diff --git a/fix-CVE-2024-37891.patch b/fix-CVE-2024-37891.patch new file mode 100644 index 0000000000000000000000000000000000000000..dd9c8f32cc2921503b3fa168b55af638568f2ab6 --- /dev/null +++ b/fix-CVE-2024-37891.patch @@ -0,0 +1,72 @@ +From accff72ecc2f6cf5a76d9570198a93ac7c90270e Mon Sep 17 00:00:00 2001 +From: Quentin Pradet +Date: Mon, 17 Jun 2024 11:09:06 +0400 +Subject: [PATCH] Merge pull request from GHSA-34jh-p97f-mpxf + +* Strip Proxy-Authorization header on redirects + +* Fix test_retry_default_remove_headers_on_redirect + +* Set release date + +Conflict:test/with_dummyserver/test_poolmanager.py hsa not been modified +because it has been deleted in the pre-phase of the spec file +Reference:https://github.com/urllib3/urllib3/commit/accff72ecc2f6cf5a76d9570198a93ac7c90270e + +--- + CHANGES.rst | 5 +++++ + src/urllib3/util/retry.py | 4 +++- + test/test_retry.py | 6 +++++- + 3 files changed, 13 insertions(+), 2 deletions(-) + +diff --git a/CHANGES.rst b/CHANGES.rst +index 3a0a4f0..eba0814 100644 +--- a/CHANGES.rst ++++ b/CHANGES.rst +@@ -1,6 +1,11 @@ + Changes + ======= + ++2.2.2 (2024-06-17) ++================== ++ ++- Added the ``Proxy-Authorization`` header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via ``Retry.remove_headers_on_redirect``. ++ + 1.26.18 (2023-10-17) + -------------------- + +diff --git a/src/urllib3/util/retry.py b/src/urllib3/util/retry.py +index 60ef6c4..9a1e90d 100644 +--- a/src/urllib3/util/retry.py ++++ b/src/urllib3/util/retry.py +@@ -235,7 +235,9 @@ class Retry(object): + RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503]) + + #: Default headers to be used for ``remove_headers_on_redirect`` +- DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"]) ++ DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset( ++ ["Cookie", "Authorization", "Proxy-Authorization"] ++ ) + + #: Maximum backoff time. + DEFAULT_BACKOFF_MAX = 120 +diff --git a/test/test_retry.py b/test/test_retry.py +index 6475f2a..a0463e4 100644 +--- a/test/test_retry.py ++++ b/test/test_retry.py +@@ -296,7 +296,11 @@ class TestRetry(object): + def test_retry_default_remove_headers_on_redirect(self): + retry = Retry() + +- assert retry.remove_headers_on_redirect == {"authorization", "cookie"} ++ assert retry.remove_headers_on_redirect == { ++ "authorization", ++ "proxy-authorization", ++ "cookie", ++ } + + def test_retry_set_remove_headers_on_redirect(self): + retry = Retry(remove_headers_on_redirect=["X-API-Secret"]) +-- +2.33.0 + diff --git a/python-urllib3.spec b/python-urllib3.spec index 076b4dc68d843147523c600a380ffab55af20e13..5d1cca7f68cf5609f1609fdbd3d061e91350b061 100644 --- a/python-urllib3.spec +++ b/python-urllib3.spec @@ -1,4 +1,4 @@ -%define anolis_release 2 +%define anolis_release 3 %bcond_with tests %global pypi_name urllib3 @@ -11,6 +11,8 @@ URL: https://github.com/urllib3/urllib3 Source0: %{url}/archive/%{version}/%{pypi_name}-%{version}.tar.gz BuildArch: noarch +Patch1: fix-CVE-2024-37891.patch + %description Python HTTP module with connection pooling and file POST abilities. @@ -73,6 +75,9 @@ sed -i -e 's/^import mock/from unittest import mock/' \ %doc CHANGES.rst README.rst %changelog +* Wed Nov 6 2024 Xulin Gao - 1.26.18-3 +- fix CVE-2024-37891 + * Mon Mar 11 2024 Zhao Hang - 1.26.18-2 - Rebuild with python3.11