Security fix for CVE-2023-43804
RHEL-12003
		
							parent
							
								
									095ef781f4
								
							
						
					
					
						commit
						b0f7cb9371
					
				
							
								
								
									
										53
									
								
								CVE-2023-43804.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
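--- a/CVE-2023-43804.patch
+++ b/CVE-2023-43804.patch
@@ -0,0 +1,53 @@
+From 2e6a170805a8c2ea675a2a586828d7f5b53e856f Mon Sep 17 00:00:00 2001
+From: Lumir Balhar <lbalhar@redhat.com>
+Date: Fri, 13 Oct 2023 09:29:29 +0200
+Subject: [PATCH] CVE-2023-43804
+
+---
+ src/urllib3/util/retry.py     | 2 +-
+ test/test_retry.py            | 2 +-
+ test/test_retry_deprecated.py | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/urllib3/util/retry.py b/src/urllib3/util/retry.py
+index 3398323..f727602 100644
+--- a/src/urllib3/util/retry.py
++++ b/src/urllib3/util/retry.py
+@@ -235,7 +235,7 @@ class Retry(object):
+     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
+ 
+     #: Default headers to be used for ``remove_headers_on_redirect``
+-    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Authorization"])
++    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
+ 
+     #: Maximum backoff time.
+     DEFAULT_BACKOFF_MAX = 120
+diff --git a/test/test_retry.py b/test/test_retry.py
+index f170e57..d7c216b 100644
+--- a/test/test_retry.py
++++ b/test/test_retry.py
+@@ -293,7 +293,7 @@ class TestRetry(object):
+     def test_retry_default_remove_headers_on_redirect(self):
+         retry = Retry()
+ 
+-        assert list(retry.remove_headers_on_redirect) == ["authorization"]
++        assert retry.remove_headers_on_redirect == {"authorization", "cookie"}
+ 
+     def test_retry_set_remove_headers_on_redirect(self):
+         retry = Retry(remove_headers_on_redirect=["X-API-Secret"])
+diff --git a/test/test_retry_deprecated.py b/test/test_retry_deprecated.py
+index 20e9810..d7905cd 100644
+--- a/test/test_retry_deprecated.py
++++ b/test/test_retry_deprecated.py
+@@ -295,7 +295,7 @@ class TestRetry(object):
+     def test_retry_default_remove_headers_on_redirect(self):
+         retry = Retry()
+ 
+-        assert list(retry.remove_headers_on_redirect) == ["authorization"]
++        assert retry.remove_headers_on_redirect == {"authorization", "cookie"}
+ 
+     def test_retry_set_remove_headers_on_redirect(self):
+         retry = Retry(remove_headers_on_redirect=["X-API-Secret"])
+-- 
+2.41.0
+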
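Review bot: The two test hunks only pin the default set on `Retry()` (`assert retry.remove_headers_on_redirect == {"authorization", "cookie"}`); nothing in this backport exercises the redirect path that consumes that set, so the fix's effectiveness rests on the 1.26.12 pool-manager code stripping the listed headers on cross-host redirects exactly as the upstream commit cited in the spec does — that code is outside this patch and should be checked against it rather than assumed. Judging from `test_retry_set_remove_headers_on_redirect`, a caller that passes its own `remove_headers_on_redirect=[...]` appears to replace the default rather than extend it and would therefore still forward `Cookie`; that caveat belongs in the patch itself. The patch header `Subject: [PATCH] CVE-2023-43804` has an empty body, so consider adding a short description naming the upstream commit, the Cookie-on-cross-host-redirect behaviour, and the caller-override caveat so the .patch file is self-describing without the spec comment. The same test change is duplicated in `test/test_retry.py` and `test/test_retry_deprecated.py`, and the enclosing `Retry` and `TestRetry` class bodies extend beyond these hunks.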
| @ -8,7 +8,7 @@ | |||||||
| 
 | 
 | ||||||
| Name:           python%{python3_pkgversion}-%{srcname} | Name:           python%{python3_pkgversion}-%{srcname} | ||||||
| Version:        1.26.12 | Version:        1.26.12 | ||||||
| Release:        1%{?dist} | Release:        2%{?dist} | ||||||
| Summary:        Python HTTP library with thread-safe connection pooling and file post | Summary:        Python HTTP library with thread-safe connection pooling and file post | ||||||
| 
 | 
 | ||||||
| License:        MIT | License:        MIT | ||||||
| @ -16,6 +16,15 @@ URL:            https://github.com/urllib3/urllib3 | |||||||
| Source0:        %{url}/archive/%{version}/%{srcname}-%{version}.tar.gz | Source0:        %{url}/archive/%{version}/%{srcname}-%{version}.tar.gz | ||||||
| BuildArch:      noarch | BuildArch:      noarch | ||||||
| 
 | 
 | ||||||
|  | # CVE-2023-43804 | ||||||
|  | # Added the `Cookie` header to the list of headers to strip from | ||||||
|  | # requests when redirecting to a different host. As before, different headers | ||||||
|  | # can be set via `Retry.remove_headers_on_redirect`. | ||||||
|  | # Tests backported only partially as we don't use the whole part of | ||||||
|  | # testing with dummyserver. | ||||||
|  | # Tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=2242493 | ||||||
|  | # Upstream fix: https://github.com/urllib3/urllib3/commit/01220354d389cd05474713f8c982d05c9b17aafb | ||||||
|  | Patch1: CVE-2023-43804.patch | ||||||
| 
 | 
 | ||||||
| BuildRequires:  python%{python3_pkgversion}-devel | BuildRequires:  python%{python3_pkgversion}-devel | ||||||
| BuildRequires:  python%{python3_pkgversion}-rpm-macros | BuildRequires:  python%{python3_pkgversion}-rpm-macros | ||||||
| @ -111,6 +120,10 @@ ln -s %{python3_sitelib}/__pycache__/six.cpython-%{python3_version_nodots}.pyc \ | |||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
| %changelog | %changelog | ||||||
|  | * Fri Oct 13 2023 Lumír Balhar <lbalhar@redhat.com> - 1.26.12-2 | ||||||
|  | - Security fix for CVE-2023-43804 | ||||||
|  | Resolves: RHEL-12003 | ||||||
|  | 
 | ||||||
| * Tue Nov 29 2022 Charalampos Stratakis <cstratak@redhat.com> - 1.26.12-1 | * Tue Nov 29 2022 Charalampos Stratakis <cstratak@redhat.com> - 1.26.12-1 | ||||||
| - Initial package | - Initial package | ||||||
| - Fedora contributions by: | - Fedora contributions by: | ||||||