[AUTO-CHERRYPICK] Fix CVE-2024-37891 for python-pip :3.0 - branch 3.0-dev (#11215)

Co-authored-by: KavyaSree2610 <92566732+KavyaSree2610@users.noreply.github.com>

Author: CBL-Mariner-Bot

SPECS/python-pip/CVE-2024-37891.patch

@@ -0,0 +1,27 @@
+From 06d1284366921615eeadcb388ac7c89c3224f1cb Mon Sep 17 00:00:00 2001
+From: kavyasree <kkaitepalli@microsoft.com>
+Date: Tue, 19 Nov 2024 17:01:29 +0530
+Subject: [PATCH] Fix CVE-2024-37891
+
+---
+ src/pip/_vendor/urllib3/util/retry.py | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/pip/_vendor/urllib3/util/retry.py b/src/pip/_vendor/urllib3/util/retry.py
+index 60ef6c4..9a1e90d 100644
+--- a/src/pip/_vendor/urllib3/util/retry.py
++++ b/src/pip/_vendor/urllib3/util/retry.py
+@@ -235,7 +235,9 @@ class Retry(object):
+     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
+ 
+     #: Default headers to be used for ``remove_headers_on_redirect``
+-    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
++    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(
++        ["Cookie", "Authorization", "Proxy-Authorization"]
++    )
+ 
+     #: Maximum backoff time.
+     DEFAULT_BACKOFF_MAX = 120
+-- 
+2.34.1
+

SPECS/python-pip/python-pip.spec

@@ -5,13 +5,14 @@ A tool for installing and managing Python packages}
 Summary:        A tool for installing and managing Python packages
 Name:           python-pip
 Version:        24.2
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        MIT AND Python-2.0.1 AND Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND ISC AND LGPL-2.1-only AND MPL-2.0 AND (Apache-2.0 OR BSD-2-Clause)
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 Group:          Development/Tools
 URL:            https://pip.pypa.io/
 Source0:        https://github.com/pypa/pip/archive/%{version}/%{srcname}-%{version}.tar.gz
+Patch0:		CVE-2024-37891.patch
 
 BuildArch:      noarch
 
@@ -51,6 +52,9 @@ BuildRequires:  python3-wheel
 %{python3_sitelib}/pip*
 
 %changelog
+* Fri Nov 22 2024 Kavya Sree Kaitepalli <kkaitepalli@microsoft.com> - 24.2-2
+- Patch for CVE-2024-37891
+
 * Wed Oct 23 2024 Bala <balakumaran.kannan@microsoft.com> - 24.2.1
 - Upgrade to 24.2 for fixing CVE-2024-6345
 - Update build and install steps for toml based build

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -547,7 +547,7 @@ python3-magic-5.45-1.azl3.noarch.rpm
 python3-markupsafe-2.1.3-1.azl3.aarch64.rpm
 python3-newt-0.52.23-1.azl3.aarch64.rpm
 python3-packaging-23.2-3.azl3.noarch.rpm
-python3-pip-24.2-1.azl3.noarch.rpm
+python3-pip-24.2-2.azl3.noarch.rpm
 python3-pygments-2.7.4-2.azl3.noarch.rpm
 python3-rpm-4.18.2-1.azl3.aarch64.rpm
 python3-rpm-generators-14-11.azl3.noarch.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

@@ -553,7 +553,7 @@ python3-magic-5.45-1.azl3.noarch.rpm
 python3-markupsafe-2.1.3-1.azl3.x86_64.rpm
 python3-newt-0.52.23-1.azl3.x86_64.rpm
 python3-packaging-23.2-3.azl3.noarch.rpm
-python3-pip-24.2-1.azl3.noarch.rpm
+python3-pip-24.2-2.azl3.noarch.rpm
 python3-pygments-2.7.4-2.azl3.noarch.rpm
 python3-rpm-4.18.2-1.azl3.x86_64.rpm
 python3-rpm-generators-14-11.azl3.noarch.rpm