- bundled urllib3: fix CVE-2024-37891

Resolves: RHEL-44923

RHEL-44923-aliyun-gcp-fix-bundled-urllib3-CVE-2024-37891.patch

@@ -0,0 +1,48 @@
+From accff72ecc2f6cf5a76d9570198a93ac7c90270e Mon Sep 17 00:00:00 2001
+From: Quentin Pradet <quentin.pradet@gmail.com>
+Date: Mon, 17 Jun 2024 11:09:06 +0400
+Subject: [PATCH] Merge pull request from GHSA-34jh-p97f-mpxf
+
+* Strip Proxy-Authorization header on redirects
+
+* Fix test_retry_default_remove_headers_on_redirect
+
+* Set release date
+---
+ CHANGES.rst                               |  5 +++++
+ src/urllib3/util/retry.py                 |  4 +++-
+ test/test_retry.py                        |  6 ++++-
+ test/with_dummyserver/test_poolmanager.py | 27 ++++++++++++++++++++---
+ 4 files changed, 37 insertions(+), 5 deletions(-)
+
+diff --git a/aliyun/aliyunsdkcore/vendored/requests/packages/urllib3/util/retry.py b/aliyun/aliyunsdkcore/vendored/requests/packages/urllib3/util/retry.py
+index 7a76a4a6ad..0456cceba4 100644
+--- a/aliyun/aliyunsdkcore/vendored/requests/packages/urllib3/util/retry.py
++++ b/aliyun/aliyunsdkcore/vendored/requests/packages/urllib3/util/retry.py
+@@ -189,7 +189,9 @@ class Retry:
+     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
+ 
+     #: Default headers to be used for ``remove_headers_on_redirect``
+-    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
++    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(
++        ["Cookie", "Authorization", "Proxy-Authorization"]
++    )
+ 
+     #: Default maximum backoff time.
+     DEFAULT_BACKOFF_MAX = 120
+
+diff --git a/gcp/google-cloud-sdk/lib/third_party/urllib3/util/retry.py b/gcp/google-cloud-sdk/lib/third_party/urllib3/util/retry.py
+index 7a76a4a6ad..0456cceba4 100644
+--- a/gcp/google-cloud-sdk/lib/third_party/urllib3/util/retry.py
++++ b/gcp/google-cloud-sdk/lib/third_party/urllib3/util/retry.py
+@@ -189,7 +189,9 @@ class Retry:
+     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
+ 
+     #: Default headers to be used for ``remove_headers_on_redirect``
+-    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
++    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(
++        ["Cookie", "Authorization", "Proxy-Authorization"]
++    )
+ 
+     #: Default maximum backoff time.
+     DEFAULT_BACKOFF_MAX = 120

resource-agents.spec

@@ -73,7 +73,7 @@
 Name:		resource-agents
 Summary:	Open Source HA Reusable Cluster Resource Scripts
 Version:	4.9.0
-Release:	54%{?rcver:%{rcver}}%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist}.1
+Release:	54%{?rcver:%{rcver}}%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist}.2
 License:	GPLv2+ and LGPLv2+
 URL:		https://github.com/ClusterLabs/resource-agents
 %if 0%{?fedora} || 0%{?centos_version} || 0%{?rhel}
@@ -174,6 +174,7 @@ Patch1006:	python3-syntax-fixes.patch
 Patch1007:	aliyuncli-python3-fixes.patch
 Patch1008:	bz1935422-python-pygments-fix-CVE-2021-20270.patch
 Patch1009:	bz1943464-python-pygments-fix-CVE-2021-27291.patch
+Patch1010:	RHEL-44923-aliyun-gcp-fix-bundled-urllib3-CVE-2024-37891.patch
 
 Obsoletes:	heartbeat-resources <= %{version}
 Provides:	heartbeat-resources = %{version}
@@ -700,6 +701,11 @@ mv %{buildroot}/%{_bindir}/aliyuncli %{buildroot}/%{_bindir}/aliyuncli-ra
 # aliyun_completer / aliyun_zsh_complete.sh
 rm %{buildroot}/%{_bindir}/aliyun_*
 popd
+
+# regular patch doesnt work in build-section
+pushd %{buildroot}/usr/lib/%{name}/%{bundled_lib_dir}
+/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=2 < %{PATCH1010}
+popd
 %endif
 
 ## tree fixup
@@ -993,6 +999,11 @@ ccs_update_schema > /dev/null 2>&1 ||:
 %{_usr}/lib/ocf/lib/heartbeat/OCF_*.pm
 
 %changelog
+* Wed Jun 26 2024 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-54.2
+- bundled urllib3: fix CVE-2024-37891
+
+  Resolves: RHEL-44923
+
 * Thu May 30 2024 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-54.1
 - AWS agents: retry failed metadata requests to avoid instantly
   failing when there is a hiccup in the network or metadata service