import CS python-urllib3-1.26.5-6.el9

2024-09-30 16:27:49 +00:00 · 2024-09-30 16:27:49 +00:00 · e667aa738c
commit e667aa738c
parent ec7298bb7d
3 changed files with 123 additions and 1 deletions
--- a/SOURCES/Add-server_hostname-to-SSL_KEYWORDS.patch
+++ b/SOURCES/Add-server_hostname-to-SSL_KEYWORDS.patch
@ -0,0 +1,38 @@
 From f1d40fd07f7b5d9cf846a18fb5a920b4be07dfc5 Mon Sep 17 00:00:00 2001
 From: Hasan Ramezani <hasan.r67@gmail.com>
 Date: Thu, 20 Jan 2022 15:56:02 +0100
 Subject: [PATCH] [1.26] Add server_hostname to SSL_KEYWORDS
 ---
 src/urllib3/poolmanager.py                | 1 +
 test/with_dummyserver/test_poolmanager.py | 5 +++++
 2 files changed, 6 insertions(+)
 diff --git a/src/urllib3/poolmanager.py b/src/urllib3/poolmanager.py
 index 3a31a285bf..ca4ec34118 100644
 --- a/src/urllib3/poolmanager.py
 +++ b/src/urllib3/poolmanager.py
@@ -34,6 +34,7 @@
     "ca_cert_dir",
     "ssl_context",
     "key_password",
 +    "server_hostname",
 )
 # All known keyword arguments that could be provided to the pool manager, its
 diff --git a/test/with_dummyserver/test_poolmanager.py b/test/with_dummyserver/test_poolmanager.py
 index d877cc99ac..fa07a372a9 100644
 --- a/test/with_dummyserver/test_poolmanager.py
 +++ b/test/with_dummyserver/test_poolmanager.py
@@ -346,6 +346,11 @@ def test_http_with_ssl_keywords(self):
             r = http.request("GET", "http://%s:%s/" % (self.host, self.port))
             assert r.status == 200
 +    def test_http_with_server_hostname(self):
 +        with PoolManager(server_hostname="example.com") as http:
 +            r = http.request("GET", "http://%s:%s/" % (self.host, self.port))
 +            assert r.status == 200
 +
     def test_http_with_ca_cert_dir(self):
         with PoolManager(ca_certs="REQUIRED", ca_cert_dir="/nosuchdir") as http:
             r = http.request("GET", "http://%s:%s/" % (self.host, self.port))
--- a/SOURCES/CVE-2024-37891.patch
+++ b/SOURCES/CVE-2024-37891.patch
@ -0,0 +1,66 @@
 From 3606f6166c000213f1e1e9bace3c12f924dd0132 Mon Sep 17 00:00:00 2001
 From: Quentin Pradet <quentin.pradet@gmail.com>
 Date: Wed, 26 Jun 2024 15:56:34 +0200
 Subject: [PATCH] Merge pull request from GHSA-34jh-p97f-mpxf
 * [1.26] Strip Proxy-Authorization header on redirects
 * Set release date
 ---
 src/urllib3/util/retry.py     | 4 +++-
 test/test_retry.py            | 6 +++++-
 test/test_retry_deprecated.py | 6 +++++-
 3 files changed, 13 insertions(+), 3 deletions(-)
 diff --git a/src/urllib3/util/retry.py b/src/urllib3/util/retry.py
 index 63c02ee..42fa619 100644
 --- a/src/urllib3/util/retry.py
 +++ b/src/urllib3/util/retry.py
@@ -217,7 +217,9 @@ class Retry(object):
     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
     #: Default headers to be used for ``remove_headers_on_redirect``
 -    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
 +    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(
 +        ["Cookie", "Authorization", "Proxy-Authorization"]
 +    )
     #: Maximum backoff time.
     BACKOFF_MAX = 120
 diff --git a/test/test_retry.py b/test/test_retry.py
 index e9270bb..cf60bf1 100644
 --- a/test/test_retry.py
 +++ b/test/test_retry.py
@@ -293,7 +293,11 @@ class TestRetry(object):
     def test_retry_default_remove_headers_on_redirect(self):
         retry = Retry()
 -        assert retry.remove_headers_on_redirect == {"authorization", "cookie"}
 +        assert retry.remove_headers_on_redirect == {
 +            "authorization",
 +            "proxy-authorization",
 +            "cookie",
 +        }
     def test_retry_set_remove_headers_on_redirect(self):
         retry = Retry(remove_headers_on_redirect=["X-API-Secret"])
 diff --git a/test/test_retry_deprecated.py b/test/test_retry_deprecated.py
 index d18f94c..a107f7b 100644
 --- a/test/test_retry_deprecated.py
 +++ b/test/test_retry_deprecated.py
@@ -295,7 +295,11 @@ class TestRetry(object):
     def test_retry_default_remove_headers_on_redirect(self):
         retry = Retry()
 -        assert retry.remove_headers_on_redirect == {"authorization", "cookie"}
 +        assert retry.remove_headers_on_redirect == {
 +            "authorization",
 +            "proxy-authorization",
 +            "cookie",
 +        }
     def test_retry_set_remove_headers_on_redirect(self):
         retry = Retry(remove_headers_on_redirect=["X-API-Secret"])
 -- 
 2.44.0
--- a/SPECS/python-urllib3.spec
+++ b/SPECS/python-urllib3.spec
@ -6,7 +6,7 @@
 Name:           python-%{srcname}
 Version:        1.26.5
-Release:        5%{?dist}
+Release:        6%{?dist}
 Summary:        Python HTTP library with thread-safe connection pooling and file post
 License:        MIT
@ -32,6 +32,17 @@ Patch1: CVE-2023-43804.patch
 # Upstream fix: https://github.com/urllib3/urllib3/commit/4e98d57809dacab1cbe625fddeec1a290c478ea9
 Patch2: CVE-2023-45803.patch
 # PoolManager.urlopen fails with TypeError for http connection if the PoolManager is instantiated with server_hostname
 # Tracking bug: https://issues.redhat.com/browse/RHEL-39285
 # Upstream fix: https://github.com/urllib3/urllib3/commit/f1d40fd07f7b5d9cf846a18fb5a920b4be07dfc5
 Patch3: Add-server_hostname-to-SSL_KEYWORDS.patch
 # CVE-2024-37891
 # Proxy-authorization request header is not stripped during cross-origin redirects.
 # Tracking bug: https://issues.redhat.com/browse/RHEL-43172
 # Upstream fix: https://github.com/urllib3/urllib3/commit/40b6d1605814dd1db0a46e202d6e56f2e4c9a468
 Patch4: CVE-2024-37891.patch
 %description
 Python HTTP module with connection pooling and file POST abilities.
@ -134,6 +145,13 @@ ln -s %{python3_sitelib}/__pycache__/six.cpython-%{python3_version_nodots}.pyc \
 %changelog
 * Tue Jun 18 2024 Tomáš Hrnčiar <thrnciar@redhat.com> - 1.26.5-6
 - Security fix for CVE-2024-37891
 - Backport upstream patch to fix TypeError for http connection if the PoolManager
 - is instantiated with server_hostname
 Resolves: RHEL-43172
 Resolves: RHEL-39285
 * Tue Dec 12 2023 Lumír Balhar <lbalhar@redhat.com> - 1.26.5-5
 - Security fix for CVE-2023-45803
 Resolves: RHEL-16874