From 61308bf3f53db754ad712539aa3843fedeaaa69e Mon Sep 17 00:00:00 2001
From: Oyvind Albrigtsen
Date: Tue, 20 Jan 2026 09:49:57 +0100
Subject: [PATCH] - bundled urllib3: fix CVE-2025-66471 - bundled urllib3: fix CVE-2026-21441
Resolves: RHEL-139760, RHEL-140787
---
...0-fix-bundled-urllib3-CVE-2025-66471.patch | 76 ++++++++++++++++---
resource-agents.spec | 4 +-
2 files changed, 68 insertions(+), 12 deletions(-)
diff --git a/RHEL-139760-fix-bundled-urllib3-CVE-2025-66471.patch b/RHEL-139760-fix-bundled-urllib3-CVE-2025-66471.patch
index af37480..15f540c 100644
--- a/RHEL-139760-fix-bundled-urllib3-CVE-2025-66471.patch
+++ b/RHEL-139760-fix-bundled-urllib3-CVE-2025-66471.patch
@@ -1,5 +1,5 @@
---- a/aliyun/aliyunsdkcore/vendored/requests/packages/urllib3/response.py 2023-10-17 19:42:56.000000000 +0200
-+++ b/aliyun/aliyunsdkcore/vendored/requests/packages/urllib3/response.py 2026-01-16 10:53:08.058702582 +0100
+--- a/aliyun/aliyunsdkcore/vendored/requests/packages/urllib3/response.py 2026-01-20 10:46:57.006470161 +0100
++++ b/aliyun/aliyunsdkcore/vendored/requests/packages/urllib3/response.py 2026-01-20 10:55:44.090084896 +0100
@@ -23,6 +23,7 @@
from .exceptions import (
BodyNotHttplibCompatible,
@@ -187,7 +187,7 @@
def flush(self):
if hasattr(self._obj, "flush"):
-@@ -141,10 +228,35 @@
+@@ -151,10 +238,35 @@
def flush(self):
return self._decoders[0].flush()
@@ -227,7 +227,35 @@
def _get_decoder(mode):
-@@ -624,7 +736,10 @@
+@@ -405,16 +517,25 @@
+ if brotli is not None:
+ DECODER_ERROR_CLASSES += (brotli.error,)
+
+- def _decode(self, data, decode_content, flush_decoder):
++ def _decode(
++ self,
++ data: bytes,
++ decode_content: bool,
++ flush_decoder: bool,
++ max_length: int = None,
++ ) -> bytes:
+ """
+ Decode the data passed in and potentially flush the decoder.
+ """
+ if not decode_content:
+ return data
+
++ if max_length is None or flush_decoder:
++ max_length = -1
++
+ try:
+ if self._decoder:
+- data = self._decoder.decompress(data)
++ data = self._decoder.decompress(data, max_length=max_length)
+ except self.DECODER_ERROR_CLASSES as e:
+ content_encoding = self.headers.get("content-encoding", "").lower()
+ raise DecodeError(
+@@ -634,7 +755,10 @@
for line in self.read_chunked(amt, decode_content=decode_content):
yield line
else:
@@ -239,7 +267,7 @@
data = self.read(amt=amt, decode_content=decode_content)
if data:
-@@ -830,7 +945,10 @@
+@@ -840,7 +964,10 @@
break
chunk = self._handle_chunk(amt)
decoded = self._decode(
@@ -252,8 +280,8 @@
if decoded:
yield decoded
---- a/gcp/google-cloud-sdk/lib/third_party/urllib3/response.py 2023-10-17 19:42:56.000000000 +0200
-+++ b/gcp/google-cloud-sdk/lib/third_party/urllib3/response.py 2026-01-16 10:53:08.058702582 +0100
+--- a/gcp/google-cloud-sdk/lib/third_party/urllib3/response.py 2026-01-20 10:46:57.006470161 +0100
++++ b/gcp/google-cloud-sdk/lib/third_party/urllib3/response.py 2026-01-20 10:55:44.090084896 +0100
@@ -23,6 +23,7 @@
from .exceptions import (
BodyNotHttplibCompatible,
@@ -441,7 +469,7 @@
def flush(self):
if hasattr(self._obj, "flush"):
-@@ -141,10 +228,35 @@
+@@ -151,10 +238,35 @@
def flush(self):
return self._decoders[0].flush()
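Review bot: `max_length: int = None` in the new `_decode` signature (nested hunk `+@@ -405,16 +517,25 @@`) annotates a `None`-defaulted parameter as plain `int`, and the gcp copy at `@@ -481,7 +509,35 @@` repeats it; `max_length: Optional[int] = None` (with `Optional` imported from `typing` if the module does not already have it) matches the `if max_length is None` test two lines below and, unlike `int | None`, does not depend on `from __future__ import annotations` on interpreters older than 3.10. The `-1` assigned on the `flush_decoder` path removes the output cap, presumably so the final flush can drain whatever the decoder still holds; a comment on that line, `# a flush must drain the decoder completely, so no output cap applies here`, would keep a later cleanup from re-applying the limit. That sentinel is only correct if every decoder wrapper earlier in this patch, whose hunks this diff merely renumbers, accepts the `max_length` keyword and maps `-1` onto zlib's own convention, where `0` means no limit and a negative value raises `ValueError`, so this is worth confirming rather than assuming. `_decode` continues past the hunk, which ends at the `raise DecodeError(` line.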
@@ -481,7 +509,35 @@
def _get_decoder(mode):
-@@ -624,7 +736,10 @@
+@@ -405,16 +517,25 @@
+ if brotli is not None:
+ DECODER_ERROR_CLASSES += (brotli.error,)
+
+- def _decode(self, data, decode_content, flush_decoder):
++ def _decode(
++ self,
++ data: bytes,
++ decode_content: bool,
++ flush_decoder: bool,
++ max_length: int = None,
++ ) -> bytes:
+ """
+ Decode the data passed in and potentially flush the decoder.
+ """
+ if not decode_content:
+ return data
+
++ if max_length is None or flush_decoder:
++ max_length = -1
++
+ try:
+ if self._decoder:
+- data = self._decoder.decompress(data)
++ data = self._decoder.decompress(data, max_length=max_length)
+ except self.DECODER_ERROR_CLASSES as e:
+ content_encoding = self.headers.get("content-encoding", "").lower()
+ raise DecodeError(
+@@ -634,7 +755,10 @@
for line in self.read_chunked(amt, decode_content=decode_content):
yield line
else:
@@ -493,7 +549,7 @@
data = self.read(amt=amt, decode_content=decode_content)
if data:
-@@ -830,7 +945,10 @@
+@@ -840,7 +964,10 @@
break
chunk = self._handle_chunk(amt)
decoded = self._decode(
diff --git a/resource-agents.spec b/resource-agents.spec
index d1db658..90f4592 100644
--- a/resource-agents.spec
+++ b/resource-agents.spec
@@ -73,7 +73,7 @@ Name: resource-agents
Summary: Open Source HA Reusable Cluster Resource Scripts
Version: 4.9.0
-Release: 54%{?rcver:%{rcver}}%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist}.26
+Release: 54%{?rcver:%{rcver}}%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist}.27
License: GPLv2+ and LGPLv2+
URL: https://github.com/ClusterLabs/resource-agents
%if 0%{?fedora} || 0%{?centos_version} || 0%{?rhel}
@@ -1051,7 +1051,7 @@ ccs_update_schema > /dev/null 2>&1 ||:
%{_usr}/lib/ocf/lib/heartbeat/OCF_*.pm
%changelog
-* Fri Jan 16 2026 Oyvind Albrigtsen - 4.9.0-54.26
+* Tue Jan 20 2026 Oyvind Albrigtsen - 4.9.0-54.27
- bundled urllib3: fix CVE-2025-66471
- bundled urllib3: fix CVE-2026-21441