diff --git a/SOURCES/Add-server_hostname-to-SSL_KEYWORDS.patch b/SOURCES/Add-server_hostname-to-SSL_KEYWORDS.patch new file mode 100644 index 0000000..b197c40 --- /dev/null +++ b/SOURCES/Add-server_hostname-to-SSL_KEYWORDS.patch @@ -0,0 +1,38 @@ +From f1d40fd07f7b5d9cf846a18fb5a920b4be07dfc5 Mon Sep 17 00:00:00 2001 +From: Hasan Ramezani +Date: Thu, 20 Jan 2022 15:56:02 +0100 +Subject: [PATCH] [1.26] Add server_hostname to SSL_KEYWORDS + +--- + src/urllib3/poolmanager.py | 1 + + test/with_dummyserver/test_poolmanager.py | 5 +++++ + 2 files changed, 6 insertions(+) + +diff --git a/src/urllib3/poolmanager.py b/src/urllib3/poolmanager.py +index 3a31a285bf..ca4ec34118 100644 +--- a/src/urllib3/poolmanager.py ++++ b/src/urllib3/poolmanager.py +@@ -34,6 +34,7 @@ + "ca_cert_dir", + "ssl_context", + "key_password", ++ "server_hostname", + ) + + # All known keyword arguments that could be provided to the pool manager, its +diff --git a/test/with_dummyserver/test_poolmanager.py b/test/with_dummyserver/test_poolmanager.py +index d877cc99ac..fa07a372a9 100644 +--- a/test/with_dummyserver/test_poolmanager.py ++++ b/test/with_dummyserver/test_poolmanager.py +@@ -346,6 +346,11 @@ def test_http_with_ssl_keywords(self): + r = http.request("GET", "http://%s:%s/" % (self.host, self.port)) + assert r.status == 200 + ++ def test_http_with_server_hostname(self): ++ with PoolManager(server_hostname="example.com") as http: ++ r = http.request("GET", "http://%s:%s/" % (self.host, self.port)) ++ assert r.status == 200 ++ + def test_http_with_ca_cert_dir(self): + with PoolManager(ca_certs="REQUIRED", ca_cert_dir="/nosuchdir") as http: + r = http.request("GET", "http://%s:%s/" % (self.host, self.port)) diff --git a/SOURCES/CVE-2024-37891.patch b/SOURCES/CVE-2024-37891.patch new file mode 100644 index 0000000..8860e52 --- /dev/null +++ b/SOURCES/CVE-2024-37891.patch @@ -0,0 +1,66 @@ +From 3606f6166c000213f1e1e9bace3c12f924dd0132 Mon Sep 17 00:00:00 2001 +From: Quentin Pradet +Date: Wed, 26 Jun 2024 15:56:34 +0200 +Subject: [PATCH] Merge pull request from GHSA-34jh-p97f-mpxf + +* [1.26] Strip Proxy-Authorization header on redirects + +* Set release date +--- + src/urllib3/util/retry.py | 4 +++- + test/test_retry.py | 6 +++++- + test/test_retry_deprecated.py | 6 +++++- + 3 files changed, 13 insertions(+), 3 deletions(-) + +diff --git a/src/urllib3/util/retry.py b/src/urllib3/util/retry.py +index 63c02ee..42fa619 100644 +--- a/src/urllib3/util/retry.py ++++ b/src/urllib3/util/retry.py +@@ -217,7 +217,9 @@ class Retry(object): + RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503]) + + #: Default headers to be used for ``remove_headers_on_redirect`` +- DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"]) ++ DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset( ++ ["Cookie", "Authorization", "Proxy-Authorization"] ++ ) + + #: Maximum backoff time. + BACKOFF_MAX = 120 +diff --git a/test/test_retry.py b/test/test_retry.py +index e9270bb..cf60bf1 100644 +--- a/test/test_retry.py ++++ b/test/test_retry.py +@@ -293,7 +293,11 @@ class TestRetry(object): + def test_retry_default_remove_headers_on_redirect(self): + retry = Retry() + +- assert retry.remove_headers_on_redirect == {"authorization", "cookie"} ++ assert retry.remove_headers_on_redirect == { ++ "authorization", ++ "proxy-authorization", ++ "cookie", ++ } + + def test_retry_set_remove_headers_on_redirect(self): + retry = Retry(remove_headers_on_redirect=["X-API-Secret"]) +diff --git a/test/test_retry_deprecated.py b/test/test_retry_deprecated.py +index d18f94c..a107f7b 100644 +--- a/test/test_retry_deprecated.py ++++ b/test/test_retry_deprecated.py +@@ -295,7 +295,11 @@ class TestRetry(object): + def test_retry_default_remove_headers_on_redirect(self): + retry = Retry() + +- assert retry.remove_headers_on_redirect == {"authorization", "cookie"} ++ assert retry.remove_headers_on_redirect == { ++ "authorization", ++ "proxy-authorization", ++ "cookie", ++ } + + def test_retry_set_remove_headers_on_redirect(self): + retry = Retry(remove_headers_on_redirect=["X-API-Secret"]) +-- +2.44.0 + diff --git a/SPECS/python-urllib3.spec b/SPECS/python-urllib3.spec index f39293f..82a9afa 100644 --- a/SPECS/python-urllib3.spec +++ b/SPECS/python-urllib3.spec @@ -6,7 +6,7 @@ Name: python-%{srcname} Version: 1.26.5 -Release: 3%{?dist}.1 +Release: 5%{?dist}.1 Summary: Python HTTP library with thread-safe connection pooling and file post License: MIT @@ -32,6 +32,17 @@ Patch1: CVE-2023-43804.patch # Upstream fix: https://github.com/urllib3/urllib3/commit/4e98d57809dacab1cbe625fddeec1a290c478ea9 Patch2: CVE-2023-45803.patch +# PoolManager.urlopen fails with TypeError for http connection if the PoolManager is instantiated with server_hostname +# Tracking bug: https://issues.redhat.com/browse/RHEL-39285 +# Upstream fix: https://github.com/urllib3/urllib3/commit/f1d40fd07f7b5d9cf846a18fb5a920b4be07dfc5 +Patch3: Add-server_hostname-to-SSL_KEYWORDS.patch + +# CVE-2024-37891 +# Proxy-authorization request header is not stripped during cross-origin redirects. +# Tracking bug: https://issues.redhat.com/browse/RHEL-43172 +# Upstream fix: https://github.com/urllib3/urllib3/commit/40b6d1605814dd1db0a46e202d6e56f2e4c9a468 +Patch4: CVE-2024-37891.patch + %description Python HTTP module with connection pooling and file POST abilities. @@ -134,9 +145,19 @@ ln -s %{python3_sitelib}/__pycache__/six.cpython-%{python3_version_nodots}.pyc \ %changelog -* Mon Dec 18 2023 Lumír Balhar - 1.26.5-3.1 -- Security fix for CVE-2023-45803 and CVE-2023-43804 -Resolves: RHEL-16873 RHEL-19704 +* Tue Jun 18 2024 Tomáš Hrnčiar - 1.26.5-5.1 +- Security fix for CVE-2024-37891 +- Backport upstream patch to fix TypeError for http connection if the PoolManager +- is instantiated with server_hostname +Resolves: RHEL-49853 + +* Tue Dec 12 2023 Lumír Balhar - 1.26.5-5 +- Security fix for CVE-2023-45803 +Resolves: RHEL-16874 + +* Thu Oct 12 2023 Lumír Balhar - 1.26.5-4 +- Security fix for CVE-2023-43804 +Resolves: RHEL-12001 * Tue Feb 08 2022 Tomáš Hrnčiar - 1.26.5-3 - Add automatically generated Obsoletes tag with the python39- prefix