backport-CVE-2020-14422.patch

@@ -1,43 +0,0 @@
-From b30ee26e366bf509b7538d79bfec6c6d38d53f28 Mon Sep 17 00:00:00 2001
-From: Ravi Teja P <rvteja92@gmail.com>
-Date: Mon, 29 Jun 2020 23:09:29 +0530
-Subject: [PATCH] bpo-41004: Resolve hash collisions for IPv4Interface and
- IPv6Interface (GH-21033)
- 
-The __hash__() methods of classes IPv4Interface and IPv6Interface had issue
-of generating constant hash values of 32 and 128 respectively causing hash collisions.
-The fix uses the hash() function to generate hash values for the objects
-instead of XOR operation
- 
-Reference:https://github.com/python/cpython/commit/b30ee26e366bf509b7538d79bfec6c6d38d53f28
-Conflict:NA
- 
----
- src/pip/_vendor/ipaddress.py | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
- 
-diff --git a/src/pip/_vendor/ipaddress.py b/src/pip/_vendor/ipaddress.py
-index 3e6f9e499..19dfc4cdb 100644
---- a/src/pip/_vendor/ipaddress.py
-+++ b/src/pip/_vendor/ipaddress.py
-@@ -1536,7 +1536,7 @@ class IPv4Interface(IPv4Address):
-             return False
- 
-     def __hash__(self):
--        return self._ip ^ self._prefixlen ^ int(self.network.network_address)
-+        return hash((self._ip, self._prefixlen, int(self.network.network_address)))
- 
-     __reduce__ = _IPAddressBase.__reduce__
- 
-@@ -2229,7 +2229,7 @@ class IPv6Interface(IPv6Address):
-             return False
- 
-     def __hash__(self):
--        return self._ip ^ self._prefixlen ^ int(self.network.network_address)
-+        return hash((self._ip, self._prefixlen, int(self.network.network_address)))
- 
-     __reduce__ = _IPAddressBase.__reduce__
- 
--- 
-2.21.0
-

backport-CVE-2021-33503.patch

@@ -1,42 +0,0 @@
-From 2d4a3fee6de2fa45eb82169361918f759269b4ec Mon Sep 17 00:00:00 2001
-From: Seth Michael Larson <sethmichaellarson@gmail.com>
-Date: Wed, 26 May 2021 10:43:12 -0500
-Subject: [PATCH] Improve performance of sub-authority splitting in URL
-
----
- src/pip/_vendor/urllib3/util/url.py |  8 +++++---
- 1 files changed, 5 insertions(+), 3 deletions(-)
-
-diff --git a/src/pip/_vendor/urllib3/util/url.py b/src/pip/_vendor/urllib3/util/url.py
-index 6ff238f..81a03da 100644
---- a/src/pip/_vendor/urllib3/util/url.py
-+++ b/src/pip/_vendor/urllib3/util/url.py
-@@ -63,12 +63,12 @@ IPV6_ADDRZ_RE = re.compile("^" + IPV6_ADDRZ_PAT + "$")
- BRACELESS_IPV6_ADDRZ_RE = re.compile("^" + IPV6_ADDRZ_PAT[2:-2] + "$")
- ZONE_ID_RE = re.compile("(" + ZONE_ID_PAT + r")\]$")
- 
--SUBAUTHORITY_PAT = (u"^(?:(.*)@)?(%s|%s|%s)(?::([0-9]{0,5}))?$") % (
-+_HOST_PORT_PAT = ("^(%s|%s|%s)(?::([0-9]{0,5}))?$") % (
-     REG_NAME_PAT,
-     IPV4_PAT,
-     IPV6_ADDRZ_PAT,
- )
--SUBAUTHORITY_RE = re.compile(SUBAUTHORITY_PAT, re.UNICODE | re.DOTALL)
-+_HOST_PORT_RE = re.compile(_HOST_PORT_PAT, re.UNICODE | re.DOTALL)
- 
- UNRESERVED_CHARS = set(
-     "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789._-~"
-@@ -365,7 +365,9 @@ def parse_url(url):
-             scheme = scheme.lower()
- 
-         if authority:
--            auth, host, port = SUBAUTHORITY_RE.match(authority).groups()
-+            auth, _, host_port = authority.rpartition("@")
-+            auth = auth or None
-+            host, port = _HOST_PORT_RE.match(host_port).groups()
-             if auth and normalize_uri:
-                 auth = _encode_invalid_chars(auth, USERINFO_CHARS)
-             if port == "":
--- 
-1.8.3.1
-

backport-CVE-2023-43804-added-the-Cookie-to-the-list-of-headers.patch

@@ -1,31 +0,0 @@
-From 01220354d389cd05474713f8c982d05c9b17aafb Mon Sep 17 00:00:00 2001
-From: Seth Michael Larson <sethmichaellarson@gmail.com>
-Date: Mon, 2 Oct 2023 11:43:46 -0500
-Subject: [PATCH] Backport GHSA-v845-jxx5-vc9f (#3139)
-
-Co-authored-by: Quentin Pradet <quentin.pradet@gmail.com>
-Co-authored-by: Illia Volochii <illia.volochii@gmail.com>
-
-Conflict:Files test_retry.py,test_retry_deprecated.py ,and test_poolmaner.py do not exit.Therefore,no test case is involved.
-Reference:https://github.com/urllib3/urllib3/commit/01220354d389cd05474713f8c982d05c9b17aafb
-
----
- src/pip/_vendor/urllib3/util/retry.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/pip/_vendor/urllib3/util/retry.py b/src/pip/_vendor/urllib3/util/retry.py
-index ee30c91..545e876 100644
---- a/src/pip/_vendor/urllib3/util/retry.py
-+++ b/src/pip/_vendor/urllib3/util/retry.py
-@@ -154,7 +154,7 @@ class Retry(object):
- 
-     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
- 
--    DEFAULT_REDIRECT_HEADERS_BLACKLIST = frozenset(["Authorization"])
-+    DEFAULT_REDIRECT_HEADERS_BLACKLIST = frozenset(["Cookie","Authorization"])
- 
-     #: Maximum backoff time.
-     BACKOFF_MAX = 120
--- 
-2.33.0
-

backport-CVE-2023-45803-Made-body-stripped-from-HTTP-requests.patch

@@ -1,98 +0,0 @@
-From b594c5ceaca38e1ac215f916538fb128e3526a36 Mon Sep 17 00:00:00 2001
-From: Illia Volochii <illia.volochii@gmail.com>
-Date: Tue, 17 Oct 2023 19:35:39 +0300
-Subject: [PATCH] Merge pull request from GHSA-g4mx-q9vg-27p4
-
-Conflict:Files dummyserver/handlers.py, test/with_dummyserver/test_connectionpool.py
-and test/with_dummyserver/test_poolmanager.py do not exist. Therefore, no dummy server
-and test case is involved.
-Reference:https://github.com/urllib3/urllib3/commit/b594c5ceaca38e1ac215f916538fb128e3526a36
-
----
- src/pip/_vendor/urllib3/_collections.py   | 18 ++++++++++++++++++
- src/pip/_vendor/urllib3/connectionpool.py |  6 +++++-
- src/pip/_vendor/urllib3/poolmanager.py    |  7 +++++--
- 3 files changed, 28 insertions(+), 3 deletions(-)
-
-diff --git a/src/pip/_vendor/urllib3/_collections.py b/src/pip/_vendor/urllib3/_collections.py
-index 019d151..8b3f0f7 100644
---- a/src/pip/_vendor/urllib3/_collections.py
-+++ b/src/pip/_vendor/urllib3/_collections.py
-@@ -267,6 +267,24 @@ class HTTPHeaderDict(MutableMapping):
-         else:
-             return vals[1:]
- 
-+    def _prepare_for_method_change(self):
-+        """
-+        Remove content-specific header fields before changing the request
-+        method to GET or HEAD according to RFC 9110, Section 15.4.
-+        """
-+        content_specific_headers = [
-+            "Content-Encoding",
-+            "Content-Language",
-+            "Content-Location",
-+            "Content-Type",
-+            "Content-Length",
-+            "Digest",
-+            "Last-Modified",
-+        ]
-+        for header in content_specific_headers:
-+            self.discard(header)
-+        return self
-+
-     # Backwards compatibility for httplib
-     getheaders = getlist
-     getallmatchingheaders = getlist
-diff --git a/src/pip/_vendor/urllib3/connectionpool.py b/src/pip/_vendor/urllib3/connectionpool.py
-index 5f044db..539eb04 100644
---- a/src/pip/_vendor/urllib3/connectionpool.py
-+++ b/src/pip/_vendor/urllib3/connectionpool.py
-@@ -7,7 +7,7 @@ import warnings
- from socket import error as SocketError, timeout as SocketTimeout
- import socket
- 
--
-+from ._collections import HTTPHeaderDict
- from .exceptions import (
-     ClosedPoolError,
-     ProtocolError,
-@@ -769,7 +769,11 @@ class HTTPConnectionPool(ConnectionPool, RequestMethods):
-         redirect_location = redirect and response.get_redirect_location()
-         if redirect_location:
-             if response.status == 303:
-+                # Change the method according to RFC 9110, Section 15.4.4.
-                 method = "GET"
-+                # And lose the body not to transfer anything sensitive.
-+                body = None
-+                headers = HTTPHeaderDict(headers)._prepare_for_method_change()
- 
-             try:
-                 retries = retries.increment(method, url, response=response, _pool=self)
-diff --git a/src/pip/_vendor/urllib3/poolmanager.py b/src/pip/_vendor/urllib3/poolmanager.py
-index e2bd3bd..c30c5e0 100644
---- a/src/pip/_vendor/urllib3/poolmanager.py
-+++ b/src/pip/_vendor/urllib3/poolmanager.py
-@@ -4,7 +4,7 @@ import functools
- import logging
- import warnings
- 
--from ._collections import RecentlyUsedContainer
-+from ._collections import HTTPHeaderDict, RecentlyUsedContainer
- from .connectionpool import HTTPConnectionPool, HTTPSConnectionPool
- from .connectionpool import port_by_scheme
- from .exceptions import (
-@@ -342,9 +342,12 @@ class PoolManager(RequestMethods):
-         # Support relative URLs for redirecting.
-         redirect_location = urljoin(url, redirect_location)
- 
--        # RFC 7231, Section 6.4.4
-         if response.status == 303:
-+            # Change the method according to RFC 9110, Section 15.4.4.
-             method = "GET"
-+            # And lose the body not to transfer anything sensitive.
-+            kw["body"] = None
-+            kw["headers"] = HTTPHeaderDict(kw["headers"])._prepare_for_method_change()
- 
-         retries = kw.get("retries")
-         if not isinstance(retries, Retry):
---

backport-CVE-2024-37891-Strip-Proxy-Authorization-header-on-redirects.patch

@@ -1,31 +0,0 @@
-From accff72ecc2f6cf5a76d9570198a93ac7c90270e Mon Sep 17 00:00:00 2001
-From: Quentin Pradet <quentin.pradet@gmail.com>
-Date: Mon, 17 Jun 2024 11:09:06 +0400
-Subject: [PATCH] Merge pull request from GHSA-34jh-p97f-mpxf
-
-* Strip Proxy-Authorization header on redirects
-
-Conflict:Files test/test_retry.py and test/with_dummyserver/test_poolmanager.py do not
-exist. Therefore, no test case is involved.
-Reference:https://github.com/urllib3/urllib3/commit/accff72ecc2f6cf5a76d9570198a93ac7c90270e
-
----
- src/pip/_vendor/urllib3/util/retry.py | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/src/pip/_vendor/urllib3/util/retry.py b/src/pip/_vendor/urllib3/util/retry.py
-index 545e876..b4a2d3d 100644
---- a/src/pip/_vendor/urllib3/util/retry.py
-+++ b/src/pip/_vendor/urllib3/util/retry.py
-@@ -154,7 +154,9 @@ class Retry(object):
- 
-     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
- 
--    DEFAULT_REDIRECT_HEADERS_BLACKLIST = frozenset(["Cookie","Authorization"])
-+    DEFAULT_REDIRECT_HEADERS_BLACKLIST = frozenset(
-+        ["Cookie", "Authorization", "Proxy-Authorization"]
-+    )
- 
-     #: Maximum backoff time.
-     BACKOFF_MAX = 120
--- 

backport-fix-vulnerable-regex.patch

@@ -1,25 +0,0 @@
-From 254e668eef34ca21005634a2bdba9d9a74deaa26 Mon Sep 17 00:00:00 2001
-From: M00nL1ght <69127692+SCH227@users.noreply.github.com>
-Date: Tue, 30 Aug 2022 05:51:29 +0300
-Subject: [PATCH] Fix vulnerable regex
-
-Implement exclusive RE searches to avoid backtracking
----
- src/pip/_internal/models/wheel.py | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/pip/_internal/models/wheel.py b/src/pip/_internal/models/wheel.py
-index 35c70375539..a5dc12bdd63 100644
---- a/src/pip/_internal/models/wheel.py
-+++ b/src/pip/_internal/models/wheel.py
-@@ -13,8 +13,8 @@ class Wheel:
-     """A wheel file"""
- 
-     wheel_file_re = re.compile(
--        r"""^(?P<namever>(?P<name>.+?)-(?P<ver>.*?))
--        ((-(?P<build>\d[^-]*?))?-(?P<pyver>.+?)-(?P<abi>.+?)-(?P<plat>.+?)
-+        r"""^(?P<namever>(?P<name>[^\s-]+?)-(?P<ver>[^\s-]*?))
-+        ((-(?P<build>\d[^-]*?))?-(?P<pyver>[^\s-]+?)-(?P<abi>[^\s-]+?)-(?P<plat>[^\s-]+?)
-         \.whl|\.dist-info)$""",
-         re.VERBOSE
-     )

python-pip.spec

@@ -7,7 +7,7 @@ pip is the package installer for Python. You can use pip to install packages fro
 %global bashcompdir %(b=$(pkg-config --variable=completionsdir bash-completion 2>/dev/null); echo ${b:-%{_sysconfdir}/bash_completion.d})
 Name:           python-%{srcname}
 Version:        20.2.2
-Release:        9
+Release:        4
 Summary:        A tool for installing and managing Python packages
 License:        MIT and Python and ASL 2.0 and BSD and ISC and LGPLv2 and MPLv2.0 and (ASL 2.0 or BSD)
 URL:            http://www.pip-installer.org
@@ -18,12 +18,6 @@ Patch2:         emit-a-warning-when-running-with-root-privileges.patch
 Patch3:         remove-existing-dist-only-if-path-conflicts.patch
 Patch6000:      dummy-certifi.patch
 Patch6001:      backport-CVE-2021-3572.patch
-Patch6002:      backport-CVE-2021-33503.patch
-Patch6003:      backport-CVE-2020-14422.patch
-Patch6004:      backport-fix-vulnerable-regex.patch
-Patch6005:      backport-CVE-2023-43804-added-the-Cookie-to-the-list-of-headers.patch
-Patch6006:      backport-CVE-2023-45803-Made-body-stripped-from-HTTP-requests.patch
-Patch6007:      backport-CVE-2024-37891-Strip-Proxy-Authorization-header-on-redirects.patch
 
 Source1:	pip-allow-older-versions.patch
 
@@ -161,21 +155,6 @@ install -p dist/%{python_wheelname} -t %{buildroot}%{python_wheeldir}
 %{python_wheeldir}/%{python_wheelname}
 
 %changelog
-* Sat Jul 13 2024 yangyuan <yangyuan32@huawei.com> - 20.2.2-9
-- Fix CVE-2023-45803 and CVE-2024-37891
-
-* Wed Jun 26 2024 zhangruifang <zhangruifang@h-partners.com> - 20.2.2-8
-- Fix CVE-2023-43804
-
-* Wed Dec 13 2023 yanglongkang <yanglongkang@h-partners.com> - 20.2.2-7
-- Fix vulnerable regex
-
-* Fri Sep 16 2022 yanglongkang<yanglongkang@h-partners.com> - 20.2.2-6
-- fix CVE-2020-14422
-
-* Fri Sep 09 2022 renhongxun<renhongxun@h-partners.com> - 20.2.2-5
-- fix CVE-2021-33503
-
 * Sat Aug 23 2021 shixuantong<shixuantong@huawei.com> - 20.2.2-4
 - delete bounded certificate