[AutoPR- Security] Patch python-urllib3 for CVE-2025-66418, CVE-2026-21441 [HIGH]

[azurelinux-security]

Auto Patch python-urllib3 for CVE-2025-66418, CVE-2026-21441.

Autosec pipeline run -> https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1022838&view=results

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

• The toolchain has been rebuilt successfully (or no changes were made to it)
• The toolchain/worker package manifests are up-to-date
• Any updated packages successfully build (or no packages were changed)
• Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
• Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
• All package sources are available
• cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
• LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
• All source files have up-to-date hashes in the *.signatures.json files
• sudo make go-tidy-all and sudo make go-test-coverage pass
• Documentation has been updated to match any changes to the build system
• Ready to merge

---

Summary

What does the PR accomplish, why was it needed?

• Auto Patch python-urllib3 for CVE-2025-66418 (HIGH), CVE-2026-21441 (HIGH).

Change Log

• CVE-2025-66418
• CVE-2026-21441

Does this affect the toolchain?

YES/NO

Associated issues

• N/A

Links to CVEs

• https://nvd.nist.gov/vuln/detail/CVE-2025-66418
• https://nvd.nist.gov/vuln/detail/CVE-2026-21441

Test Methodology

• Pipeline build id: Buddy Build URL

[akhila-guruju]

CVE-2025-66418.patch:
Patch matches with upstream patch

[akhila-guruju]

CVE-2025-21441.patch
Adjustments were made to match with our code base.
There is no app.py file in dummyserver directory. The affected code is present in handlers.py file.
In dummyserver/handlers.py
request.params.get is used instead of values.get(). As v1.26.19 codebase uses request.params.get

[akhila-guruju]

ptest failure is not a regression. Same failure occurring before and after applying patch.
python-urllib3-1.26.19-2.cm2.src.rpm-FAILED_TEST-1768215060572.log
python-urllib3-1.26.19-3.cm2.src.rpm-FAILED_TEST-1766994327918.log

[Kanishk-Bansal]

Buddy Build

[Kanishk-Bansal]

/azurepipelines run

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[realsdx]

No ptests are running for this package, test harness is broken (not related to this PR)

[realsdx]

Can we try this patch to fix the ptests?

 %check
-pip3 install --user --upgrade nox
+pip3 install --user --upgrade "nox<2024.0" "setuptools<70"
 PATH="$PATH:/root/.local/bin/"
 nox --reuse-existing-virtualenvs --sessions test-%{python3_version}

[realsdx]

Try this patch (worked locally), there was an issue with the previous patch as well:

diff --git a/SPECS/python-urllib3/CVE-2025-50181.patch b/SPECS/python-urllib3/CVE-2025-50181.patch
index dd849d027..b03e8b332 100644
--- a/SPECS/python-urllib3/CVE-2025-50181.patch
+++ b/SPECS/python-urllib3/CVE-2025-50181.patch
@@ -74,7 +74,7 @@ index 61715e9..ded7b38 100644
 +        p = PoolManager(retries=retries)
          merged = p._merge_pool_kwargs({"new_key": "value"})
 -        assert {"strict": True, "new_key": "value"} == merged
-+        assert {"strict": retries, "new_key": "value"} == merged
++        assert {"retries": retries, "new_key": "value"} == merged

      def test_merge_pool_kwargs_none(self):
          """Assert false-y values to _merge_pool_kwargs result in defaults"""
diff --git a/SPECS/python-urllib3/python-urllib3.spec b/SPECS/python-urllib3/python-urllib3.spec
index dc9180fc4..ba77aefef 100644
--- a/SPECS/python-urllib3/python-urllib3.spec
+++ b/SPECS/python-urllib3/python-urllib3.spec
@@ -1,7 +1,7 @@
 Summary:        A powerful, sanity-friendly HTTP client for Python.
 Name:           python-urllib3
 Version:        1.26.19
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -22,6 +22,8 @@ BuildRequires:  python3-setuptools
 BuildRequires:  python3-xml
 %if %{with_check}
 BuildRequires:  python3-pip
+BuildRequires:  python3-pytest
+BuildRequires:  python3-mock
 %endif
 Requires:       python3

@@ -43,9 +45,20 @@ rm -rf test/contrib/
 %py3_install

 %check
-pip3 install --user --upgrade nox
-PATH="$PATH:/root/.local/bin/"
-nox --reuse-existing-virtualenvs --sessions test-%{python3_version}
+# Install nox to handle test environment setup
+pip3 install nox
+
+# Patch dev-requirements.txt to use compatible versions with setuptools 69.x:
+# - pytest 7.x+ is compatible with newer setuptools
+# - flaky 3.8.0+ is compatible with pytest 7.x+
+sed -i 's/pytest==4.6.9.*/pytest>=7.0.0/' dev-requirements.txt
+sed -i 's/pytest==6.2.4.*/pytest>=7.0.0/' dev-requirements.txt
+sed -i 's/flaky==3.7.0/flaky>=3.8.0/' dev-requirements.txt
+
+# Run the test session for Python 3.9
+# Skip test_recent_date which uses hardcoded date that is now in the past
+# Note: test/with_dummyserver and test/contrib are removed in %prep
+nox -s test-3.9 -- -k "not test_recent_date"

 %files -n python3-urllib3
 %defattr(-,root,root,-)

[akhila-guruju]

Added suggested patch to fix ptest failures.

[realsdx]

/azurepipelines run

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[realsdx]

Buddy Build

[realsdx]

• Patch applies cleanly

• Security tag exists
• Release bump & Changelog
• Buddy Build
• Ptests harness fixed
  Signed-off-by: @realsdx

[CBL-Mariner-Bot]

Auto cherry-pick results:

• main ✅ -> [AUTO-CHERRYPICK] [AutoPR- Security] Patch python-urllib3 for CVE-2025-66418, CVE-2026-21441 [HIGH] - branch main #15540

Auto cherry-pick pipeline run -> https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1030993&view=results