packages/python-pip
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2023-43804

Browse Source
This commit is contained in:
y00574793 2024-06-19 20:08:14 +08:00
parent 274dbbd825
commit 1fd3297a6a
2 changed files with 33 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
backport-CVE-2023-43804-added-the-Cookie-to-the-list-of-headers.patch Normal file
View File

@ -0,0 +1,28 @@
From 01220354d389cd05474713f8c982d05c9b17aafb Mon Sep 17 00:00:00 2001
From: Seth Michael Larson <sethmichaellarson@gmail.com>
Date: Mon, 2 Oct 2023 11:43:46 -0500
Subject: [PATCH] Backport GHSA-v845-jxx5-vc9f (#3139)
Co-authored-by: Quentin Pradet <quentin.pradet@gmail.com>
Co-authored-by: Illia Volochii <illia.volochii@gmail.com>
Conflict:NA
Reference:https://github.com/urllib3/urllib3/commit/01220354d389cd05474713f8c982d05c9b17aafb
---
src/pip/_vendor/urllib3/util/retry.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/pip/_vendor/urllib3/util/retry.py b/src/pip/_vendor/urllib3/util/retry.py
index c7dc42f..c7c0427 100644
--- a/src/pip/_vendor/urllib3/util/retry.py
+++ b/src/pip/_vendor/urllib3/util/retry.py
@@ -217,7 +217,7 @@ class Retry(object):
RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
#: Default headers to be used for ``remove_headers_on_redirect``
- DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Authorization"])
+ DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
#: Maximum backoff time.
BACKOFF_MAX = 120

6
python-pip.spec
View File

@ -6,7 +6,7 @@ pip is the package installer for Python. You can use pip to install packages fro
%global bashcompdir %(b=$(pkg-config --variable=completionsdir bash-completion 2>/dev/null); echo ${b:-%{_sysconfdir}/bash_completion.d}) %global bashcompdir %(b=$(pkg-config --variable=completionsdir bash-completion 2>/dev/null); echo ${b:-%{_sysconfdir}/bash_completion.d})
Name: python-%{srcname} Name: python-%{srcname}
Version: 21.3.1 Version: 21.3.1
Release: 6 Release: 7
Summary: A tool for installing and managing Python packages Summary: A tool for installing and managing Python packages
License: MIT and Python and ASL 2.0 and BSD and ISC and LGPLv2 and MPLv2.0 and (ASL 2.0 or BSD) License: MIT and Python and ASL 2.0 and BSD and ISC and LGPLv2 and MPLv2.0 and (ASL 2.0 or BSD)
URL: http://www.pip-installer.org URL: http://www.pip-installer.org
@ -23,6 +23,7 @@ Patch6003: backport-0002-CVE-2024-3651.patch
Patch6004: backport-0003-CVE-2024-3651.patch Patch6004: backport-0003-CVE-2024-3651.patch
Patch6005: backport-0004-CVE-2024-3651.patch Patch6005: backport-0004-CVE-2024-3651.patch
Patch6006: backport-0005-CVE-2024-3651.patch Patch6006: backport-0005-CVE-2024-3651.patch
Patch6007: backport-CVE-2023-43804-added-the-Cookie-to-the-list-of-headers.patch
Source10: pip-allow-older-versions.patch Source10: pip-allow-older-versions.patch
@ -132,6 +133,9 @@ install -D -m0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/pip.conf
%{python_wheeldir}/%{python_wheelname} %{python_wheeldir}/%{python_wheelname}
%changelog %changelog
* Wed Jun 19 2024 yangyuan <yangyuan32@huawei.com> - 21.3.1-7
- fix CVE-2023-43804
* Wed Jun 19 2024 yangyuan <yangyuan32@huawei.com> - 21.3.1-6 * Wed Jun 19 2024 yangyuan <yangyuan32@huawei.com> - 21.3.1-6
- fix CVE-2024-3651 - fix CVE-2024-3651