Control: forcemerge 1126002 -1

Hi,

On Tue, Jan 20, 2026 at 01:08:58PM +0100, Slavko wrote:
> Package: python3-urllib3
> Severity: serious
> Version: 1.26.12-1+deb12u2
> 
> Hi,
> 
> The recent security upgrade breaks httplib3 usage and throws an exception:
> 
>     AttributeError: 'HTTPResponse' object has no attribute '_has_decoded_content'. Did you mean: 'decode_content'?
> 
> I call it from requests, but IMO it doesn't matter. As I found, that
> particular problem is introduced by CVE-2026-21441.patch, which
> contains:
> 
>     -            self.read()
>     +            self.read(
>     +                # Do not spend resources decoding the content unless
>     +                # decoding has already been initiated.
>     +                decode_content=self._has_decoded_content,
>     +            )
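
Review bot: The new `decode_content=self._has_decoded_content` argument reads an attribute that this hunk never assigns, and the report states this is its only occurrence in 1.26.12-1+deb12u2, so the call fails with the AttributeError quoted above before `read()` runs. The backport needs to also carry the code that initialises and updates `_has_decoded_content` on `HTTPResponse`, or this call should be rewritten against state that already exists in this branch. A test that exercises this code path on the patched package would catch the regression before upload.
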
> 
> But that is the only place where "_has_decoded_content" is in this
> version of urllib. I can only guess that this patch is either
> incomplete, or this part is not appropriate.

Yes, see the already filed #1126002. The patch is a bad backport and
will be fixed in a regression update.

Regards,
Salvatore
