllib3/connection.py ++++ b/src/urllib3/connection.py +@@ -1,4 +1,5 @@ + from __future__ import absolute_import ++import re + import datetime + import logging + import os +@@ -61,6 +62,8 @@ port_by_scheme = { + # after 2016-01-01 (today - 2 years) AND before 2017-07-01 (today - 6 months) + RECENT_DATE = datetime.date(2017, 6, 30) + ++_CONTAINS_CONTROL_CHAR_RE = re.compile(r"[^-!#$%&'*+.^_`|~0-9a-zA-Z]") ++ + + class DummyConnection(object): + """Used to detect a failed ConnectionCls import.""" +@@ -181,6 +184,17 @@ class HTTPConnection(_HTTPConnection, object): + conn = self._new_conn() + self._prepare_conn(conn) + ++ def putrequest(self, method, url, *args, **kwargs): ++ """Send a request to the server""" ++ match = _CONTAINS_CONTROL_CHAR_RE.search(method) ++ if match: ++ raise ValueError( ++ "Method cannot contain non-token characters %r (found at least %r)" ++ % (method, match.group()) ++ ) ++ ++ return _HTTPConnection.putrequest(self, method, url, *args, **kwargs) ++ + def request_chunked(self, method, url, body=None, headers=None): + """ + Alternative to the common request method, which sends the diff --git a/SPECS/python-urllib3.spec b/SPECS/python-urllib3.spec index 6cd889b..3d1d787 100644 --- a/SPECS/python-urllib3.spec +++ b/SPECS/python-urllib3.spec @@ -2,7 +2,7 @@ Name: python-%{srcname} Version: 1.24.2 -Release: 4%{?dist} +Release: 5%{?dist} Summary: Python HTTP library with thread-safe connection pooling and file post License: MIT @@ -21,11 +21,17 @@ BuildArch: noarch # - Superfluous commits were omitted (flake8 checks, travis settings, macos patch) # * https://github.com/urllib3/urllib3/pull/1593 Patch1: CVE-2019-11236.patch + # Enable post-handshake authentication for TLS 1.3 # - https://github.com/urllib3/urllib3/issues/1634 # - https://bugzilla.redhat.com/show_bug.cgi?id=1726743 Patch2: Enable_TLS_1.3_post-handshake_authentication.patch +# CVE-2020-26137 +# CRLF injection via HTTP request method +# Resolved upstream: https://github.com/urllib3/urllib3/pull/1800 +Patch3: CVE-2020-26137.patch + %description Python HTTP module with connection pooling and file POST abilities. @@ -54,6 +60,7 @@ Python3 HTTP module with connection pooling and file POST abilities. %patch1 -p1 %patch2 -p1 +%patch3 -p1 # Make sure that the RECENT_DATE value doesn't get too far behind what the current date is. # RECENT_DATE must not be older that 2 years from the build time, or else test_recent_date @@ -129,6 +136,10 @@ popd %changelog +* Mon Nov 09 2020 Charalampos Stratakis - 1.24.2-5 +- Security fix for CVE-2020-26137 +Resolves: rhbz#1883889 + * Wed Oct 30 2019 Anna Khaitovich - 1.24.2-4 - Update RECENT_DATE dynamically Resolves: rhbz#1761380