- bundled urllib3: fix CVE-2024-37891

Resolves: RHEL-44923
This commit is contained in:
Oyvind Albrigtsen 2024-06-26 07:52:56 +02:00
parent 4518850ea0
commit 3bbd7bf742
2 changed files with 60 additions and 1 deletions

View File

@ -0,0 +1,48 @@
From accff72ecc2f6cf5a76d9570198a93ac7c90270e Mon Sep 17 00:00:00 2001
From: Quentin Pradet <quentin.pradet@gmail.com>
Date: Mon, 17 Jun 2024 11:09:06 +0400
Subject: [PATCH] Merge pull request from GHSA-34jh-p97f-mpxf
* Strip Proxy-Authorization header on redirects
* Fix test_retry_default_remove_headers_on_redirect
* Set release date
---
CHANGES.rst | 5 +++++
src/urllib3/util/retry.py | 4 +++-
test/test_retry.py | 6 ++++-
test/with_dummyserver/test_poolmanager.py | 27 ++++++++++++++++++++---
4 files changed, 37 insertions(+), 5 deletions(-)
diff --git a/aliyun/aliyunsdkcore/vendored/requests/packages/urllib3/util/retry.py b/aliyun/aliyunsdkcore/vendored/requests/packages/urllib3/util/retry.py
index 7a76a4a6ad..0456cceba4 100644
--- a/aliyun/aliyunsdkcore/vendored/requests/packages/urllib3/util/retry.py
+++ b/aliyun/aliyunsdkcore/vendored/requests/packages/urllib3/util/retry.py
@@ -189,7 +189,9 @@ class Retry:
RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
#: Default headers to be used for ``remove_headers_on_redirect``
- DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
+ DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(
+ ["Cookie", "Authorization", "Proxy-Authorization"]
+ )
#: Default maximum backoff time.
DEFAULT_BACKOFF_MAX = 120
diff --git a/gcp/google-cloud-sdk/lib/third_party/urllib3/util/retry.py b/gcp/google-cloud-sdk/lib/third_party/urllib3/util/retry.py
index 7a76a4a6ad..0456cceba4 100644
--- a/gcp/google-cloud-sdk/lib/third_party/urllib3/util/retry.py
+++ b/gcp/google-cloud-sdk/lib/third_party/urllib3/util/retry.py
@@ -189,7 +189,9 @@ class Retry:
RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
#: Default headers to be used for ``remove_headers_on_redirect``
- DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
+ DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(
+ ["Cookie", "Authorization", "Proxy-Authorization"]
+ )
#: Default maximum backoff time.
DEFAULT_BACKOFF_MAX = 120

View File

@ -73,7 +73,7 @@
Name: resource-agents Name: resource-agents
Summary: Open Source HA Reusable Cluster Resource Scripts Summary: Open Source HA Reusable Cluster Resource Scripts
Version: 4.9.0 Version: 4.9.0
Release: 54%{?rcver:%{rcver}}%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist}.1 Release: 54%{?rcver:%{rcver}}%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist}.2
License: GPLv2+ and LGPLv2+ License: GPLv2+ and LGPLv2+
URL: https://github.com/ClusterLabs/resource-agents URL: https://github.com/ClusterLabs/resource-agents
%if 0%{?fedora} || 0%{?centos_version} || 0%{?rhel} %if 0%{?fedora} || 0%{?centos_version} || 0%{?rhel}
@ -174,6 +174,7 @@ Patch1006: python3-syntax-fixes.patch
Patch1007: aliyuncli-python3-fixes.patch Patch1007: aliyuncli-python3-fixes.patch
Patch1008: bz1935422-python-pygments-fix-CVE-2021-20270.patch Patch1008: bz1935422-python-pygments-fix-CVE-2021-20270.patch
Patch1009: bz1943464-python-pygments-fix-CVE-2021-27291.patch Patch1009: bz1943464-python-pygments-fix-CVE-2021-27291.patch
Patch1010: RHEL-44923-aliyun-gcp-fix-bundled-urllib3-CVE-2024-37891.patch
Obsoletes: heartbeat-resources <= %{version} Obsoletes: heartbeat-resources <= %{version}
Provides: heartbeat-resources = %{version} Provides: heartbeat-resources = %{version}
@ -700,6 +701,11 @@ mv %{buildroot}/%{_bindir}/aliyuncli %{buildroot}/%{_bindir}/aliyuncli-ra
# aliyun_completer / aliyun_zsh_complete.sh # aliyun_completer / aliyun_zsh_complete.sh
rm %{buildroot}/%{_bindir}/aliyun_* rm %{buildroot}/%{_bindir}/aliyun_*
popd popd
# regular patch doesnt work in build-section
pushd %{buildroot}/usr/lib/%{name}/%{bundled_lib_dir}
/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=2 < %{PATCH1010}
popd
%endif %endif
## tree fixup ## tree fixup
@ -993,6 +999,11 @@ ccs_update_schema > /dev/null 2>&1 ||:
%{_usr}/lib/ocf/lib/heartbeat/OCF_*.pm %{_usr}/lib/ocf/lib/heartbeat/OCF_*.pm
%changelog %changelog
* Wed Jun 26 2024 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-54.2
- bundled urllib3: fix CVE-2024-37891
Resolves: RHEL-44923
* Thu May 30 2024 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-54.1 * Thu May 30 2024 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-54.1
- AWS agents: retry failed metadata requests to avoid instantly - AWS agents: retry failed metadata requests to avoid instantly
failing when there is a hiccup in the network or metadata service failing when there is a hiccup in the network or metadata service