SOURCES/CVE-2024-37891.patch

@@ -1,39 +0,0 @@
-From 584378407efb03cef247320b541388f460cb72a2 Mon Sep 17 00:00:00 2001
-From: Lumir Balhar <lbalhar@redhat.com>
-Date: Mon, 1 Jul 2024 12:40:39 +0200
-Subject: [PATCH] CVE-2024-37891
-
----
- src/urllib3/util/retry.py | 2 +-
- test/test_retry.py        | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/urllib3/util/retry.py b/src/urllib3/util/retry.py
-index c4a687c..8b86956 100644
---- a/src/urllib3/util/retry.py
-+++ b/src/urllib3/util/retry.py
-@@ -151,7 +151,7 @@ class Retry(object):
- 
-     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
- 
--    DEFAULT_REDIRECT_HEADERS_BLACKLIST = frozenset(['Cookie', 'Authorization'])
-+    DEFAULT_REDIRECT_HEADERS_BLACKLIST = frozenset(['Cookie', 'Authorization', 'Proxy-Authorization'])
- 
-     #: Maximum backoff time.
-     BACKOFF_MAX = 120
-diff --git a/test/test_retry.py b/test/test_retry.py
-index c6bba74..a525028 100644
---- a/test/test_retry.py
-+++ b/test/test_retry.py
-@@ -253,7 +253,7 @@ class TestRetry(object):
-     def test_retry_default_remove_headers_on_redirect(self):
-         retry = Retry()
- 
--        assert retry.remove_headers_on_redirect == {'authorization', 'cookie'}
-+        assert retry.remove_headers_on_redirect == {'authorization', 'proxy-authorization', 'cookie'}
- 
-     def test_retry_set_remove_headers_on_redirect(self):
-         retry = Retry(remove_headers_on_redirect=['x-api-secret'])
--- 
-2.45.2
-

SOURCES/CVE-2025-66418.patch

@@ -1,75 +0,0 @@
-From dbb1dc2ef9a6c36e7b9139151d4db2ffab69eceb Mon Sep 17 00:00:00 2001
-From: Illia Volochii <illia.volochii@gmail.com>
-Date: Fri, 5 Dec 2025 16:41:33 +0200
-Subject: [PATCH] Security fix for CVE-2025-66418
-
-* Add a hard-coded limit for the decompression chain
-
-* Reuse new list
-
-(cherry picked from commit 24d7b67eac89f94e11003424bcf0d8f7b72222a8)
----
- changelog/GHSA-gm62-xv2j-4w53.security.rst |  4 ++++
- src/urllib3/response.py                    | 12 +++++++++++-
- test/test_response.py                      | 10 ++++++++++
- 3 files changed, 25 insertions(+), 1 deletion(-)
- create mode 100644 changelog/GHSA-gm62-xv2j-4w53.security.rst
-
-diff --git a/changelog/GHSA-gm62-xv2j-4w53.security.rst b/changelog/GHSA-gm62-xv2j-4w53.security.rst
-new file mode 100644
-index 00000000..6646eaa3
---- /dev/null
-+++ b/changelog/GHSA-gm62-xv2j-4w53.security.rst
-@@ -0,0 +1,4 @@
-+Fixed a security issue where an attacker could compose an HTTP response with
-+virtually unlimited links in the ``Content-Encoding`` header, potentially
-+leading to a denial of service (DoS) attack by exhausting system resources
-+during decoding. The number of allowed chained encodings is now limited to 5.
-diff --git a/src/urllib3/response.py b/src/urllib3/response.py
-index 60bd98c9..ba366eef 100644
---- a/src/urllib3/response.py
-+++ b/src/urllib3/response.py
-@@ -163,8 +163,18 @@ class MultiDecoder(object):
-         they were applied.
-     """
- 
-+    # Maximum allowed number of chained HTTP encodings in the
-+    # Content-Encoding header.
-+    max_decode_links = 5
-+
-     def __init__(self, modes):
--        self._decoders = [_get_decoder(m.strip()) for m in modes.split(',')]
-+        encodings = [m.strip() for m in modes.split(",")]
-+        if len(encodings) > self.max_decode_links:
-+            raise DecodeError(
-+                "Too many content encodings in the chain: "
-+                f"{len(encodings)} > {self.max_decode_links}"
-+            )
-+        self._decoders = [_get_decoder(e) for e in encodings]
- 
-     def flush(self):
-         return self._decoders[0].flush()
-diff --git a/test/test_response.py b/test/test_response.py
-index 347276e8..bd083b7f 100644
---- a/test/test_response.py
-+++ b/test/test_response.py
-@@ -467,6 +467,16 @@ class TestResponse(object):
-         assert r.read(9 * 37) == b"foobarbaz" * 37
-         assert r.read() == b""
- 
-+    def test_read_multi_decoding_too_many_links(self):
-+        fp = BytesIO(b"foo")
-+        with pytest.raises(
-+            DecodeError, match="Too many content encodings in the chain: 6 > 5"
-+        ):
-+            HTTPResponse(
-+                fp,
-+                headers={"content-encoding": "gzip, deflate, br, zstd, gzip, deflate"},
-+            )
-+
-     def test_body_blob(self):
-         resp = HTTPResponse(b'foo')
-         assert resp.data == b'foo'
--- 
-2.52.0
-

SOURCES/CVE-2026-21441.patch

@@ -1,219 +0,0 @@
-From 5474aa5a56209bf0378201d8305584a0f51f91c7 Mon Sep 17 00:00:00 2001
-From: Ousret <ahmed.tahri@cloudnursery.dev>
-Date: Thu, 17 Nov 2022 01:40:19 +0100
-Subject: [PATCH 1/2] Prevent issue in HTTPResponse().read() when
- decoded_content is True and then False Provided it has initialized eligible
- decoder(decompressor) and did decode once
-
-(cherry picked from commit cefd1dbba6a20ea4f017e6e472f9ada3a8a743e0)
----
- changelog/2800.bugfix.rst |  1 +
- src/urllib3/response.py   | 13 +++++++++++++
- test/test_response.py     | 35 +++++++++++++++++++++++++++++++++++
- 3 files changed, 49 insertions(+)
- create mode 100644 changelog/2800.bugfix.rst
-
-diff --git a/changelog/2800.bugfix.rst b/changelog/2800.bugfix.rst
-new file mode 100644
-index 00000000..9dcf1eec
---- /dev/null
-+++ b/changelog/2800.bugfix.rst
-@@ -0,0 +1 @@
-+Prevented issue in HTTPResponse().read() when decoded_content is True and then False.
-\ No newline at end of file
-diff --git a/src/urllib3/response.py b/src/urllib3/response.py
-index ba366eef..6c8823be 100644
---- a/src/urllib3/response.py
-+++ b/src/urllib3/response.py
-@@ -331,6 +331,7 @@ class HTTPResponse(io.IOBase):
-         self.reason = reason
-         self.strict = strict
-         self.decode_content = decode_content
-+        self._has_decoded_content = False
-         self.retries = retries
-         self.enforce_content_length = enforce_content_length
- 
-@@ -481,12 +482,19 @@ class HTTPResponse(io.IOBase):
-         """
-         Decode the data passed in and potentially flush the decoder.
-         """
-+        if not decode_content and self._has_decoded_content:
-+            raise RuntimeError(
-+                "Calling read(decode_content=False) is not supported after "
-+                "read(decode_content=True) was called."
-+            )
-+
-         if max_length is None or flush_decoder:
-             max_length = -1
- 
-         try:
-             if decode_content and self._decoder:
-                 data = self._decoder.decompress(data, max_length=max_length)
-+                self._has_decoded_content = True
-         except (IOError, zlib.error) as e:
-             content_encoding = self.headers.get('content-encoding', '').lower()
-             raise DecodeError(
-@@ -670,6 +678,11 @@ class HTTPResponse(io.IOBase):
-         else:
-             # do not waste memory on buffer when not decoding
-             if not decode_content:
-+                if self._has_decoded_content:
-+                    raise RuntimeError(
-+                        "Calling read(decode_content=False) is not supported after "
-+                        "read(decode_content=True) was called."
-+                    )
-                 return data
- 
-             decoded_data = self._decode(
-diff --git a/test/test_response.py b/test/test_response.py
-index bd083b7f..4b04e409 100644
---- a/test/test_response.py
-+++ b/test/test_response.py
-@@ -560,6 +560,41 @@ class TestResponse(object):
-         while not br.closed:
-             br.read(5)
- 
-+    def test_read_with_illegal_mix_decode_toggle(self):
-+        compress = zlib.compressobj(6, zlib.DEFLATED, -zlib.MAX_WBITS)
-+        data = compress.compress(b"foo")
-+        data += compress.flush()
-+
-+        fp = BytesIO(data)
-+
-+        resp = HTTPResponse(
-+            fp, headers={"content-encoding": "deflate"}, preload_content=False
-+        )
-+
-+        assert resp.read(1) == b"f"
-+
-+        with pytest.raises(
-+            RuntimeError,
-+            match=(
-+                r"Calling read\(decode_content=False\) is not supported after "
-+                r"read\(decode_content=True\) was called"
-+            ),
-+        ):
-+            resp.read(1, decode_content=False)
-+
-+    def test_read_with_mix_decode_toggle(self):
-+        compress = zlib.compressobj(6, zlib.DEFLATED, -zlib.MAX_WBITS)
-+        data = compress.compress(b"foo")
-+        data += compress.flush()
-+
-+        fp = BytesIO(data)
-+
-+        resp = HTTPResponse(
-+            fp, headers={"content-encoding": "deflate"}, preload_content=False
-+        )
-+        resp.read(1, decode_content=False)
-+        assert resp.read(1, decode_content=True) == b"o"
-+
-     def test_streaming(self):
-         fp = BytesIO(b'foo')
-         resp = HTTPResponse(fp, preload_content=False)
--- 
-2.52.0
-
-
-From 018e71279b1b9ba9319943dbe47762d2dad631d0 Mon Sep 17 00:00:00 2001
-From: Illia Volochii <illia.volochii@gmail.com>
-Date: Wed, 7 Jan 2026 18:07:30 +0200
-Subject: [PATCH 2/2] Security fix for CVE-2026-21441
-
-* Stop decoding response content during redirects needlessly
-* Rename the new query parameter
-* Add a changelog entry
-
-(cherry picked from commit 8864ac407bba8607950025e0979c4c69bc7abc7b)
----
- CHANGES.rst                                  |  3 +++
- dummyserver/handlers.py                      |  8 +++++++-
- src/urllib3/connectionpool.py                |  6 +++++-
- test/with_dummyserver/test_connectionpool.py | 19 +++++++++++++++++++
- 4 files changed, 34 insertions(+), 2 deletions(-)
-
-diff --git a/CHANGES.rst b/CHANGES.rst
-index cf315aaf..5673a58e 100644
---- a/CHANGES.rst
-+++ b/CHANGES.rst
-@@ -8,6 +8,9 @@ Backports
-   compressed HTTP content ("decompression bombs") leading to excessive resource
-   consumption even when a small amount of data was requested. Reading small
-   chunks of compressed data is safer and much more efficient now.
-+- Fixed a high-severity security issue where decompression-bomb safeguards of
-+  the streaming API were bypassed when HTTP redirects were followed.
-+  (`GHSA-38jv-5279-wg99 <https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99>`__)
- 
- 
- 1.24.2 (2019-04-17)
-diff --git a/dummyserver/handlers.py b/dummyserver/handlers.py
-index f570d881..c0dd4e4a 100644
---- a/dummyserver/handlers.py
-+++ b/dummyserver/handlers.py
-@@ -170,9 +170,15 @@ class TestingApp(RequestHandler):
-         status = request.params.get('status', '303 See Other')
-         if len(status) == 3:
-             status = '%s Redirect' % status.decode('latin-1')
-+        compressed = request.params.get('compressed') == b'true'
- 
-         headers = [('Location', target)]
--        return Response(status=status, headers=headers)
-+        if compressed:
-+            headers.append(('Content-Encoding', 'gzip'))
-+            data = gzip.compress(b'foo')
-+        else:
-+            data = b''
-+        return Response(data, status=status, headers=headers)
- 
-     def not_found(self, request):
-         return Response('Not found', status='404 Not Found')
-diff --git a/src/urllib3/connectionpool.py b/src/urllib3/connectionpool.py
-index ad6303c1..5f66cd25 100644
---- a/src/urllib3/connectionpool.py
-+++ b/src/urllib3/connectionpool.py
-@@ -671,7 +671,11 @@ class HTTPConnectionPool(ConnectionPool, RequestMethods):
-             try:
-                 # discard any remaining response body, the connection will be
-                 # released back to the pool once the entire response is read
--                response.read()
-+                response.read(
-+                    # Do not spend resources decoding the content unless
-+                    # decoding has already been initiated.
-+                    decode_content=response._has_decoded_content,
-+                )
-             except (TimeoutError, HTTPException, SocketError, ProtocolError,
-                     BaseSSLError, SSLError) as e:
-                 pass
-diff --git a/test/with_dummyserver/test_connectionpool.py b/test/with_dummyserver/test_connectionpool.py
-index 5faa0638..a2673e05 100644
---- a/test/with_dummyserver/test_connectionpool.py
-+++ b/test/with_dummyserver/test_connectionpool.py
-@@ -413,6 +413,25 @@ class TestConnectionPool(HTTPDummyServerTestCase):
-         self.assertEqual(r.status, 200)
-         self.assertEqual(r.data, b'Dummy server!')
- 
-+    @mock.patch("urllib3.response.GzipDecoder.decompress")
-+    def test_no_decoding_with_redirect_when_preload_disabled(
-+        self, gzip_decompress
-+    ):
-+        """
-+        Test that urllib3 does not attempt to decode a gzipped redirect
-+        response when `preload_content` is set to `False`.
-+        """
-+        with HTTPConnectionPool(self.host, self.port) as pool:
-+            # Three requests are expected: two redirects and one final / 200 OK.
-+            response = pool.request(
-+                "GET",
-+                "/redirect",
-+                fields={"target": "/redirect?compressed=true", "compressed": "true"},
-+                preload_content=False,
-+            )
-+        assert response.status == 200
-+        gzip_decompress.assert_not_called()
-+
-     def test_bad_connect(self):
-         pool = HTTPConnectionPool('badhost.invalid', self.port)
-         try:
--- 
-2.52.0
-

SPECS/python-urllib3.spec

@@ -2,7 +2,7 @@
 
 Name:           python-%{srcname}
 Version:        1.24.2
-Release:        9%{?dist}
+Release:        7%{?dist}
 Summary:        Python HTTP library with thread-safe connection pooling and file post
 
 License:        MIT
@@ -48,17 +48,6 @@ Patch4: CVE-2023-43804.patch
 # Upstream fix: https://github.com/urllib3/urllib3/commit/4e98d57809dacab1cbe625fddeec1a290c478ea9
 Patch5: CVE-2023-45803.patch
 
-# CVE-2024-37891
-# Added the `Proxy-Authorization` header to the list of headers to strip from requests
-# when redirecting to a different host.
-# Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2024-37891
-# Upstream fix: https://github.com/urllib3/urllib3/commit/40b6d1605814dd1db0a46e202d6e56f2e4c9a468
-Patch6: CVE-2024-37891.patch
-
-Patch7: CVE-2025-66471.patch
-Patch8: CVE-2025-66418.patch
-Patch9: CVE-2026-21441.patch
-
 %description
 Python HTTP module with connection pooling and file POST abilities.
 
@@ -83,7 +72,13 @@ Python3 HTTP module with connection pooling and file POST abilities.
 
 
 %prep
-%autosetup -p1 -n %{srcname}-%{version}
+%setup -q -n %{srcname}-%{version}
+
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
 
 # Make sure that the RECENT_DATE value doesn't get too far behind what the current date is.
 # RECENT_DATE must not be older that 2 years from the build time, or else test_recent_date
@@ -159,16 +154,6 @@ popd
 
 
 %changelog
-* Wed Dec 17 2025 Miro Hrončok <mhroncok@redhat.com> - 1.24.2-9
-- Security fix for CVE-2025-66471
-- Security fix for CVE-2025-66418
-- Security fix for CVE-2026-21441
-Resolves: RHEL-139410
-
-* Mon Jul 01 2024 Lumír Balhar <lbalhar@redhat.com> - 1.24.2-8
-- Security fix for CVE-2024-37891
-Resolves: RHEL-45334
-
 * Tue Dec 12 2023 Lumír Balhar <lbalhar@redhat.com> - 1.24.2-7
 - Security fix for CVE-2023-45803
 Resolves: RHEL-16872