import UBI python-urllib3-1.26.5-8.el9_8
This commit is contained in:
parent
9562c8fa97
commit
d30f684bd5
57
SOURCES/CVE-2026-44431.patch
Normal file
57
SOURCES/CVE-2026-44431.patch
Normal file
@ -0,0 +1,57 @@
|
|||||||
|
From 90da7b0eeef49a141ea91360dd919c3739e96445 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Illia Volochii <illia.volochii@gmail.com>
|
||||||
|
Date: Wed, 3 Jun 2026 15:55:18 +0200
|
||||||
|
Subject: [PATCH] CVE-2026-44431
|
||||||
|
|
||||||
|
* Remove sensitive headers in proxy pools too
|
||||||
|
|
||||||
|
* Add a changelog entry
|
||||||
|
|
||||||
|
* Check retries history in tests
|
||||||
|
|
||||||
|
Co-authored-by: Copilot <copilot@github.com>
|
||||||
|
|
||||||
|
---------
|
||||||
|
|
||||||
|
Co-authored-by: Copilot <copilot@github.com>
|
||||||
|
---
|
||||||
|
changelog/GHSA-qccp-gfcp-xxvc.bugfix.rst | 3 +++
|
||||||
|
src/urllib3/connectionpool.py | 12 ++++++++++++
|
||||||
|
2 files changed, 15 insertions(+)
|
||||||
|
create mode 100644 changelog/GHSA-qccp-gfcp-xxvc.bugfix.rst
|
||||||
|
|
||||||
|
diff --git a/changelog/GHSA-qccp-gfcp-xxvc.bugfix.rst b/changelog/GHSA-qccp-gfcp-xxvc.bugfix.rst
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..bac765e
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/changelog/GHSA-qccp-gfcp-xxvc.bugfix.rst
|
||||||
|
@@ -0,0 +1,3 @@
|
||||||
|
+Fixed HTTP pools created using ``ProxyManager.connection_from_url`` to strip
|
||||||
|
+sensitive headers specified in ``Retry.remove_headers_on_redirect`` when
|
||||||
|
+redirecting to a different host.
|
||||||
|
diff --git a/src/urllib3/connectionpool.py b/src/urllib3/connectionpool.py
|
||||||
|
index 8f9ebb5..923a5d9 100644
|
||||||
|
--- a/src/urllib3/connectionpool.py
|
||||||
|
+++ b/src/urllib3/connectionpool.py
|
||||||
|
@@ -807,6 +807,18 @@ class HTTPConnectionPool(ConnectionPool, RequestMethods):
|
||||||
|
body = None
|
||||||
|
headers = HTTPHeaderDict(headers)._prepare_for_method_change()
|
||||||
|
|
||||||
|
+ # Strip headers marked as unsafe to forward to the redirected location.
|
||||||
|
+ # Check remove_headers_on_redirect to avoid a potential network call within
|
||||||
|
+ # self.is_same_host() which may use socket.gethostbyname() in the future.
|
||||||
|
+ if retries.remove_headers_on_redirect and not self.is_same_host(
|
||||||
|
+ redirect_location
|
||||||
|
+ ):
|
||||||
|
+ new_headers = headers.copy() # type: ignore[union-attr]
|
||||||
|
+ for header in headers:
|
||||||
|
+ if header.lower() in retries.remove_headers_on_redirect:
|
||||||
|
+ new_headers.pop(header, None)
|
||||||
|
+ headers = new_headers
|
||||||
|
+
|
||||||
|
try:
|
||||||
|
retries = retries.increment(method, url, response=response, _pool=self)
|
||||||
|
except MaxRetryError:
|
||||||
|
--
|
||||||
|
2.54.0
|
||||||
|
|
||||||
137
SOURCES/CVE-2026-44432.patch
Normal file
137
SOURCES/CVE-2026-44432.patch
Normal file
@ -0,0 +1,137 @@
|
|||||||
|
From 377ecb4c3bb1bc5e196f13ed7418c3d4b6380afc Mon Sep 17 00:00:00 2001
|
||||||
|
From: Illia Volochii <illia.volochii@gmail.com>
|
||||||
|
Date: Wed, 3 Jun 2026 13:02:33 +0200
|
||||||
|
Subject: [PATCH] CVE-2026-44432
|
||||||
|
|
||||||
|
* Avoid any decoding in `HTTPResponse.drain_conn`
|
||||||
|
|
||||||
|
* Add a comment
|
||||||
|
|
||||||
|
* Simplify `drain_conn`
|
||||||
|
|
||||||
|
* Add tests
|
||||||
|
|
||||||
|
* Add additional checks to the test
|
||||||
|
|
||||||
|
* Fix full decompression on the 2nd small read from response using Brotli
|
||||||
|
|
||||||
|
* Add a changelog entry
|
||||||
|
|
||||||
|
* Inverse the order in the changelog entry
|
||||||
|
|
||||||
|
* Mention `stream` call
|
||||||
|
---
|
||||||
|
changelog/GHSA-mf9v-mfxr-j63j.bugfix.rst | 7 +++++++
|
||||||
|
src/urllib3/response.py | 17 +++++++++++------
|
||||||
|
test/test_response.py | 24 +++++++++++++++++++++---
|
||||||
|
3 files changed, 39 insertions(+), 9 deletions(-)
|
||||||
|
create mode 100644 changelog/GHSA-mf9v-mfxr-j63j.bugfix.rst
|
||||||
|
|
||||||
|
diff --git a/changelog/GHSA-mf9v-mfxr-j63j.bugfix.rst b/changelog/GHSA-mf9v-mfxr-j63j.bugfix.rst
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..ac70af8
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/changelog/GHSA-mf9v-mfxr-j63j.bugfix.rst
|
||||||
|
@@ -0,0 +1,7 @@
|
||||||
|
+Fixed two high-severity security issues where decompression-bomb safeguards of the streaming API were bypassed:
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+1. When ``HTTPResponse.drain_conn()`` was called after the response had been read and decompressed partially.
|
||||||
|
+2. During the second ``HTTPResponse.read(amt=N)`` or ``HTTPResponse.stream(amt=N)`` call when the response was decompressed using the official `Brotli <https://pypi.org/project/brotli/>`__ library.
|
||||||
|
+
|
||||||
|
+See `GHSA-mf9v-mfxr-j63j <https://github.com/urllib3/urllib3/security/advisories/GHSA-mf9v-mfxr-j63j>`__ for details.
|
||||||
|
diff --git a/src/urllib3/response.py b/src/urllib3/response.py
|
||||||
|
index 1357d65..76c56d2 100644
|
||||||
|
--- a/src/urllib3/response.py
|
||||||
|
+++ b/src/urllib3/response.py
|
||||||
|
@@ -480,13 +480,14 @@ class HTTPResponse(io.IOBase):
|
||||||
|
Unread data in the HTTPResponse connection blocks the connection from being released back to the pool.
|
||||||
|
"""
|
||||||
|
try:
|
||||||
|
- self.read(
|
||||||
|
- # Do not spend resources decoding the content unless
|
||||||
|
- # decoding has already been initiated.
|
||||||
|
- decode_content=self._has_decoded_content,
|
||||||
|
- )
|
||||||
|
+ self._raw_read()
|
||||||
|
except (HTTPError, SocketError, BaseSSLError, HTTPException):
|
||||||
|
pass
|
||||||
|
+ if self._has_decoded_content:
|
||||||
|
+ # `_raw_read` skips decompression, so we should clean up the
|
||||||
|
+ # decoder to avoid keeping unnecessary data in memory.
|
||||||
|
+ self._decoded_buffer = BytesQueueBuffer()
|
||||||
|
+ self._decoder = None
|
||||||
|
|
||||||
|
@property
|
||||||
|
def data(self):
|
||||||
|
@@ -800,7 +801,11 @@ class HTTPResponse(io.IOBase):
|
||||||
|
if amt is not None:
|
||||||
|
cache_content = False
|
||||||
|
|
||||||
|
- if self._decoder and self._decoder.has_unconsumed_tail:
|
||||||
|
+ if (
|
||||||
|
+ self._decoder
|
||||||
|
+ and self._decoder.has_unconsumed_tail
|
||||||
|
+ and len(self._decoded_buffer) < amt
|
||||||
|
+ ):
|
||||||
|
decoded_data = self._decode(
|
||||||
|
b"",
|
||||||
|
decode_content,
|
||||||
|
diff --git a/test/test_response.py b/test/test_response.py
|
||||||
|
index 597ce46..b0539e5 100644
|
||||||
|
--- a/test/test_response.py
|
||||||
|
+++ b/test/test_response.py
|
||||||
|
@@ -469,22 +469,33 @@ class TestResponse(object):
|
||||||
|
pytest.skip(f"Proper {request.node.callspec.id} decoder is not available")
|
||||||
|
|
||||||
|
name, compressed_data = data
|
||||||
|
- limit = 1024 * 1024 # 1 MiB
|
||||||
|
+ limit1 = 1024 * 1024 # 1 MiB
|
||||||
|
+ # We test with two read calls because the second call may be
|
||||||
|
+ # able to use the internal buffer filled by the first call, and
|
||||||
|
+ # we want to ensure that full decompression is never triggered
|
||||||
|
+ # by the second call. The limit for the second call is lowered
|
||||||
|
+ # to make sure that the internal buffer is used for the Brotli
|
||||||
|
+ # case specifically https://github.com/google/brotli/issues/1396
|
||||||
|
+ limit2 = 1024 # 1 KiB
|
||||||
|
if read_method in ("read_chunked", "stream"):
|
||||||
|
httplib_r = httplib.HTTPResponse(MockSock) # type: ignore[arg-type]
|
||||||
|
+ httplib_r.chunked = True
|
||||||
|
+ httplib_r.chunk_left = 1
|
||||||
|
httplib_r.fp = MockChunkedEncodingResponse([compressed_data]) # type: ignore[assignment]
|
||||||
|
r = HTTPResponse(
|
||||||
|
httplib_r,
|
||||||
|
preload_content=False,
|
||||||
|
headers={"transfer-encoding": "chunked", "content-encoding": name},
|
||||||
|
)
|
||||||
|
- next(getattr(r, read_method)(amt=limit, decode_content=True))
|
||||||
|
+ for limit in (limit1, limit2):
|
||||||
|
+ next(getattr(r, read_method)(amt=limit, decode_content=True))
|
||||||
|
else:
|
||||||
|
fp = BytesIO(compressed_data)
|
||||||
|
r = HTTPResponse(
|
||||||
|
fp, headers={"content-encoding": name}, preload_content=False
|
||||||
|
)
|
||||||
|
- getattr(r, read_method)(amt=limit, decode_content=True)
|
||||||
|
+ for limit in (limit1, limit2):
|
||||||
|
+ getattr(r, read_method)(amt=limit, decode_content=True)
|
||||||
|
|
||||||
|
# Check that the internal decoded buffer is empty unless brotli
|
||||||
|
# is used.
|
||||||
|
@@ -494,6 +505,13 @@ class TestResponse(object):
|
||||||
|
if name != "br" or brotli.__name__ == "brotlicffi":
|
||||||
|
assert len(r._decoded_buffer) == 0
|
||||||
|
|
||||||
|
+ # Check that memory usage is still within the limit while the
|
||||||
|
+ # connection is being drained, meaning that the call does not
|
||||||
|
+ # decompress the whole content.
|
||||||
|
+ r.drain_conn()
|
||||||
|
+ assert r._decoder is None
|
||||||
|
+ assert len(r._decoded_buffer) == 0
|
||||||
|
+
|
||||||
|
def test_multi_decoding_deflate_deflate(self):
|
||||||
|
data = zlib.compress(zlib.compress(b"foo"))
|
||||||
|
|
||||||
|
--
|
||||||
|
2.54.0
|
||||||
|
|
||||||
@ -6,7 +6,7 @@
|
|||||||
|
|
||||||
Name: python-%{srcname}
|
Name: python-%{srcname}
|
||||||
Version: 1.26.5
|
Version: 1.26.5
|
||||||
Release: 6%{?dist}.1
|
Release: 8%{?dist}
|
||||||
Summary: Python HTTP library with thread-safe connection pooling and file post
|
Summary: Python HTTP library with thread-safe connection pooling and file post
|
||||||
|
|
||||||
License: MIT
|
License: MIT
|
||||||
@ -46,6 +46,9 @@ Patch4: CVE-2024-37891.patch
|
|||||||
Patch5: CVE-2025-66471.patch
|
Patch5: CVE-2025-66471.patch
|
||||||
Patch6: CVE-2025-66418.patch
|
Patch6: CVE-2025-66418.patch
|
||||||
Patch7: CVE-2026-21441.patch
|
Patch7: CVE-2026-21441.patch
|
||||||
|
Patch8: CVE-2026-44431.patch
|
||||||
|
Patch9: CVE-2026-44432.patch
|
||||||
|
|
||||||
|
|
||||||
%description
|
%description
|
||||||
Python HTTP module with connection pooling and file POST abilities.
|
Python HTTP module with connection pooling and file POST abilities.
|
||||||
@ -149,11 +152,15 @@ ln -s %{python3_sitelib}/__pycache__/six.cpython-%{python3_version_nodots}.pyc \
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Wed Dec 17 2025 Miro Hrončok <mhroncok@redhat.com> - 1.26.5-6.1
|
* Wed Jun 03 2026 Tomáš Hrnčiar <thrnciar@redhat.com> - 1.26.5-8
|
||||||
|
- Security fix for CVE-2026-44431 and CVE-2026-44432
|
||||||
|
Resolves: RHEL-184816, RHEL-185123
|
||||||
|
|
||||||
|
* Tue Jan 27 2026 Miro Hrončok <mhroncok@redhat.com> - 1.26.5-7
|
||||||
- Security fix for CVE-2025-66471
|
- Security fix for CVE-2025-66471
|
||||||
- Security fix for CVE-2025-66418
|
- Security fix for CVE-2025-66418
|
||||||
- Security fix for CVE-2026-21441
|
- Security fix for CVE-2026-21441
|
||||||
Resolves: RHEL-139401
|
Resolves: RHEL-142750, RHEL-139398, RHEL-142767
|
||||||
|
|
||||||
* Tue Jun 18 2024 Tomáš Hrnčiar <thrnciar@redhat.com> - 1.26.5-6
|
* Tue Jun 18 2024 Tomáš Hrnčiar <thrnciar@redhat.com> - 1.26.5-6
|
||||||
- Security fix for CVE-2024-37891
|
- Security fix for CVE-2024-37891
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user