diff --git a/RHEL-44923-aliyun-gcp-fix-bundled-urllib3-CVE-2024-37891.patch b/RHEL-44923-aliyun-gcp-fix-bundled-urllib3-CVE-2024-37891.patch new file mode 100644 index 0000000..4d0ac31 --- /dev/null +++ b/RHEL-44923-aliyun-gcp-fix-bundled-urllib3-CVE-2024-37891.patch @@ -0,0 +1,48 @@ +From accff72ecc2f6cf5a76d9570198a93ac7c90270e Mon Sep 17 00:00:00 2001 +From: Quentin Pradet +Date: Mon, 17 Jun 2024 11:09:06 +0400 +Subject: [PATCH] Merge pull request from GHSA-34jh-p97f-mpxf + +* Strip Proxy-Authorization header on redirects + +* Fix test_retry_default_remove_headers_on_redirect + +* Set release date +--- + CHANGES.rst | 5 +++++ + src/urllib3/util/retry.py | 4 +++- + test/test_retry.py | 6 ++++- + test/with_dummyserver/test_poolmanager.py | 27 ++++++++++++++++++++--- + 4 files changed, 37 insertions(+), 5 deletions(-) + +diff --git a/aliyun/aliyunsdkcore/vendored/requests/packages/urllib3/util/retry.py b/aliyun/aliyunsdkcore/vendored/requests/packages/urllib3/util/retry.py +index 7a76a4a6ad..0456cceba4 100644 +--- a/aliyun/aliyunsdkcore/vendored/requests/packages/urllib3/util/retry.py ++++ b/aliyun/aliyunsdkcore/vendored/requests/packages/urllib3/util/retry.py +@@ -189,7 +189,9 @@ class Retry: + RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503]) + + #: Default headers to be used for ``remove_headers_on_redirect`` +- DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"]) ++ DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset( ++ ["Cookie", "Authorization", "Proxy-Authorization"] ++ ) + + #: Default maximum backoff time. + DEFAULT_BACKOFF_MAX = 120 + +diff --git a/gcp/google-cloud-sdk/lib/third_party/urllib3/util/retry.py b/gcp/google-cloud-sdk/lib/third_party/urllib3/util/retry.py +index 7a76a4a6ad..0456cceba4 100644 +--- a/gcp/google-cloud-sdk/lib/third_party/urllib3/util/retry.py ++++ b/gcp/google-cloud-sdk/lib/third_party/urllib3/util/retry.py +@@ -189,7 +189,9 @@ class Retry: + RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503]) + + #: Default headers to be used for ``remove_headers_on_redirect`` +- DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"]) ++ DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset( ++ ["Cookie", "Authorization", "Proxy-Authorization"] ++ ) + + #: Default maximum backoff time. + DEFAULT_BACKOFF_MAX = 120 diff --git a/resource-agents.spec b/resource-agents.spec index 5fc0d9f..74f5304 100644 --- a/resource-agents.spec +++ b/resource-agents.spec @@ -73,7 +73,7 @@ Name: resource-agents Summary: Open Source HA Reusable Cluster Resource Scripts Version: 4.9.0 -Release: 54%{?rcver:%{rcver}}%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist}.1 +Release: 54%{?rcver:%{rcver}}%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist}.2 License: GPLv2+ and LGPLv2+ URL: https://github.com/ClusterLabs/resource-agents %if 0%{?fedora} || 0%{?centos_version} || 0%{?rhel} @@ -174,6 +174,7 @@ Patch1006: python3-syntax-fixes.patch Patch1007: aliyuncli-python3-fixes.patch Patch1008: bz1935422-python-pygments-fix-CVE-2021-20270.patch Patch1009: bz1943464-python-pygments-fix-CVE-2021-27291.patch +Patch1010: RHEL-44923-aliyun-gcp-fix-bundled-urllib3-CVE-2024-37891.patch Obsoletes: heartbeat-resources <= %{version} Provides: heartbeat-resources = %{version} @@ -700,6 +701,11 @@ mv %{buildroot}/%{_bindir}/aliyuncli %{buildroot}/%{_bindir}/aliyuncli-ra # aliyun_completer / aliyun_zsh_complete.sh rm %{buildroot}/%{_bindir}/aliyun_* popd + +# regular patch doesnt work in build-section +pushd %{buildroot}/usr/lib/%{name}/%{bundled_lib_dir} +/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=2 < %{PATCH1010} +popd %endif ## tree fixup @@ -993,6 +999,11 @@ ccs_update_schema > /dev/null 2>&1 ||: %{_usr}/lib/ocf/lib/heartbeat/OCF_*.pm %changelog +* Wed Jun 26 2024 Oyvind Albrigtsen - 4.9.0-54.2 +- bundled urllib3: fix CVE-2024-37891 + + Resolves: RHEL-44923 + * Thu May 30 2024 Oyvind Albrigtsen - 4.9.0-54.1 - AWS agents: retry failed metadata requests to avoid instantly failing when there is a hiccup in the network or metadata service