Diffstat (limited to 'RHEL-43562-fix-bundled-urllib3-CVE-2024-37891.patch')
-rw-r--r-- | RHEL-43562-fix-bundled-urllib3-CVE-2024-37891.patch | 96 |
1 files changed, 96 insertions, 0 deletions
diff --git a/RHEL-43562-fix-bundled-urllib3-CVE-2024-37891.patch b/RHEL-43562-fix-bundled-urllib3-CVE-2024-37891.patch
new file mode 100644
index 0000000..2c2de0e
--- /dev/null
+++ b/RHEL-43562-fix-bundled-urllib3-CVE-2024-37891.patch
@@ -0,0 +1,96 @@
+From accff72ecc2f6cf5a76d9570198a93ac7c90270e Mon Sep 17 00:00:00 2001
+From: Quentin Pradet <quentin.pradet@gmail.com>
+Date: Mon, 17 Jun 2024 11:09:06 +0400
+Subject: [PATCH] Merge pull request from GHSA-34jh-p97f-mpxf
+
+* Strip Proxy-Authorization header on redirects
+
+* Fix test_retry_default_remove_headers_on_redirect
+
+* Set release date
+---
+ CHANGES.rst | 5 +++++
+ src/urllib3/util/retry.py | 4 +++-
+ test/test_retry.py | 6 ++++-
+ test/with_dummyserver/test_poolmanager.py | 27 ++++++++++++++++++++---
+ 4 files changed, 37 insertions(+), 5 deletions(-)
+
+diff --git a/awscli/urllib3/util/retry.py b/awscli/urllib3/util/retry.py
+index 7a76a4a6ad..0456cceba4 100644
+--- a/awscli/urllib3/util/retry.py
++++ b/awscli/urllib3/util/retry.py
+@@ -189,7 +189,9 @@ class Retry:
+ RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
+
+ #: Default headers to be used for ``remove_headers_on_redirect``
+- DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
++ DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(
++ ["Cookie", "Authorization", "Proxy-Authorization"]
++ )
+
+ #: Default maximum backoff time.
+ DEFAULT_BACKOFF_MAX = 120
+
+diff --git a/aws/urllib3/util/retry.py b/aws/urllib3/util/retry.py
+index 7a76a4a6ad..0456cceba4 100644
+--- a/aws/urllib3/util/retry.py
++++ b/aws/urllib3/util/retry.py
+@@ -189,7 +189,9 @@ class Retry:
+ RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
+
+ #: Default headers to be used for ``remove_headers_on_redirect``
+- DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
++ DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(
++ ["Cookie", "Authorization", "Proxy-Authorization"]
++ )
+
+ #: Default maximum backoff time.
+ DEFAULT_BACKOFF_MAX = 120
+
+diff --git a/azure/urllib3/util/retry.py b/azure/urllib3/util/retry.py
+index 7a76a4a6ad..0456cceba4 100644
+--- a/azure/urllib3/util/retry.py
++++ b/azure/urllib3/util/retry.py
+@@ -189,7 +189,9 @@ class Retry:
+ RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
+
+ #: Default headers to be used for ``remove_headers_on_redirect``
+- DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
++ DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(
++ ["Cookie", "Authorization", "Proxy-Authorization"]
++ )
+
+ #: Default maximum backoff time.
+ DEFAULT_BACKOFF_MAX = 120
+
+diff --git a/google/urllib3/util/retry.py b/google/urllib3/util/retry.py
+index 7a76a4a6ad..0456cceba4 100644
+--- a/google/urllib3/util/retry.py
++++ b/google/urllib3/util/retry.py
+@@ -189,7 +189,9 @@ class Retry:
+ RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
+
+ #: Default headers to be used for ``remove_headers_on_redirect``
+- DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
++ DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(
++ ["Cookie", "Authorization", "Proxy-Authorization"]
++ )
+
+ #: Default maximum backoff time.
+ DEFAULT_BACKOFF_MAX = 120
+
+diff --git a/kubevirt/urllib3/util/retry.py b/kubevirt/urllib3/util/retry.py
+index 7a76a4a6ad..0456cceba4 100644
+--- a/kubevirt/urllib3/util/retry.py
++++ b/kubevirt/urllib3/util/retry.py
+@@ -189,7 +189,9 @@ class Retry:
+ RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
+
+ #: Default headers to be used for ``remove_headers_on_redirect``
+- DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
++ DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(
++ ["Cookie", "Authorization", "Proxy-Authorization"]
++ )
+
+ #: Default maximum backoff time.
+ DEFAULT_BACKOFF_MAX = 120 |
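Review bot: Nothing in this patch checks that the five bundled copies it touches (`awscli/`, `aws/`, `azure/`, `google/`, `kubevirt/`) are the only urllib3 copies the package ships, so any further vendored `urllib3/util/retry.py` not listed here would keep the old two-entry default and leave `Proxy-Authorization` unstripped on redirects. A build-time check in the spec (not visible on this page) that every shipped `urllib3/util/retry.py` contains `"Proxy-Authorization"` would catch a missed or newly added bundle. The fix changes only `DEFAULT_REMOVE_HEADERS_ON_REDIRECT`, so a caller that passes its own `remove_headers_on_redirect` to `Retry` is not covered by it. The preamble's diffstat still lists the upstream paths (`src/urllib3/util/retry.py`, `test/…`, `CHANGES.rst`) that this backport does not carry; a preamble line such as `Backport note: retry.py change only, applied to the bundled copies; upstream tests and CHANGES.rst omitted` would make that explicit. The `Retry` class body starts and ends outside each inner hunk.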