From 9ff8fb8300f4a1c8f6acac1daef16a507de2aa05 Mon Sep 17 00:00:00 2001
From: Azure Linux Security Servicing Account
Date: Tue, 19 May 2026 10:00:23 +0530
Subject: [PATCH] [AutoPR- Security] Patch python-urllib3 for CVE-2026-44431 [HIGH] (#17258)

(cherry picked from commit d190b9993d97176a77e74447150f808bca55012a)
---
 SPECS/python-urllib3/CVE-2026-44431.patch | 38 +++++++++++++++++++++++
 SPECS/python-urllib3/python-urllib3.spec | 6 +++-
 2 files changed, 43 insertions(+), 1 deletion(-)
 create mode 100644 SPECS/python-urllib3/CVE-2026-44431.patch

diff --git a/SPECS/python-urllib3/CVE-2026-44431.patch b/SPECS/python-urllib3/CVE-2026-44431.patch
new file mode 100644
index 00000000000..e66fceae055
--- /dev/null
+++ b/SPECS/python-urllib3/CVE-2026-44431.patch
@@ -0,0 +1,38 @@
+From 06a21d526f844601f99cf549cf8e670506243aff Mon Sep 17 00:00:00 2001
+From: AllSpark
+Date: Fri, 15 May 2026 15:53:36 +0000
+Subject: [PATCH] Backport: Strip sensitive headers on cross-host redirects for
+ ProxyManager pools; add changelog entry
+
+Signed-off-by: Azure Linux Security Servicing Account
+Upstream-reference: AI Backport of https://github.com/urllib3/urllib3/commit/5ec0de499b9166ca71c65ab04f2a7e4eb0d66fcc.patch
+---
+ src/urllib3/connectionpool.py | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/src/urllib3/connectionpool.py b/src/urllib3/connectionpool.py
+index c6ca390..c946c7b 100644
+--- a/src/urllib3/connectionpool.py
++++ b/src/urllib3/connectionpool.py
+@@ -900,6 +900,18 @@ class HTTPConnectionPool(ConnectionPool, RequestMethods):
+ body = None
+ headers = HTTPHeaderDict(headers)._prepare_for_method_change()
+
++ # Strip headers marked as unsafe to forward to the redirected location.
++ # Check remove_headers_on_redirect to avoid a potential network call within
++ # self.is_same_host() which may use socket.gethostbyname() in the future.
++ if retries.remove_headers_on_redirect and not self.is_same_host(
++ redirect_location
++ ):
++ new_headers = headers.copy() # type: ignore[union-attr]
++ for header in headers:
++ if header.lower() in retries.remove_headers_on_redirect:
++ new_headers.pop(header, None)
++ headers = new_headers
++
+ try:
+ retries = retries.increment(method, url, response=response, _pool=self)
+ except MaxRetryError:
+--
+2.45.4
+
diff --git a/SPECS/python-urllib3/python-urllib3.spec b/SPECS/python-urllib3/python-urllib3.spec
index 25331f6cbdd..b3c678feb72 100644
--- a/SPECS/python-urllib3/python-urllib3.spec
+++ b/SPECS/python-urllib3/python-urllib3.spec
@@ -1,7 +1,7 @@
 Summary: A powerful, sanity-friendly HTTP client for Python.
 Name: python-urllib3
 Version: 2.0.7
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: MIT
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
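Review bot: The nesting depth of the new strip block cannot be confirmed from this rendering, because the hunk's indentation was lost when its lines were collapsed; the two context lines directly above it (`body = None` and `headers = HTTPHeaderDict(headers)._prepare_for_method_change()`) belong to the 303-only branch in upstream 2.0.7, so the `if retries.remove_headers_on_redirect and not self.is_same_host(` block must sit one level up, at the same depth as the following `try:`, or non-303 cross-host redirects would still forward the headers listed in `retries.remove_headers_on_redirect`. The `Upstream-reference` trailer marks this as an AI backport and the patch carries no test, while the spec's `%check` appears to drive pytest through a skiplist; a regression test asserting that those headers are absent from the redirected request issued by a ProxyManager-backed pool would pin the fix, and a short `# Same-host redirects keep their headers; only cross-host targets are stripped.` comment above the `if` would spare the next reader a re-derivation. The enclosing `urlopen` method starts and ends outside the hunk.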
@@ -16,6 +16,7 @@ Patch3: CVE-2025-50181.patch Patch4: CVE-2025-66418.patch Patch5: CVE-2025-66471.patch Patch6: CVE-2026-21441.patch +Patch7: CVE-2026-44431.patch %description A powerful, sanity-friendly HTTP client for Python. @@ -87,6 +88,9 @@ skiplist+=" or test_respect_retry_after_header_sleep" %{python3_sitelib}/* %changelog +* Fri May 15 2026 Azure Linux Security Servicing Account - 2.0.7-5 +- Patch for CVE-2026-44431 + * Fri Jan 09 2026 Azure Linux Security Servicing Account - 2.0.7-4 - Patch for CVE-2026-21441