diff --git a/1.26.18.tar.gz b/1.26.18.tar.gz deleted file mode 100644 index 61208b3126ab5c336c508da53aef0b3f3bafe5fb..0000000000000000000000000000000000000000 Binary files a/1.26.18.tar.gz and /dev/null differ diff --git a/1.26.19.tar.gz b/1.26.19.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..265fcd71cb8d5b2ae7fe90d19714dc71fb4bd950 Binary files /dev/null and b/1.26.19.tar.gz differ diff --git a/backport-CVE-2024-37891-Strip-Proxy-Authorization-header-on-redirects.patch b/backport-CVE-2024-37891-Strip-Proxy-Authorization-header-on-redirects.patch deleted file mode 100644 index dd9c8f32cc2921503b3fa168b55af638568f2ab6..0000000000000000000000000000000000000000 --- a/backport-CVE-2024-37891-Strip-Proxy-Authorization-header-on-redirects.patch +++ /dev/null @@ -1,72 +0,0 @@ -From accff72ecc2f6cf5a76d9570198a93ac7c90270e Mon Sep 17 00:00:00 2001 -From: Quentin Pradet -Date: Mon, 17 Jun 2024 11:09:06 +0400 -Subject: [PATCH] Merge pull request from GHSA-34jh-p97f-mpxf - -* Strip Proxy-Authorization header on redirects - -* Fix test_retry_default_remove_headers_on_redirect - -* Set release date - -Conflict:test/with_dummyserver/test_poolmanager.py hsa not been modified -because it has been deleted in the pre-phase of the spec file -Reference:https://github.com/urllib3/urllib3/commit/accff72ecc2f6cf5a76d9570198a93ac7c90270e - ---- - CHANGES.rst | 5 +++++ - src/urllib3/util/retry.py | 4 +++- - test/test_retry.py | 6 +++++- - 3 files changed, 13 insertions(+), 2 deletions(-) - -diff --git a/CHANGES.rst b/CHANGES.rst -index 3a0a4f0..eba0814 100644 ---- a/CHANGES.rst -+++ b/CHANGES.rst -@@ -1,6 +1,11 @@ - Changes - ======= - -+2.2.2 (2024-06-17) -+================== -+ -+- Added the ``Proxy-Authorization`` header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via ``Retry.remove_headers_on_redirect``. -+ - 1.26.18 (2023-10-17) - -------------------- - -diff --git a/src/urllib3/util/retry.py b/src/urllib3/util/retry.py -index 60ef6c4..9a1e90d 100644 ---- a/src/urllib3/util/retry.py -+++ b/src/urllib3/util/retry.py -@@ -235,7 +235,9 @@ class Retry(object): - RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503]) - - #: Default headers to be used for ``remove_headers_on_redirect`` -- DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"]) -+ DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset( -+ ["Cookie", "Authorization", "Proxy-Authorization"] -+ ) - - #: Maximum backoff time. - DEFAULT_BACKOFF_MAX = 120 -diff --git a/test/test_retry.py b/test/test_retry.py -index 6475f2a..a0463e4 100644 ---- a/test/test_retry.py -+++ b/test/test_retry.py -@@ -296,7 +296,11 @@ class TestRetry(object): - def test_retry_default_remove_headers_on_redirect(self): - retry = Retry() - -- assert retry.remove_headers_on_redirect == {"authorization", "cookie"} -+ assert retry.remove_headers_on_redirect == { -+ "authorization", -+ "proxy-authorization", -+ "cookie", -+ } - - def test_retry_set_remove_headers_on_redirect(self): - retry = Retry(remove_headers_on_redirect=["X-API-Secret"]) --- -2.33.0 - diff --git a/python-urllib3.spec b/python-urllib3.spec index 51d96ce184985cfa85e55c4ff34aa85bb853f2d8..75c6ae428d472e580fa6b32b645a2873df3a3d4a 100644 --- a/python-urllib3.spec +++ b/python-urllib3.spec @@ -2,8 +2,8 @@ %bcond_without tests Name: python-%{srcname} -Version: 1.26.18 -Release: 2 +Version: 1.26.19 +Release: 1 Summary: Sanity-friendly HTTP client for Python License: MIT URL: https://urllib3.readthedocs.io @@ -12,8 +12,6 @@ Source1: ssl_match_hostname_py3.py Patch0001: remove_mock.patch -Patch6000: backport-CVE-2024-37891-Strip-Proxy-Authorization-header-on-redirects.patch - BuildArch: noarch %description @@ -78,6 +76,12 @@ PYTHONPATH=%{buildroot}%{python3_sitelib}:%{python3_sitelib} %{__python3} -m pyt %{python3_sitelib}/urllib3-*.egg-info %changelog +* Fri Jul 19 2024 liweigang - 1.26.19-1 +- Type: enhancement +- ID: NA +- SUG: NA +- DESC: update python-urllib3 to version 1.26.19 + * Tue Jun 25 2024 chengyechun - 1.26.18-2 - Type:CVE - CVE:CVE-2024-37891