- bundled urllib3: fix CVE-2025-66471

- bundled urllib3: fix CVE-2026-21441 Resolves: RHEL-139760, RHEL-140787
2026-01-20 09:49:57 +01:00 · 2026-01-20 09:49:57 +01:00 · 61308bf3f5
commit 61308bf3f5
parent f553bbea02
2 changed files with 68 additions and 12 deletions
--- a/RHEL-139760-fix-bundled-urllib3-CVE-2025-66471.patch
+++ b/RHEL-139760-fix-bundled-urllib3-CVE-2025-66471.patch
@ -1,5 +1,5 @@
--- a/aliyun/aliyunsdkcore/vendored/requests/packages/urllib3/response.py	2023-10-17 19:42:56.000000000 +0200
-+++ b/aliyun/aliyunsdkcore/vendored/requests/packages/urllib3/response.py	2026-01-16 10:53:08.058702582 +0100
+--- a/aliyun/aliyunsdkcore/vendored/requests/packages/urllib3/response.py	2026-01-20 10:46:57.006470161 +0100
+++ b/aliyun/aliyunsdkcore/vendored/requests/packages/urllib3/response.py	2026-01-20 10:55:44.090084896 +0100
@@ -23,6 +23,7 @@
 from .exceptions import (
     BodyNotHttplibCompatible,
@ -187,7 +187,7 @@
 
         def flush(self):
             if hasattr(self._obj, "flush"):
-@@ -141,10 +228,35 @@
+@@ -151,10 +238,35 @@
     def flush(self):
         return self._decoders[0].flush()
 
@ -227,7 +227,35 @@
 
 
 def _get_decoder(mode):
-@@ -624,7 +736,10 @@
+@@ -405,16 +517,25 @@
+     if brotli is not None:
+         DECODER_ERROR_CLASSES += (brotli.error,)
+ 
+-    def _decode(self, data, decode_content, flush_decoder):
+    def _decode(
+        self,
+        data: bytes,
+        decode_content: bool,
+        flush_decoder: bool,
+        max_length: int = None,
+    ) -> bytes:
+         """
+         Decode the data passed in and potentially flush the decoder.
+         """
+         if not decode_content:
+             return data
+ 
+        if max_length is None or flush_decoder:
+            max_length = -1
+
+         try:
+             if self._decoder:
+-                data = self._decoder.decompress(data)
+                data = self._decoder.decompress(data, max_length=max_length)
+         except self.DECODER_ERROR_CLASSES as e:
+             content_encoding = self.headers.get("content-encoding", "").lower()
+             raise DecodeError(
+@@ -634,7 +755,10 @@
             for line in self.read_chunked(amt, decode_content=decode_content):
                 yield line
         else:
@ -239,7 +267,7 @@
                 data = self.read(amt=amt, decode_content=decode_content)
 
                 if data:
-@@ -830,7 +945,10 @@
+@@ -840,7 +964,10 @@
                     break
                 chunk = self._handle_chunk(amt)
                 decoded = self._decode(
@ -252,8 +280,8 @@
                 if decoded:
                     yield decoded

--- a/gcp/google-cloud-sdk/lib/third_party/urllib3/response.py	2023-10-17 19:42:56.000000000 +0200
-+++ b/gcp/google-cloud-sdk/lib/third_party/urllib3/response.py	2026-01-16 10:53:08.058702582 +0100
+--- a/gcp/google-cloud-sdk/lib/third_party/urllib3/response.py	2026-01-20 10:46:57.006470161 +0100
+++ b/gcp/google-cloud-sdk/lib/third_party/urllib3/response.py	2026-01-20 10:55:44.090084896 +0100
@@ -23,6 +23,7 @@
 from .exceptions import (
     BodyNotHttplibCompatible,
@ -441,7 +469,7 @@
 
         def flush(self):
             if hasattr(self._obj, "flush"):
-@@ -141,10 +228,35 @@
+@@ -151,10 +238,35 @@
     def flush(self):
         return self._decoders[0].flush()
 
@ -481,7 +509,35 @@
 
 
 def _get_decoder(mode):
-@@ -624,7 +736,10 @@
+@@ -405,16 +517,25 @@
+     if brotli is not None:
+         DECODER_ERROR_CLASSES += (brotli.error,)
+ 
+-    def _decode(self, data, decode_content, flush_decoder):
+    def _decode(
+        self,
+        data: bytes,
+        decode_content: bool,
+        flush_decoder: bool,
+        max_length: int = None,
+    ) -> bytes:
+         """
+         Decode the data passed in and potentially flush the decoder.
+         """
+         if not decode_content:
+             return data
+ 
+        if max_length is None or flush_decoder:
+            max_length = -1
+
+         try:
+             if self._decoder:
+-                data = self._decoder.decompress(data)
+                data = self._decoder.decompress(data, max_length=max_length)
+         except self.DECODER_ERROR_CLASSES as e:
+             content_encoding = self.headers.get("content-encoding", "").lower()
+             raise DecodeError(
+@@ -634,7 +755,10 @@
             for line in self.read_chunked(amt, decode_content=decode_content):
                 yield line
         else:
@ -493,7 +549,7 @@
                 data = self.read(amt=amt, decode_content=decode_content)
 
                 if data:
-@@ -830,7 +945,10 @@
+@@ -840,7 +964,10 @@
                     break
                 chunk = self._handle_chunk(amt)
                 decoded = self._decode(
--- a/resource-agents.spec
+++ b/resource-agents.spec
@ -73,7 +73,7 @@
 Name:		resource-agents
 Summary:	Open Source HA Reusable Cluster Resource Scripts
 Version:	4.9.0
-Release:	54%{?rcver:%{rcver}}%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist}.26
+Release:	54%{?rcver:%{rcver}}%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist}.27
 License:	GPLv2+ and LGPLv2+
 URL:		https://github.com/ClusterLabs/resource-agents
 %if 0%{?fedora} || 0%{?centos_version} || 0%{?rhel}
@ -1051,7 +1051,7 @@ ccs_update_schema > /dev/null 2>&1 ||:
 %{_usr}/lib/ocf/lib/heartbeat/OCF_*.pm

 %changelog
-* Fri Jan 16 2026 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-54.26
+* Tue Jan 20 2026 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-54.27
 - bundled urllib3: fix CVE-2025-66471
 - bundled urllib3: fix CVE-2026-21441