CVE-2024-37891 - urllib3 in pulpcore repository

Would it be possible to get a version of urllib3 distributed with pulpcore that has a fix for CVE-2024-37891?

https://access.redhat.com/security/cve/CVE-2024-37891

Problem:
python3.11-urllib3-1.26.18-3.el9.noarch.rpm is being flagged as affected by CVE-2024-37891

Expected outcome:
Provide fixed version python3.11-urllib3-1.26.19

Foreman and Proxy versions:
Foreman 3.12 / Pulpcore 3.49

Foreman and Proxy plugin versions:
N/A

Distribution and version:
RHEL9

Other relevant data:

In Nightly there is already urllib3 2.2.3, so it perhaps only needs a backport to the supported versions. If this is not compatible, there is 1.26.20 which could be built instead. @Odilhao can you have a look please?
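
A small version check for the builds named in this report, added here as an example; it is not part of the original post, of pulpcore or of the Foreman packaging. It assumes the fix boundaries of the upstream advisory (1.26.19 on the 1.26.x line, 2.2.2 on the 2.x line, so 2.2.3 and 1.26.20 are both fixed) and that the RPM string carries the upstream version as the second-to-last hyphen-separated field, as in `python3.11-urllib3-1.26.18-3.el9.noarch.rpm`. The `installed_status` helper is a hypothetical name used only here.

```python
"""Check whether a urllib3 build falls inside the range affected by
CVE-2024-37891.

Added example, not code from the pulpcore or Foreman projects.
Assumptions (stated, not taken from the report): the fix landed in
1.26.19 for the 1.26.x line and in 2.2.2 for the 2.x line.
"""
import re
import importlib.metadata
from typing import Optional, Tuple

# Constructed sample: the package name flagged in the report.
SAMPLE_RPM = "python3.11-urllib3-1.26.18-3.el9.noarch.rpm"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.26.18' into (1, 26, 18); stops at the first non-numeric field."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(parts)


def version_from_rpm(nvra: str) -> str:
    """Extract the upstream version from an RPM name-version-release string.

    'python3.11-urllib3-1.26.18-3.el9.noarch.rpm' -> '1.26.18'
    """
    # Drop the architecture and optional .rpm suffix, then split off the
    # release and version fields from the right; the package name itself
    # may contain hyphens and dots (python3.11-urllib3).
    base = re.sub(r"\.(noarch|x86_64|aarch64|ppc64le|s390x)(\.rpm)?$", "", nvra)
    fields = base.rsplit("-", 2)
    if len(fields) != 3:
        raise ValueError(f"not a name-version-release string: {nvra!r}")
    return fields[1]


def is_affected(version: str) -> bool:
    """True if this urllib3 version predates the fix for its release series.

    Affected ranges (assumption from the upstream advisory):
      < 1.26.19           on the 1.x line
      >= 2.0.0, < 2.2.2   on the 2.x line
    """
    v = parse_version(version)
    if v < (1, 26, 19):
        return True
    if (2, 0, 0) <= v < (2, 2, 2):
        return True
    return False


def installed_status() -> Optional[Tuple[str, bool]]:
    """Report the urllib3 the running interpreter would import, if any.

    Returns (version, affected) or None when urllib3 is not installed.
    Hypothetical helper name; useful for checking the interpreter that
    actually serves pulpcore rather than the RPM database alone.
    """
    try:
        ver = importlib.metadata.version("urllib3")
    except importlib.metadata.PackageNotFoundError:
        return None
    return ver, is_affected(ver)


if __name__ == "__main__":
    rpm_ver = version_from_rpm(SAMPLE_RPM)
    print(f"{SAMPLE_RPM}: version {rpm_ver}, affected={is_affected(rpm_ver)}")
    for candidate in ("1.26.19", "1.26.20", "2.2.3"):
        print(f"{candidate}: affected={is_affected(candidate)}")
    print("interpreter:", installed_status())
```

Run it on the pulpcore host with the same interpreter pulpcore uses (the `python3.11` prefix in the RPM name matters: a fixed system `python3-urllib3` does not help if pulpcore imports the `python3.11-` build).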

@Odilhao Can you provide any input about what is going to happen to that urllib3 package in pulpcore 3.49, please?

Just as a follow-up: version 2.2.3 was merged to GitHub on 17.10. and the package was released later on the same day.
