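--- a/SPECS/python-urllib3/CVE-2026-44431.patch
+++ b/SPECS/python-urllib3/CVE-2026-44431.patch
@@ -0,0 +1,38 @@
+From 06a21d526f844601f99cf549cf8e670506243aff Mon Sep 17 00:00:00 2001
+From: AllSpark <allspark@microsoft.com>
+Date: Fri, 15 May 2026 15:53:36 +0000
+Subject: [PATCH] Backport: Strip sensitive headers on cross-host redirects for
+ProxyManager pools; add changelog entry
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: AI Backport of https://github.com/urllib3/urllib3/commit/5ec0de499b9166ca71c65ab04f2a7e4eb0d66fcc.patch
+---
+src/urllib3/connectionpool.py | 12 ++++++++++++
+1 file changed, 12 insertions(+)
+
+diff --git a/src/urllib3/connectionpool.py b/src/urllib3/connectionpool.py
+index c6ca390..c946c7b 100644
+--- a/src/urllib3/connectionpool.py
++++ b/src/urllib3/connectionpool.py
+@@ -900,6 +900,18 @@ class HTTPConnectionPool(ConnectionPool, RequestMethods):
+body = None
+headers = HTTPHeaderDict(headers)._prepare_for_method_change()
+
++ # Strip headers marked as unsafe to forward to the redirected location.
++ # Check remove_headers_on_redirect to avoid a potential network call within
++ # self.is_same_host() which may use socket.gethostbyname() in the future.
++ if retries.remove_headers_on_redirect and not self.is_same_host(
++ redirect_location
++ ):
++ new_headers = headers.copy() # type: ignore[union-attr]
++ for header in headers:
++ if header.lower() in retries.remove_headers_on_redirect:
++ new_headers.pop(header, None)
++ headers = new_headers
++
+try:
+retries = retries.increment(method, url, response=response, _pool=self)
+except MaxRetryError:
+--
+2.45.4
+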
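Review bot: The nesting level of the new stripping block (the `if retries.remove_headers_on_redirect and not self.is_same_host(...)` lines in the inner `@@ -900,6 +900,18 @@` hunk) cannot be confirmed from this view, because the rendered page has dropped every line's indentation; the two context lines above it (`body = None`, `headers = HTTPHeaderDict(headers)._prepare_for_method_change()`) sit, as far as I recall urllib3 2.0.x, inside a `response.status == 303` branch, while the `try:` below them is one level out. If the block was applied inside that 303 branch, sensitive headers would be stripped only on 303 redirects and the backport would not cover 301/302/307/308 responses, so the indentation in the committed patch file should be checked against the upstream commit before this ships. The backport also carries only the source change (`1 file changed, 12 insertions(+)`), so nothing in the package's `%check` exercises the cross-host path; a test asserting that a `Cookie`/`Authorization` header is absent from the follow-up request after a cross-host redirect handled by a pool would pin the behaviour. The enclosing method begins and ends outside the hunk.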
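--- a/SPECS/python-urllib3/python-urllib3.spec
+++ b/SPECS/python-urllib3/python-urllib3.spec
@@ -1,7 +1,7 @@
 Summary: A powerful, sanity-friendly HTTP client for Python.
 Name: python-urllib3
 Version: 2.0.7
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: MIT
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -16,6 +16,7 @@ Patch3: CVE-2025-50181.patch
 Patch4: CVE-2025-66418.patch
 Patch5: CVE-2025-66471.patch
 Patch6: CVE-2026-21441.patch
+Patch7: CVE-2026-44431.patch
 
 %description
 A powerful, sanity-friendly HTTP client for Python.
@@ -87,6 +88,9 @@ skiplist+=" or test_respect_retry_after_header_sleep"
 %{python3_sitelib}/*
 
 %changelog
+* Fri May 15 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 2.0.7-5
+- Patch for CVE-2026-44431
+
 * Fri Jan 09 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 2.0.7-4
 - Patch for CVE-2026-21441
 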