- bundled urllib3: fix CVE-2025-66418

Resolves: RHEL-136031
2026-01-06 10:00:58 +01:00 · 2026-01-06 10:00:58 +01:00 · 337841885c
commit 337841885c
parent 5337923d37
2 changed files with 54 additions and 1 deletions
--- a/RHEL-136031-fix-bundled-urllib3-CVE-2025-66418.patch
+++ b/RHEL-136031-fix-bundled-urllib3-CVE-2025-66418.patch
@ -0,0 +1,45 @@
+--- a/aliyun/aliyunsdkcore/vendored/requests/packages/urllib3/response.py	2023-10-17 19:42:56.000000000 +0200
+++ b/aliyun/aliyunsdkcore/vendored/requests/packages/urllib3/response.py	2026-01-02 11:19:25.583808492 +0100
+@@ -135,8 +135,18 @@
+         they were applied.
+     """
+ 
+    # Maximum allowed number of chained HTTP encodings in the
+    # Content-Encoding header.
+    max_decode_links = 5
+
+     def __init__(self, modes):
+-        self._decoders = [_get_decoder(m.strip()) for m in modes.split(",")]
+        encodings = [m.strip() for m in modes.split(",")]
+        if len(encodings) > self.max_decode_links:
+            raise DecodeError(
+                "Too many content encodings in the chain: "
+                f"{len(encodings)} > {self.max_decode_links}"
+            )
+        self._decoders = [_get_decoder(e) for e in encodings]
+ 
+     def flush(self):
+         return self._decoders[0].flush()
+
+--- a/gcp/google-cloud-sdk/lib/third_party/urllib3/response.py	2023-10-17 19:42:56.000000000 +0200
+++ b/gcp/google-cloud-sdk/lib/third_party/urllib3/response.py	2026-01-02 11:19:25.583808492 +0100
+@@ -135,8 +135,18 @@
+         they were applied.
+     """
+ 
+    # Maximum allowed number of chained HTTP encodings in the
+    # Content-Encoding header.
+    max_decode_links = 5
+
+     def __init__(self, modes):
+-        self._decoders = [_get_decoder(m.strip()) for m in modes.split(",")]
+        encodings = [m.strip() for m in modes.split(",")]
+        if len(encodings) > self.max_decode_links:
+            raise DecodeError(
+                "Too many content encodings in the chain: "
+                f"{len(encodings)} > {self.max_decode_links}"
+            )
+        self._decoders = [_get_decoder(e) for e in encodings]
+ 
+     def flush(self):
+         return self._decoders[0].flush()
--- a/resource-agents.spec
+++ b/resource-agents.spec
@ -73,7 +73,7 @@
 Name:		resource-agents
 Summary:	Open Source HA Reusable Cluster Resource Scripts
 Version:	4.9.0
-Release:	54%{?rcver:%{rcver}}%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist}.23
+Release:	54%{?rcver:%{rcver}}%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist}.24
 License:	GPLv2+ and LGPLv2+
 URL:		https://github.com/ClusterLabs/resource-agents
 %if 0%{?fedora} || 0%{?centos_version} || 0%{?rhel}
@ -196,6 +196,7 @@ Patch1009:	bz1943464-python-pygments-fix-CVE-2021-27291.patch
 Patch1010:	RHEL-44923-aliyun-gcp-fix-bundled-urllib3-CVE-2024-37891.patch
 Patch1011:	RHEL-104761-aliyun-gcp-fix-bundled-requests-CVE-2024-47081.patch
 Patch1012:	RHEL-50360-setuptools-fix-CVE-2024-6345.patch
+Patch1013:	RHEL-136031-fix-bundled-urllib3-CVE-2025-66418.patch

 Obsoletes:	heartbeat-resources <= %{version}
 Provides:	heartbeat-resources = %{version}
@ -750,6 +751,9 @@ popd
 pushd %{buildroot}/usr/lib/%{name}/%{bundled_lib_dir}/gcp/google-cloud-sdk/lib/third_party
 /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH1012}
 popd
+pushd %{buildroot}/usr/lib/%{name}/%{bundled_lib_dir}
+/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH1013}
+popd
 %endif

 ## tree fixup
@ -1043,6 +1047,10 @@ ccs_update_schema > /dev/null 2>&1 ||:
 %{_usr}/lib/ocf/lib/heartbeat/OCF_*.pm

 %changelog
+* Tue Jan  6 2026 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-54.24
+- bundled urllib3: fix CVE-2025-66418
+  Resolves: RHEL-136031
+
 * Fri Oct 31 2025 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-54.23
 - nfsserver: add ability to set e.g. "pipefs-directory=/run/nfs/rpc_pipefs"
  in /etc/nfs.conf to avoid issues with non-clustered Kerberized mounts