Re: [OE-core] [meta][scarthgap][PATCH] python3-urllib3: fix CVE-2025-50182

Mon, 04 May 2026 04:30:56 -0700 

I think this is the same as was already submitted and then rejected under
https://lists.openembedded.org/g/openembedded-core/message/220031

Peter

> -----Original Message-----
> From: [email protected] <openembedded-
> [email protected]> On Behalf Of Naman Jain via
> lists.openembedded.org
> Sent: Monday, May 4, 2026 1:23 PM
> To: [email protected]
> Cc: [email protected]
> Subject: [OE-core] [meta][scarthgap][PATCH] python3-urllib3: fix 
> CVE-2025-50182
> 
> From: Yogita Urade <[email protected]>
> 
> urllib3 is a user-friendly HTTP client library for Python. Prior
> to 2.5.0, urllib3 does not control redirects in browsers and
> Node.js. urllib3 supports being used in a Pyodide runtime utilizing
> the JavaScript Fetch API or falling back on XMLHttpRequest. This
> means Python libraries can be used to make HTTP requests from a
> browser or Node.js. Additionally, urllib3 provides a mechanism to
> control redirects, but the retries and redirect parameters are
> ignored with Pyodide; the runtime itself determines redirect
> behavior. This issue has been patched in version 2.5.0.
> 
> Reference:
> https://nvd.nist.gov/vuln/detail/CVE-2025-50182
> 
> Upstream patch:
> https://github.com/urllib3/urllib3/commit/7eb4a2aafe49a279c29b6d1f0ed0f42e97
> 36194f
> 
> (From OE-Core rev: 082b865d9814e7e7aca4466551a035199aa8b563)
> 
> Signed-off-by: Yogita Urade <[email protected]>
> Signed-off-by: Steve Sakoman <[email protected]>
> (cherry picked from commit 0372024fe7ab2cea5eddf686f9bee0f8f07a2000)
> Signed-off-by: Sana Kazi <[email protected]>
> ---
>  .../python3-urllib3/CVE-2025-50182.patch      | 112 ++++++++++++++++++
>  .../python/python3-urllib3_2.2.2.bb           |   1 +
>  2 files changed, 113 insertions(+)
>  create mode 100644 meta/recipes-devtools/python/python3-urllib3/CVE-2025-
> 50182.patch
> 
> diff --git a/meta/recipes-devtools/python/python3-urllib3/CVE-2025-50182.patch
> b/meta/recipes-devtools/python/python3-urllib3/CVE-2025-50182.patch
> new file mode 100644
> index 0000000000..3c0efec119
> --- /dev/null
> +++ b/meta/recipes-devtools/python/python3-urllib3/CVE-2025-50182.patch
> @@ -0,0 +1,112 @@
> +From 7eb4a2aafe49a279c29b6d1f0ed0f42e9736194f Mon Sep 17 00:00:00
> 2001
> +From: Illia Volochii <[email protected]>
> +Date: Wed, 18 Jun 2025 16:30:35 +0300
> +Subject: [PATCH] Merge commit from fork
> +
> +CVE: CVE-2025-50182
> +Upstream-Status: Backport
> [https://github.com/urllib3/urllib3/commit/7eb4a2aafe49a279c29b6d1f0ed0f42e97
> 36194f]
> +
> +Signed-off-by: Yogita Urade <[email protected]>
> +---
> + docs/reference/contrib/emscripten.rst      |  2 +-
> + src/urllib3/contrib/emscripten/fetch.py    | 20 ++++++++++
> + test/contrib/emscripten/test_emscripten.py | 46 ++++++++++++++++++++++
> + 3 files changed, 67 insertions(+), 1 deletion(-)
> +
> +diff --git a/docs/reference/contrib/emscripten.rst
> b/docs/reference/contrib/emscripten.rst
> +index a8f1cda..4670757 100644
> +--- a/docs/reference/contrib/emscripten.rst
> ++++ b/docs/reference/contrib/emscripten.rst
> +@@ -68,7 +68,7 @@ Features which are usable with Emscripte
> + * Timeouts
> + * Retries
> + * Streaming (with Web Workers and Cross-Origin Isolation)
> +-* Redirects (determined by browser/runtime, not restrictable with urllib3)
> ++* Redirects (urllib3 controls redirects in Node.js but not in browsers where
> behavior is determined by runtime)
> + * Decompressing response bodies
> +
> + Features which don't work with Emscripten:
> +diff --git a/src/urllib3/contrib/emscripten/fetch.py
> b/src/urllib3/contrib/emscripten/fetch.py
> +index a514306..6695821 100644
> +--- a/src/urllib3/contrib/emscripten/fetch.py
> ++++ b/src/urllib3/contrib/emscripten/fetch.py
> +@@ -403,6 +403,21 @@ def send_request(request: EmscriptenRequ
> +             raise _RequestError(err.message, request=request)
> +
> +
> ++def _is_node_js() -> bool:
> ++    """
> ++    Check if we are in Node.js.
> ++
> ++    :return: True if we are in Node.js.
> ++    :rtype: bool
> ++    """
> ++    return (
> ++        hasattr(js, "process")
> ++        and hasattr(js.process, "release")
> ++        # According to the Node.js documentation, the release name is always
> "node".
> ++        and js.process.release.name == "node"
> ++    )
> ++
> ++
> + def streaming_ready() -> bool | None:
> +     if _fetcher:
> +         return _fetcher.streaming_ready
> +diff --git a/test/contrib/emscripten/test_emscripten.py
> b/test/contrib/emscripten/test_emscripten.py
> +index 5eaa674..fbf89fc 100644
> +--- a/test/contrib/emscripten/test_emscripten.py
> ++++ b/test/contrib/emscripten/test_emscripten.py
> +@@ -964,6 +964,51 @@ def test_redirects(
> +         selenium_coverage, testserver_http.http_host, 
> testserver_http.http_port
> +     )
> +
> [email protected]_jspi
> ++def test_disabled_redirects(
> ++    selenium_coverage: typing.Any, testserver_http: PyodideServerInfo
> ++) -> None:
> ++    """
> ++    Test that urllib3 can control redirects in Node.js.
> ++    """
> ++
> ++    @run_in_pyodide  # type: ignore[misc]
> ++    def pyodide_test(selenium_coverage: typing.Any, host: str, port: int) 
> -> None:
> ++        import pytest
> ++
> ++        from urllib3 import PoolManager, request
> ++        from urllib3.contrib.emscripten.fetch import _is_node_js
> ++        from urllib3.exceptions import MaxRetryError
> ++
> ++        if not _is_node_js():
> ++            pytest.skip("urllib3 does not control redirects in browsers.")
> ++
> ++        redirect_url = f"http://{host}:{port}/redirect";
> ++
> ++        with PoolManager(retries=0) as http:
> ++            with pytest.raises(MaxRetryError):
> ++                http.request("GET", redirect_url)
> ++
> ++            response = http.request("GET", redirect_url, redirect=False)
> ++            assert response.status == 303
> ++
> ++        with PoolManager(retries=False) as http:
> ++            response = http.request("GET", redirect_url)
> ++            assert response.status == 303
> ++
> ++        with pytest.raises(MaxRetryError):
> ++            request("GET", redirect_url, retries=0)
> ++
> ++        response = request("GET", redirect_url, redirect=False)
> ++        assert response.status == 303
> ++
> ++        response = request("GET", redirect_url, retries=0, redirect=False)
> ++        assert response.status == 303
> ++
> ++    pyodide_test(
> ++        selenium_coverage, testserver_http.http_host, 
> testserver_http.http_port
> ++    )
> ++
> +
> + @install_urllib3_wheel()
> + def test_insecure_requests_warning(
> +--
> +2.40.0
> diff --git a/meta/recipes-devtools/python/python3-urllib3_2.2.2.bb 
> b/meta/recipes-
> devtools/python/python3-urllib3_2.2.2.bb
> index f6ac8f89ca..19c51b68a7 100644
> --- a/meta/recipes-devtools/python/python3-urllib3_2.2.2.bb
> +++ b/meta/recipes-devtools/python/python3-urllib3_2.2.2.bb
> @@ -12,6 +12,7 @@ SRC_URI += " \
>      file://CVE-2025-66418.patch \
>      file://CVE-2025-66471.patch \
>      file://CVE-2026-21441.patch \
> +    file://CVE-2025-50182.patch \
>  "
> 
>  RDEPENDS:${PN} += "\
> --
> 2.34.1


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#236449): 
https://lists.openembedded.org/g/openembedded-core/message/236449
Mute This Topic: https://lists.openembedded.org/mt/119140733/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to