Security fix for CVE-2024-37891

Resolves: RHEL-43172

CVE-2024-37891.patch

@@ -0,0 +1,66 @@
+From 3606f6166c000213f1e1e9bace3c12f924dd0132 Mon Sep 17 00:00:00 2001
+From: Quentin Pradet <quentin.pradet@gmail.com>
+Date: Wed, 26 Jun 2024 15:56:34 +0200
+Subject: [PATCH] Merge pull request from GHSA-34jh-p97f-mpxf
+
+* [1.26] Strip Proxy-Authorization header on redirects
+
+* Set release date
+---
+ src/urllib3/util/retry.py     | 4 +++-
+ test/test_retry.py            | 6 +++++-
+ test/test_retry_deprecated.py | 6 +++++-
+ 3 files changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/src/urllib3/util/retry.py b/src/urllib3/util/retry.py
+index 63c02ee..42fa619 100644
+--- a/src/urllib3/util/retry.py
++++ b/src/urllib3/util/retry.py
+@@ -217,7 +217,9 @@ class Retry(object):
+     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
+ 
+     #: Default headers to be used for ``remove_headers_on_redirect``
+-    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
++    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(
++        ["Cookie", "Authorization", "Proxy-Authorization"]
++    )
+ 
+     #: Maximum backoff time.
+     BACKOFF_MAX = 120
+diff --git a/test/test_retry.py b/test/test_retry.py
+index e9270bb..cf60bf1 100644
+--- a/test/test_retry.py
++++ b/test/test_retry.py
+@@ -293,7 +293,11 @@ class TestRetry(object):
+     def test_retry_default_remove_headers_on_redirect(self):
+         retry = Retry()
+ 
+-        assert retry.remove_headers_on_redirect == {"authorization", "cookie"}
++        assert retry.remove_headers_on_redirect == {
++            "authorization",
++            "proxy-authorization",
++            "cookie",
++        }
+ 
+     def test_retry_set_remove_headers_on_redirect(self):
+         retry = Retry(remove_headers_on_redirect=["X-API-Secret"])
+diff --git a/test/test_retry_deprecated.py b/test/test_retry_deprecated.py
+index d18f94c..a107f7b 100644
+--- a/test/test_retry_deprecated.py
++++ b/test/test_retry_deprecated.py
+@@ -295,7 +295,11 @@ class TestRetry(object):
+     def test_retry_default_remove_headers_on_redirect(self):
+         retry = Retry()
+ 
+-        assert retry.remove_headers_on_redirect == {"authorization", "cookie"}
++        assert retry.remove_headers_on_redirect == {
++            "authorization",
++            "proxy-authorization",
++            "cookie",
++        }
+ 
+     def test_retry_set_remove_headers_on_redirect(self):
+         retry = Retry(remove_headers_on_redirect=["X-API-Secret"])
+-- 
+2.44.0
+

python-urllib3.spec

@@ -37,6 +37,12 @@ Patch2: CVE-2023-45803.patch
 # Upstream fix: https://github.com/urllib3/urllib3/commit/f1d40fd07f7b5d9cf846a18fb5a920b4be07dfc5
 Patch3: Add-server_hostname-to-SSL_KEYWORDS.patch
 
+# CVE-2024-37891
+# Proxy-authorization request header is not stripped during cross-origin redirects.
+# Tracking bug: https://issues.redhat.com/browse/RHEL-43172
+# Upstream fix: https://github.com/urllib3/urllib3/commit/40b6d1605814dd1db0a46e202d6e56f2e4c9a468
+Patch4: CVE-2024-37891.patch
+
 %description
 Python HTTP module with connection pooling and file POST abilities.
 
@@ -140,8 +146,10 @@ ln -s %{python3_sitelib}/__pycache__/six.cpython-%{python3_version_nodots}.pyc \
 
 %changelog
 * Tue Jun 18 2024 Tomáš Hrnčiar <thrnciar@redhat.com> - 1.26.5-6
+- Security fix for CVE-2024-37891
 - Backport upstream patch to fix TypeError for http connection if the PoolManager
 - is instantiated with server_hostname
+Resolves: RHEL-43172
 Resolves: RHEL-39285
 
 * Tue Dec 12 2023 Lumír Balhar <lbalhar@redhat.com> - 1.26.5-5