On 07/01/2026 at 13:32, Paul Barker wrote:
> On Wed, 2026-01-07 at 12:19 +0000, Marko, Peter wrote:
>>
>>> -----Original Message-----
>>> From: Paul Barker <[email protected]>
>>> Sent: Wednesday, January 7, 2026 12:49
>>> To: [email protected]; [email protected];
>>> Marko, Peter (FT D EU SK BFS1) <[email protected]>
>>> Subject: Re: [OE-core][whinlatter 04/11] python3-urllib3: patch
>>>
>>> On Wed, 2026-01-07 at 09:08 +0100, Yoann Congal via
>>> lists.openembedded.org wrote:
>>>> From: Peter Marko <[email protected]>
>>>>
>>>> Pick patch per [1].
>>>>
>>>> [1] https://nvd.nist.gov/vuln/detail/CVE-2025-66471
>>>>
>>>> Signed-off-by: Peter Marko <[email protected]>
>>>> ---
>>>>  .../python3-urllib3/CVE-2025-66471.patch      | 930 ++++++++++++++++++
>>>>  .../python/python3-urllib3_2.5.0.bb           |   1 +
>>>>  2 files changed, 931 insertions(+)
>>>>  create mode 100644 meta/recipes-devtools/python/python3-urllib3/CVE-2025-66471.patch
>>>
>>> This seems like a very large patch for a CVE issue. The changelog entry
>>> in the patch also says that the API of urllib3.response.ContentDecoder
>>> is changed.
>>>
>>> We should look for a narrower fix, and only take this if there is no
>>> other option.
>>
>> I originally didn't want to patch this CVE due to this reason (and didn't 
>> patch it in kirkstone).
>> But since this has landed in scarthgap, I decided for the same in whinlatter 
>> for consistency.
>> Should we revert it from scarthgap?
> 
> I don't think we need to rush to a decision.

On my side, I need to do the whinlatter 5.3.1 release build on Monday.
I propose to set this patch aside to not block the release and the other
patches.

For scarthgap, we can revert the current fix and add the "proper" fix
when we have it. I'd rather avoid a patched->applicable transition on a CVE.

Sounds good?

> 
> Have any other distros patched this CVE? I see it's still unpatched in
> Debian [1], and Arch Linux is on v2.6.2 already [2]. Ubuntu has taken
> the patch [3], we should check if they've modified it or directly taken
> the upstream commit.
> 
> [1]: https://tracker.debian.org/pkg/python-urllib3
> [2]: https://archlinux.org/packages/extra/any/python-urllib3/
> [3]: https://launchpad.net/ubuntu/+source/python-urllib3/2.5.0-1ubuntu1
> 
> Jiaying Song: Any thoughts on this? You did the backport to scarthgap.
> 
> Best regards,
> 

-- 
Yoann Congal
Smile ECS

View/Reply Online (#228998): https://lists.openembedded.org/g/openembedded-core/message/228998