From b9a93531ed652673351d49884cb179265821aa29 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Hrn=C4=8Diar?=
Date: Wed, 26 Jun 2024 15:59:35 +0200
Subject: [PATCH] Security fix for CVE-2024-37891

Resolves: RHEL-43172
---
 CVE-2024-37891.patch | 66 ++++++++++++++++++++++++++++++++++++++++++++
 python-urllib3.spec | 8 ++++++
 2 files changed, 74 insertions(+)
 create mode 100644 CVE-2024-37891.patch

diff --git a/CVE-2024-37891.patch b/CVE-2024-37891.patch
new file mode 100644
index 0000000..8860e52
--- /dev/null
+++ b/CVE-2024-37891.patch
@@ -0,0 +1,66 @@
+From 3606f6166c000213f1e1e9bace3c12f924dd0132 Mon Sep 17 00:00:00 2001
+From: Quentin Pradet
+Date: Wed, 26 Jun 2024 15:56:34 +0200
+Subject: [PATCH] Merge pull request from GHSA-34jh-p97f-mpxf
+
+* [1.26] Strip Proxy-Authorization header on redirects
+
+* Set release date
+---
+ src/urllib3/util/retry.py | 4 +++-
+ test/test_retry.py | 6 +++++-
+ test/test_retry_deprecated.py | 6 +++++-
+ 3 files changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/src/urllib3/util/retry.py b/src/urllib3/util/retry.py
+index 63c02ee..42fa619 100644
+--- a/src/urllib3/util/retry.py
++++ b/src/urllib3/util/retry.py
+@@ -217,7 +217,9 @@ class Retry(object):
+ RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
+
+ #: Default headers to be used for ``remove_headers_on_redirect``
+- DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
++ DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(
++ ["Cookie", "Authorization", "Proxy-Authorization"]
++ )
+
+ #: Maximum backoff time.
+ BACKOFF_MAX = 120
+diff --git a/test/test_retry.py b/test/test_retry.py
+index e9270bb..cf60bf1 100644
+--- a/test/test_retry.py
++++ b/test/test_retry.py
+@@ -293,7 +293,11 @@ class TestRetry(object):
+ def test_retry_default_remove_headers_on_redirect(self):
+ retry = Retry()
+
+- assert retry.remove_headers_on_redirect == {"authorization", "cookie"}
++ assert retry.remove_headers_on_redirect == {
++ "authorization",
++ "proxy-authorization",
++ "cookie",
++ }
+
+ def test_retry_set_remove_headers_on_redirect(self):
+ retry = Retry(remove_headers_on_redirect=["X-API-Secret"])
+diff --git a/test/test_retry_deprecated.py b/test/test_retry_deprecated.py
+index d18f94c..a107f7b 100644
+--- a/test/test_retry_deprecated.py
++++ b/test/test_retry_deprecated.py
+@@ -295,7 +295,11 @@ class TestRetry(object):
+ def test_retry_default_remove_headers_on_redirect(self):
+ retry = Retry()
+
+- assert retry.remove_headers_on_redirect == {"authorization", "cookie"}
++ assert retry.remove_headers_on_redirect == {
++ "authorization",
++ "proxy-authorization",
++ "cookie",
++ }
+
+ def test_retry_set_remove_headers_on_redirect(self):
+ retry = Retry(remove_headers_on_redirect=["X-API-Secret"])
+--
+2.44.0
+
diff --git a/python-urllib3.spec b/python-urllib3.spec
index aaf65e1..eb4e3a1 100644
--- a/python-urllib3.spec
+++ b/python-urllib3.spec
@@ -37,6 +37,12 @@ Patch2: CVE-2023-45803.patch
 # Upstream fix: https://github.com/urllib3/urllib3/commit/f1d40fd07f7b5d9cf846a18fb5a920b4be07dfc5
 Patch3: Add-server_hostname-to-SSL_KEYWORDS.patch
 
+# CVE-2024-37891
+# Proxy-authorization request header is not stripped during cross-origin redirects.
+# Tracking bug: https://issues.redhat.com/browse/RHEL-43172
+# Upstream fix: https://github.com/urllib3/urllib3/commit/40b6d1605814dd1db0a46e202d6e56f2e4c9a468
+Patch4: CVE-2024-37891.patch
+
 %description
 Python HTTP module with connection pooling and file POST abilities.
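Review bot: The retry.py part of the backported patch widens only `DEFAULT_REMOVE_HEADERS_ON_REDIRECT`; the `test_retry_set_remove_headers_on_redirect` lines in the same hunk show that `Retry(remove_headers_on_redirect=[...])` lets a caller supply its own header list, and as far as these lines show that list replaces the default rather than extending it, so such callers will keep forwarding Proxy-Authorization across cross-origin redirects unless they add it themselves. Nothing in the backport itself needs to change for that, but the limitation is worth recording next to Patch4 in the spec so packagers and downstream users do not assume every Retry configuration is covered, e.g. `# Note: only the default remove_headers_on_redirect set changes; callers passing their own list must include Proxy-Authorization.`. The Retry class and both TestRetry classes extend beyond the lines shown in the nested patch, so whether the default is merged or replaced cannot be confirmed from this hunk alone.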
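Review bot: The `Release:` tag is not bumped alongside the new `Patch4:` line — the diffstat's 8 spec insertions are fully accounted for by the six lines here plus the two changelog lines in the next hunk, which are folded into the existing `1.26.5-6` entry rather than starting a new one. If `1.26.5-6` has already been built, the rebuilt package keeps the same NVR and the security fix would not be picked up as an update; the usual shape is a new `* <date> <author> - 1.26.5-7` changelog entry with a matching `Release:` bump. If the spec applies patches through explicit `%patchN` lines rather than `%autosetup`, Patch4 also needs a corresponding apply line; that part of the spec is outside this hunk, so this is inferred from the diffstat only.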
@@ -140,8 +146,10 @@ ln -s %{python3_sitelib}/__pycache__/six.cpython-%{python3_version_nodots}.pyc \ %changelog * Tue Jun 18 2024 Tomáš Hrnčiar - 1.26.5-6 +- Security fix for CVE-2024-37891 - Backport upstream patch to fix TypeError for http connection if the PoolManager - is instantiated with server_hostname +Resolves: RHEL-43172 Resolves: RHEL-39285 * Tue Dec 12 2023 Lumír Balhar - 1.26.5-5