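--- a/SPECS/python-urllib3/CVE-2026-21441.patch
+++ b/SPECS/python-urllib3/CVE-2026-21441.patch
@@ -0,0 +1,89 @@
+From 8864ac407bba8607950025e0979c4c69bc7abc7b Mon Sep 17 00:00:00 2001
+From: Illia Volochii <[email protected]>
+Date: Wed, 7 Jan 2026 18:07:30 +0200
+Subject: [PATCH] Merge commit from fork
+
+* Stop decoding response content during redirects needlessly
+
+* Rename the new query parameter
+
+* Add a changelog entry
+
+Upstream patch Reference: https://github.com/urllib3/urllib3/commit/8864ac407bba8607950025e0979c4c69bc7abc7b.patch
+---
+dummyserver/handlers.py | 9 ++++++++-
+src/urllib3/response.py | 6 +++++-
+test/with_dummyserver/test_connectionpool.py | 19 +++++++++++++++++++
+3 files changed, 32 insertions(+), 2 deletions(-)
+
+diff --git a/dummyserver/handlers.py b/dummyserver/handlers.py
+index 86201a1..2bef080 100644
+--- a/dummyserver/handlers.py
++++ b/dummyserver/handlers.py
+@@ -205,8 +205,15 @@ class TestingApp(RequestHandler):
+if len(status) == 3:
+status = f"{status} Redirect"
+
++ compressed = params.get("compressed") == b"true"
++
+headers = [("Location", target)]
+- return Response(status=status, headers=headers)
++ if compressed:
++ headers.append(("Content-Encoding", "gzip"))
++ data = gzip.compress(b"foo")
++ else:
++ data = b""
++ return Response(body=data, status=status, headers=headers)
+
+def not_found(self, request: httputil.HTTPServerRequest) -> Response:
+return Response("Not found", status="404 Not Found")
+diff --git a/src/urllib3/response.py b/src/urllib3/response.py
+index a06ecfb..6ddcbd6 100644
+--- a/src/urllib3/response.py
++++ b/src/urllib3/response.py
+@@ -773,7 +773,11 @@ class HTTPResponse(BaseHTTPResponse):
+Unread data in the HTTPResponse connection blocks the connection from being released back to the pool.
+"""
+try:
+- self.read()
++ self.read(
++ # Do not spend resources decoding the content unless
++ # decoding has already been initiated.
++ decode_content=self._has_decoded_content,
++ )
+except (HTTPError, OSError, BaseSSLError, HTTPException):
+pass
+
+diff --git a/test/with_dummyserver/test_connectionpool.py b/test/with_dummyserver/test_connectionpool.py
+index ebfaf38..4f82136 100644
+--- a/test/with_dummyserver/test_connectionpool.py
++++ b/test/with_dummyserver/test_connectionpool.py
+@@ -480,6 +480,25 @@ class TestConnectionPool(HTTPDummyServerTestCase):
+assert r.status == 200
+assert r.data == b"Dummy server!"
+
++ @mock.patch("urllib3.response.GzipDecoder.decompress")
++ def test_no_decoding_with_redirect_when_preload_disabled(
++ self, gzip_decompress: mock.MagicMock
++ ) -> None:
++ """
++ Test that urllib3 does not attempt to decode a gzipped redirect
++ response when `preload_content` is set to `False`.
++ """
++ with HTTPConnectionPool(self.host, self.port) as pool:
++ # Three requests are expected: two redirects and one final / 200 OK.
++ response = pool.request(
++ "GET",
++ "/redirect",
++ fields={"target": "/redirect?compressed=true", "compressed": "true"},
++ preload_content=False,
++ )
++ assert response.status == 200
++ gzip_decompress.assert_not_called()
++
+def test_303_redirect_makes_request_lose_body(self) -> None:
+with HTTPConnectionPool(self.host, self.port) as pool:
+response = pool.request(
+--
+2.43.0
+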
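Review bot: The new comment above `decode_content=self._has_decoded_content` in `drain_conn` explains the cost motivation but not why the flag must be honored, which is the non-obvious part: in urllib3 2.x, as I recall, calling `read(decode_content=False)` after a decoding read raises `RuntimeError`, and that type is not in the `except (HTTPError, OSError, BaseSSLError, HTTPException)` tuple directly below, so passing a plain `False` here would let the error escape the best-effort drain. I would extend the comment to `# Skip decoding unless it has already started; read(decode_content=False) after a decoding read raises RuntimeError, which the except below does not catch.` Note also that `read()` is still called without `amt`, so the raw (undecoded) body is buffered in full while draining; the change bounds decompression work, not the bytes the peer sends, which looks acceptable for the CVE but is worth stating in the `drain_conn` docstring, whose start lies outside the hunk. Since this is an upstream commit backported onto 2.0.7, confirm that `_has_decoded_content` and `urllib3.response.GzipDecoder.decompress` (the mock target of the new test) exist under those names in that version.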
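--- a/SPECS/python-urllib3/python-urllib3.spec
+++ b/SPECS/python-urllib3/python-urllib3.spec
@@ -1,7 +1,7 @@
 Summary: A powerful, sanity-friendly HTTP client for Python.
 Name: python-urllib3
 Version: 2.0.7
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: MIT
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -15,6 +15,7 @@ Patch2: CVE-2024-37891.patch
 Patch3: CVE-2025-50181.patch
 Patch4: CVE-2025-66418.patch
 Patch5: CVE-2025-66471.patch
+Patch6: CVE-2026-21441.patch
 
 %description
 A powerful, sanity-friendly HTTP client for Python.
@@ -86,6 +87,9 @@ skiplist+=" or test_respect_retry_after_header_sleep"
 %{python3_sitelib}/*
 
 %changelog
+* Fri Jan 09 2026 Azure Linux Security Servicing Account <[email protected]> - 2.0.7-4
+- Patch for CVE-2026-21441
+
 * Wed Dec 10 2025 Azure Linux Security Servicing Account <[email protected]> - 2.0.7-3
 - Patch for CVE-2025-66418, CVE-2025-66471
 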