Hello community,
here is the log from the commit of package python-urllib3_1 for
openSUSE:Factory checked in at 2026-05-21 18:24:30
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-urllib3_1 (Old)
and /work/SRC/openSUSE:Factory/.python-urllib3_1.new.2084 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-urllib3_1"
Thu May 21 18:24:30 2026 rev:14 rq:1353971 version:1.26.20
Changes:
--------
--- /work/SRC/openSUSE:Factory/python-urllib3_1/python-urllib3_1.changes
2026-01-26 10:44:47.625927800 +0100
+++
/work/SRC/openSUSE:Factory/.python-urllib3_1.new.2084/python-urllib3_1.changes
2026-05-21 18:24:33.923726152 +0200
@@ -1,0 +2,8 @@
+Tue May 19 08:39:33 UTC 2026 - Daniel Garcia <[email protected]>
+
+- CVE-2026-44431: sensitive information disclosure due to sensitive
+ headers being forwarded across origins in proxied low-level redirects
+ (bsc#1265267)
+ Add patch CVE-2026-44431.patch
+
+-------------------------------------------------------------------
New:
----
CVE-2026-44431.patch
----------(New B)----------
New: (bsc#1265267)
Add patch CVE-2026-44431.patch
----------(New E)----------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ python-urllib3_1.spec ++++++
--- /var/tmp/diff_new_pack.OUHoe7/_old 2026-05-21 18:24:36.839845852 +0200
+++ /var/tmp/diff_new_pack.OUHoe7/_new 2026-05-21 18:24:36.843846016 +0200
@@ -46,6 +46,8 @@
Patch4: CVE-2025-66418.patch
# PATCH-FIX-UPSTREAM CVE-2026-21441.patch bsc#1256331
gh#urllib3/urllib3@8864ac4
Patch5: CVE-2026-21441.patch
+# PATCH-FIX-UPSTREAM CVE-2026-44431.patch bsc#1265267
+Patch6: CVE-2026-44431.patch
BuildRequires: %{python_module base >= 3.7}
BuildRequires: %{python_module pip}
BuildRequires: %{python_module setuptools}
++++++ CVE-2026-44431.patch ++++++
>From 5ec0de499b9166ca71c65ab04f2a7e4eb0d66fcc Mon Sep 17 00:00:00 2001
From: Illia Volochii <[email protected]>
Date: Thu, 7 May 2026 18:40:31 +0300
Subject: [PATCH] Merge commit from fork
* Remove sensitive headers in proxy pools too
* Add a changelog entry
* Check retries history in tests
Co-authored-by: Copilot <[email protected]>
---------
Co-authored-by: Copilot <[email protected]>
---
dummyserver/asgi_proxy.py | 1 +
src/urllib3/connectionpool.py | 12 ++++
.../test_proxy_poolmanager.py | 72 +++++++++++++++++++
4 files changed, 88 insertions(+)
create mode 100644 changelog/GHSA-qccp-gfcp-xxvc.bugfix.rst
Index: urllib3-1.26.20/src/urllib3/connectionpool.py
===================================================================
--- urllib3-1.26.20.orig/src/urllib3/connectionpool.py
+++ urllib3-1.26.20/src/urllib3/connectionpool.py
@@ -853,6 +853,18 @@ class HTTPConnectionPool(ConnectionPool,
body = None
headers = HTTPHeaderDict(headers)._prepare_for_method_change()
+ # Strip headers marked as unsafe to forward to the redirected
location.
+ # Check remove_headers_on_redirect to avoid a potential network
call within
+ # self.is_same_host() which may use socket.gethostbyname() in the
future.
+ if retries.remove_headers_on_redirect and not self.is_same_host(
+ redirect_location
+ ):
+ new_headers = headers.copy() # type: ignore[union-attr]
+ for header in headers:
+ if header.lower() in retries.remove_headers_on_redirect:
+ new_headers.pop(header, None)
+ headers = new_headers
+
try:
retries = retries.increment(method, url, response=response,
_pool=self)
except MaxRetryError:
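Review bot: The membership test `header.lower() in retries.remove_headers_on_redirect` is only correct if that collection holds lower-cased names; in 1.26 `Retry.__init__` appears to normalize what it is given, but nothing in this hunk records that, so a one-line comment such as `# remove_headers_on_redirect is lower-cased by Retry.__init__` would make the contract visible where it is relied on. The `# type: ignore[union-attr]` on the `headers.copy()` line is carried over from the typed 2.x source and, as far as I can tell, has no checker to satisfy in the 1.26 tree, so it can be dropped. It would also help to say why a copy is taken rather than popping in place: `headers` may be the pool's own default dict at this point, and mutating it would alter every later request on this pool. The enclosing urlopen body starts and ends outside the hunk.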
Index: urllib3-1.26.20/test/with_dummyserver/test_proxy_poolmanager.py
===================================================================
--- urllib3-1.26.20.orig/test/with_dummyserver/test_proxy_poolmanager.py
+++ urllib3-1.26.20/test/with_dummyserver/test_proxy_poolmanager.py
@@ -21,6 +21,7 @@ import trustme
from dummyserver.server import DEFAULT_CA, HAS_IPV6, get_unreachable_address
from dummyserver.testcase import HTTPDummyProxyTestCase,
IPv6HTTPDummyProxyTestCase
from urllib3._collections import HTTPHeaderDict
+from urllib3.util.retry import RequestHistory
from urllib3.connectionpool import VerifiedHTTPSConnection, connection_from_url
from urllib3.exceptions import (
ConnectTimeoutError,
@@ -277,6 +278,77 @@ class TestHTTPProxyManager(HTTPDummyProx
)
assert r._pool.host != self.http_host_alt
+ _sensitive_headers = {
+ "Authorization": "foo",
+ "Proxy-Authorization": "bar",
+ "Cookie": "foo=bar",
+ }
+
+ @pytest.mark.parametrize(
+ "sensitive_headers",
+ (_sensitive_headers, {k.lower(): v for k, v in
_sensitive_headers.items()}),
+ ids=("capitalized", "lowercase"),
+ )
+ def test_cross_host_redirect_remove_headers_via_proxy_manager(
+ self, sensitive_headers: dict[str, str]
+ ) -> None:
+ headers_url = f"{self.http_url_alt}/headers"
+ initial_url = f"{self.http_url}/redirect?target={headers_url}"
+ with proxy_from_url(self.proxy_url) as proxy_mgr:
+ r = proxy_mgr.request(
+ "GET", initial_url, headers=sensitive_headers, retries=1
+ )
+ assert r.status == 200
+ assert r.retries is not None
+ assert r.retries.history == (
+ RequestHistory(
+ method="GET",
+ url=initial_url,
+ error=None,
+ status=303,
+ redirect_location=headers_url,
+ ),
+ )
+ data = r.json()
+ for header in sensitive_headers:
+ assert header not in data
+
+ @pytest.mark.parametrize(
+ "sensitive_headers",
+ (_sensitive_headers, {k.lower(): v for k, v in
_sensitive_headers.items()}),
+ ids=("capitalized", "lowercase"),
+ )
+ def test_cross_host_redirect_remove_headers_via_pool(
+ self, sensitive_headers: dict[str, str]
+ ) -> None:
+ headers_url = f"{self.http_url_alt}/headers"
+ initial_url = f"{self.http_url}/redirect?target={headers_url}"
+ with proxy_from_url(self.proxy_url) as proxy_mgr:
+ pool = proxy_mgr.connection_from_url(self.http_url)
+ r = pool.urlopen(
+ "GET",
+ initial_url,
+ headers=sensitive_headers,
+ retries=1,
+ redirect=True,
+ assert_same_host=False,
+ preload_content=True,
+ )
+ assert r.status == 200
+ assert r.retries is not None
+ assert r.retries.history == (
+ RequestHistory(
+ method="GET",
+ url=initial_url,
+ error=None,
+ status=303,
+ redirect_location=headers_url,
+ ),
+ )
+ data = r.json()
+ for header in sensitive_headers:
+ assert header not in data
+
def test_cross_protocol_redirect(self):
with proxy_from_url(self.proxy_url, ca_certs=DEFAULT_CA) as http:
cross_protocol_location = "%s/echo?a=b" % self.https_url
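Review bot: Both new tests assert only absence, so as far as the hunk shows they would also pass if the redirected request carried no headers at all or if the echo endpoint keyed them differently from what was sent (in the lowercase parametrization `"authorization" not in data` holds whether or not the server echoes `Authorization`). Sending one benign, made-up header alongside, e.g. `{"X-Keep": "1", **sensitive_headers}`, and asserting it does appear in `data` would give each test a positive control that the stripping is selective rather than the request being empty. The two tests also duplicate the whole response-checking body and differ only in how the request is issued, so a small helper taking the response and the expected history would keep them in step. The enclosing test class starts outside the hunk.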