On Wed, 2026-01-07 at 09:08 +0100, Yoann Congal via lists.openembedded.org wrote:
> From: Peter Marko <[email protected]>
>
> Pick patch per [1].
>
> [1] https://nvd.nist.gov/vuln/detail/CVE-2025-66471
>
> Signed-off-by: Peter Marko <[email protected]>
> ---
>  .../python3-urllib3/CVE-2025-66471.patch | 930 ++++++++++++++++++
>  .../python/python3-urllib3_2.5.0.bb | 1 +
>  2 files changed, 931 insertions(+)
>  create mode 100644 meta/recipes-devtools/python/python3-urllib3/CVE-2025-66471.patch

This seems like a very large patch for a CVE issue. The changelog entry in the patch also says that the API of urllib3.response.ContentDecoder is changed.

We should look for a narrower fix, and only take this if there is no other option.

Thanks,

--
Paul Barker
