Fix CVE-2023-43804

2024-06-26 09:46:16 +08:00 · 2024-06-26 09:46:16 +08:00 · 416ee760e4
commit 416ee760e4
parent c8768ff000
2 changed files with 36 additions and 1 deletions
--- a/backport-CVE-2023-43804-added-the-Cookie-to-the-list-of-headers.patch
+++ b/backport-CVE-2023-43804-added-the-Cookie-to-the-list-of-headers.patch
@ -0,0 +1,31 @@
+From 01220354d389cd05474713f8c982d05c9b17aafb Mon Sep 17 00:00:00 2001
+From: Seth Michael Larson <sethmichaellarson@gmail.com>
+Date: Mon, 2 Oct 2023 11:43:46 -0500
+Subject: [PATCH] Backport GHSA-v845-jxx5-vc9f (#3139)
+
+Co-authored-by: Quentin Pradet <quentin.pradet@gmail.com>
+Co-authored-by: Illia Volochii <illia.volochii@gmail.com>
+
+Conflict:Files test_retry.py,test_retry_deprecated.py ,and test_poolmaner.py do not exit.Therefore,no test case is involved.
+Reference:https://github.com/urllib3/urllib3/commit/01220354d389cd05474713f8c982d05c9b17aafb
+
+---
+ src/pip/_vendor/urllib3/util/retry.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/pip/_vendor/urllib3/util/retry.py b/src/pip/_vendor/urllib3/util/retry.py
+index ee30c91..545e876 100644
+--- a/src/pip/_vendor/urllib3/util/retry.py
+++ b/src/pip/_vendor/urllib3/util/retry.py
+@@ -154,7 +154,7 @@ class Retry(object):
+ 
+     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
+ 
+-    DEFAULT_REDIRECT_HEADERS_BLACKLIST = frozenset(["Authorization"])
+    DEFAULT_REDIRECT_HEADERS_BLACKLIST = frozenset(["Cookie","Authorization"])
+ 
+     #: Maximum backoff time.
+     BACKOFF_MAX = 120
+-- 
+2.33.0
+
--- a/python-pip.spec
+++ b/python-pip.spec
@ -7,7 +7,7 @@ pip is the package installer for Python. You can use pip to install packages fro
 %global bashcompdir %(b=$(pkg-config --variable=completionsdir bash-completion 2>/dev/null); echo ${b:-%{_sysconfdir}/bash_completion.d})
 Name:           python-%{srcname}
 Version:        20.2.2
-Release:        7
+Release:        8
 Summary:        A tool for installing and managing Python packages
 License:        MIT and Python and ASL 2.0 and BSD and ISC and LGPLv2 and MPLv2.0 and (ASL 2.0 or BSD)
 URL:            http://www.pip-installer.org
@ -21,6 +21,7 @@ Patch6001:      backport-CVE-2021-3572.patch
 Patch6002:      backport-CVE-2021-33503.patch
 Patch6003:      backport-CVE-2020-14422.patch
 Patch6004:      backport-fix-vulnerable-regex.patch
+Patch6005:      backport-CVE-2023-43804-added-the-Cookie-to-the-list-of-headers.patch

 Source1:	pip-allow-older-versions.patch

@ -158,6 +159,9 @@ install -p dist/%{python_wheelname} -t %{buildroot}%{python_wheeldir}
 %{python_wheeldir}/%{python_wheelname}

 %changelog
+* Wed Jun 26 2024 zhangruifang <zhangruifang@h-partners.com> - 20.2.2-8
+- Fix CVE-2023-43804
+
 * Wed Dec 13 2023 yanglongkang <yanglongkang@h-partners.com> - 20.2.2-7
 - Fix vulnerable regex