- bundled urllib3: fix CVE-2025-66471

- bundled urllib3: fix CVE-2026-21441 Resolves: RHEL-139760, RHEL-140787
2026-01-16 12:23:32 +01:00 · 2026-01-16 12:23:32 +01:00 · f553bbea02
commit f553bbea02
parent 6932cae0b3
2 changed files with 8 additions and 10 deletions
--- a/RHEL-139760-fix-bundled-urllib3-CVE-2025-66471.patch
+++ b/RHEL-139760-fix-bundled-urllib3-CVE-2025-66471.patch
@ -1,5 +1,5 @@
 --- a/aliyun/aliyunsdkcore/vendored/requests/packages/urllib3/response.py	2023-10-17 19:42:56.000000000 +0200
-+++ b/aliyun/aliyunsdkcore/vendored/requests/packages/urllib3/response.py	2026-01-13 11:24:13.592292511 +0100
+++ b/aliyun/aliyunsdkcore/vendored/requests/packages/urllib3/response.py	2026-01-16 10:53:08.058702582 +0100
@@ -23,6 +23,7 @@
 from .exceptions import (
     BodyNotHttplibCompatible,
@ -227,20 +227,19 @@
 
 
 def _get_decoder(mode):
-@@ -624,7 +736,11 @@
+@@ -624,7 +736,10 @@
             for line in self.read_chunked(amt, decode_content=decode_content):
                 yield line
         else:
 -            while not is_fp_closed(self._fp):
 +            while (
 +                not is_fp_closed(self._fp)
-+                or len(self._decoded_buffer) > 0
 +                or (self._decoder and self._decoder.has_unconsumed_tail)
 +            ):
                 data = self.read(amt=amt, decode_content=decode_content)
 
                 if data:
-@@ -830,7 +946,10 @@
+@@ -830,7 +945,10 @@
                     break
                 chunk = self._handle_chunk(amt)
                 decoded = self._decode(
@ -254,7 +253,7 @@
                     yield decoded

 --- a/gcp/google-cloud-sdk/lib/third_party/urllib3/response.py	2023-10-17 19:42:56.000000000 +0200
-+++ b/gcp/google-cloud-sdk/lib/third_party/urllib3/response.py	2026-01-13 11:24:13.592292511 +0100
+++ b/gcp/google-cloud-sdk/lib/third_party/urllib3/response.py	2026-01-16 10:53:08.058702582 +0100
@@ -23,6 +23,7 @@
 from .exceptions import (
     BodyNotHttplibCompatible,
@ -482,20 +481,19 @@
 
 
 def _get_decoder(mode):
-@@ -624,7 +736,11 @@
+@@ -624,7 +736,10 @@
             for line in self.read_chunked(amt, decode_content=decode_content):
                 yield line
         else:
 -            while not is_fp_closed(self._fp):
 +            while (
 +                not is_fp_closed(self._fp)
-+                or len(self._decoded_buffer) > 0
 +                or (self._decoder and self._decoder.has_unconsumed_tail)
 +            ):
                 data = self.read(amt=amt, decode_content=decode_content)
 
                 if data:
-@@ -830,7 +946,10 @@
+@@ -830,7 +945,10 @@
                     break
                 chunk = self._handle_chunk(amt)
                 decoded = self._decode(
--- a/resource-agents.spec
+++ b/resource-agents.spec
@ -73,7 +73,7 @@
 Name:		resource-agents
 Summary:	Open Source HA Reusable Cluster Resource Scripts
 Version:	4.9.0
-Release:	54%{?rcver:%{rcver}}%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist}.25
+Release:	54%{?rcver:%{rcver}}%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist}.26
 License:	GPLv2+ and LGPLv2+
 URL:		https://github.com/ClusterLabs/resource-agents
 %if 0%{?fedora} || 0%{?centos_version} || 0%{?rhel}
@ -1051,7 +1051,7 @@ ccs_update_schema > /dev/null 2>&1 ||:
 %{_usr}/lib/ocf/lib/heartbeat/OCF_*.pm

 %changelog
-* Wed Jan 14 2026 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-54.25
+* Fri Jan 16 2026 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-54.26
 - bundled urllib3: fix CVE-2025-66471
 - bundled urllib3: fix CVE-2026-21441