On Wed, 2026-01-07 at 12:19 +0000, Marko, Peter wrote:
> 
> > -----Original Message-----
> > From: Paul Barker <[email protected]>
> > Sent: Wednesday, January 7, 2026 12:49
> > To: [email protected]; [email protected];
> > Marko, Peter (FT D EU SK BFS1) <[email protected]>
> > Subject: Re: [OE-core][whinlatter 04/11] python3-urllib3: patch
> > 
> > On Wed, 2026-01-07 at 09:08 +0100, Yoann Congal via
> > lists.openembedded.org wrote:
> > > From: Peter Marko <[email protected]>
> > > 
> > > Pick patch per [1].
> > > 
> > > [1] https://nvd.nist.gov/vuln/detail/CVE-2025-66471
> > > 
> > > Signed-off-by: Peter Marko <[email protected]>
> > > ---
> > >  .../python3-urllib3/CVE-2025-66471.patch | 930 ++++++++++++++++++
> > >  .../python/python3-urllib3_2.5.0.bb      |   1 +
> > >  2 files changed, 931 insertions(+)
> > >  create mode 100644 meta/recipes-devtools/python/python3-urllib3/CVE-2025-66471.patch
> > 
> > This seems like a very large patch for a CVE issue. The changelog entry
> > in the patch also says that the API of urllib3.response.ContentDecoder
> > is changed.
> > 
> > We should look for a narrower fix, and only take this if there is no
> > other option.
> 
> I originally didn't want to patch this CVE due to this reason (and didn't
> patch it in kirkstone).
> But since this has landed in scarthgap, I decided for the same in whinlatter
> for consistency.
> Should we revert it from scarthgap?
I don't think we need to rush to a decision. Have any other distros patched
this CVE? I see it's still unpatched in Debian [1], and Arch Linux is on
v2.6.2 already [2]. Ubuntu has taken the patch [3], we should check if
they've modified it or directly taken the upstream commit.

[1]: https://tracker.debian.org/pkg/python-urllib3
[2]: https://archlinux.org/packages/extra/any/python-urllib3/
[3]: https://launchpad.net/ubuntu/+source/python-urllib3/2.5.0-1ubuntu1

Jiaying Song: Any thoughts on this? You did the backport to scarthgap.

Best regards,

-- 
Paul Barker
