From 9d070bad59909523aaa647da5de44ffbbd3e1da7 Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Tue, 2 Sep 2025 09:38:02 +0000
Subject: [PATCH] Import from CS git

---
 ...-fix-bundled-requests-CVE-2024-47081.patch | 47 +++++++++++++++++++
 SPECS/resource-agents.spec | 13 +++--
 2 files changed, 57 insertions(+), 3 deletions(-)
 create mode 100644 SOURCES/RHEL-104761-aliyun-gcp-fix-bundled-requests-CVE-2024-47081.patch

diff --git a/SOURCES/RHEL-104761-aliyun-gcp-fix-bundled-requests-CVE-2024-47081.patch b/SOURCES/RHEL-104761-aliyun-gcp-fix-bundled-requests-CVE-2024-47081.patch
new file mode 100644
index 0000000..165ddbf
--- /dev/null
+++ b/SOURCES/RHEL-104761-aliyun-gcp-fix-bundled-requests-CVE-2024-47081.patch
@@ -0,0 +1,47 @@
+From 57acb7c26d809cf864ec439b8bcd6364702022d5 Mon Sep 17 00:00:00 2001
+From: Nate Prewitt
+Date: Wed, 25 Sep 2024 08:03:20 -0700
+Subject: [PATCH] Only use hostname to do netrc lookup instead of netloc
+
+---
+ src/requests/utils.py | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+diff --git a/aliyun/aliyunsdkcore/vendored/requests/utils.py b/aliyun/aliyunsdkcore/vendored/requests/utils.py
+index 699683e5d9..8a307ca8a0 100644
+--- a/aliyun/aliyunsdkcore/vendored/requests/utils.py
++++ b/aliyun/aliyunsdkcore/vendored/requests/utils.py
+@@ -182,13 +182,7 @@
+ return
+
+ ri = urlparse(url)
+-
+- # Strip port numbers from netloc. This weird `if...encode`` dance is
+- # used for Python 3.2, which doesn't support unicode literals.
+- splitstr = b':'
+- if isinstance(url, str):
+- splitstr = splitstr.decode('ascii')
+- host = ri.netloc.split(splitstr)[0]
++ host = ri.hostname
+
+ try:
+ _netrc = netrc(netrc_path).authenticators(host)
+diff --git a/gcp/google-cloud-sdk/lib/third_party/requests/utils.py b/gcp/google-cloud-sdk/lib/third_party/requests/utils.py
+index 699683e5d9..8a307ca8a0 100644
+--- a/gcp/google-cloud-sdk/lib/third_party/requests/utils.py
++++ b/gcp/google-cloud-sdk/lib/third_party/requests/utils.py
+@@ -236,13 +236,7 @@ def get_netrc_auth(url, raise_errors=False):
+ return
+
+ ri = urlparse(url)
+-
+- # Strip port numbers from netloc. This weird `if...encode`` dance is
+- # used for Python 3.2, which doesn't support unicode literals.
+- splitstr = b':'
+- if isinstance(url, str):
+- splitstr = splitstr.decode('ascii')
+- host = ri.netloc.split(splitstr)[0]
++ host = ri.hostname
+
+ try:
+ _netrc = netrc(netrc_path).authenticators(host)
diff --git a/SPECS/resource-agents.spec b/SPECS/resource-agents.spec
index a9d97f8..e915125 100644
--- a/SPECS/resource-agents.spec
+++ b/SPECS/resource-agents.spec
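Review bot: `ri.hostname` is returned lower-cased by `urlparse` and is `None` for a URL with no host, so the replacement line `host = ri.hostname` in both hunks changes behaviour beyond closing the `user:pass@` / `host:@evil` netloc confusion that CVE-2024-47081 describes: a `.netrc` entry whose `machine` name contains upper-case letters matched the old `netloc.split(':')[0]` lookup for a same-case URL and will silently stop matching after this backport, and a host-less URL now hands `None` instead of `''` to `authenticators()`, which as far as I can tell from the stdlib falls through to the `default` entry either way. That is the shape of the upstream fix, so no objection to the code; it would help operators to say so in the patch header, e.g. `Note: hostname is normalised to lower case, so mixed-case .netrc machine entries no longer match`. The enclosing `get_netrc_auth` body starts and ends outside both hunks, and the aliyun copy's hunk header carries no function context, so whether that copy still runs on Python 2 (the removed comment mentions 3.2) cannot be confirmed from here, although `ParseResult.hostname` exists on both interpreters.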
@@ -73,7 +73,7 @@
 Name: resource-agents
 Summary: Open Source HA Reusable Cluster Resource Scripts
 Version: 4.9.0
-Release: 54%{?rcver:%{rcver}}%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist}.15
+Release: 54%{?rcver:%{rcver}}%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist}.16
 License: GPLv2+ and LGPLv2+
 URL: https://github.com/ClusterLabs/resource-agents
 %if 0%{?fedora} || 0%{?centos_version} || 0%{?rhel}
@@ -186,7 +186,8 @@ Patch1007: aliyuncli-python3-fixes.patch
 Patch1008: bz1935422-python-pygments-fix-CVE-2021-20270.patch
 Patch1009: bz1943464-python-pygments-fix-CVE-2021-27291.patch
 Patch1010: RHEL-44923-aliyun-gcp-fix-bundled-urllib3-CVE-2024-37891.patch
-Patch1011: RHEL-50360-setuptools-fix-CVE-2024-6345.patch
+Patch1011: RHEL-104761-aliyun-gcp-fix-bundled-requests-CVE-2024-47081.patch
+Patch1012: RHEL-50360-setuptools-fix-CVE-2024-6345.patch

 Obsoletes: heartbeat-resources <= %{version}
 Provides: heartbeat-resources = %{version}
@@ -728,9 +729,10 @@ popd
 # regular patch doesnt work in build-section
 pushd %{buildroot}/usr/lib/%{name}/%{bundled_lib_dir}
 /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=2 < %{PATCH1010}
+/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH1011}
 popd
 pushd %{buildroot}/usr/lib/%{name}/%{bundled_lib_dir}/gcp/google-cloud-sdk/lib/third_party
-/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH1011}
+/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH1012}
 popd

 %endif
@@ -1025,6 +1027,11 @@ ccs_update_schema > /dev/null 2>&1 ||:
 %{_usr}/lib/ocf/lib/heartbeat/OCF_*.pm

 %changelog
+* Fri Aug 15 2025 Oyvind Albrigtsen - 4.9.0-54.16
+- bundled requests: fix CVE-2024-47081
+
+ Resolves: RHEL-104761
+
 * Tue Jul 15 2025 Oyvind Albrigtsen - 4.9.0-54.15
 - ocf-shellfuncs/AWS agents: dont sleep after the final try in curl_retry()
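Review bot: The added `/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH1011}` in the first `pushd` block fixes exactly the two copies named in the patch (aliyun's `vendored/requests` and the gcp bundle's `lib/third_party/requests`); if a third copy of requests ships anywhere under `%{bundled_lib_dir}`, it keeps the vulnerable `netloc.split` lookup and nothing in this hunk would notice. A one-line guard after that `patch` call, still inside the `pushd`, turns that into a build failure: `if grep -rq 'ri.netloc.split' --include=utils.py .; then echo 'unpatched bundled requests copy'; exit 1; fi`. Whether such a copy exists cannot be told from this diff, so treat the guard as cheap insurance rather than a known gap. The `--fuzz=0` matches the existing setuptools line and is the right strictness for a patch that deletes a six-line block; renumbering the setuptools patch from Patch1011 to Patch1012 is consistent because both `patch` invocations were updated, though appending as Patch1012 would have kept future backports smaller.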