public inbox for openembedded-core@lists.openembedded.org
From: Yoann Congal <yoann.congal@smile.fr>
To: Paul Barker <paul@pbarker.dev>,
	"Marko, Peter" <Peter.Marko@siemens.com>,
	"openembedded-core@lists.openembedded.org"
	<openembedded-core@lists.openembedded.org>,
	Jiaying Song <jiaying.song.cn@windriver.com>
Subject: Re: [OE-core][whinlatter 04/11] python3-urllib3: patch
Date: Wed, 7 Jan 2026 13:47:00 +0100	[thread overview]
Message-ID: <04c34334-5342-4711-bcdf-177da37b6fdc@smile.fr> (raw)
In-Reply-To: <5549493a25264654b39a48522691b15feece176c.camel@pbarker.dev>



On 07/01/2026 at 13:32, Paul Barker wrote:
> On Wed, 2026-01-07 at 12:19 +0000, Marko, Peter wrote:
>>
>>> -----Original Message-----
>>> From: Paul Barker <paul@pbarker.dev>
>>> Sent: Wednesday, January 7, 2026 12:49
>>> To: yoann.congal@smile.fr; openembedded-core@lists.openembedded.org;
>>> Marko, Peter (FT D EU SK BFS1) <Peter.Marko@siemens.com>
>>> Subject: Re: [OE-core][whinlatter 04/11] python3-urllib3: patch
>>>
>>> On Wed, 2026-01-07 at 09:08 +0100, Yoann Congal via
>>> lists.openembedded.org wrote:
>>>> From: Peter Marko <peter.marko@siemens.com>
>>>>
>>>> Pick patch per [1].
>>>>
>>>> [1] https://nvd.nist.gov/vuln/detail/CVE-2025-66471
>>>>
>>>> Signed-off-by: Peter Marko <peter.marko@siemens.com>
>>>> ---
>>>>  .../python3-urllib3/CVE-2025-66471.patch      | 930 ++++++++++++++++++
>>>>  .../python/python3-urllib3_2.5.0.bb           |   1 +
>>>>  2 files changed, 931 insertions(+)
>>>>  create mode 100644 meta/recipes-devtools/python/python3-urllib3/CVE-2025-66471.patch
>>>
>>> This seems like a very large patch for a CVE issue. The changelog entry
>>> in the patch also says that the API of urllib3.response.ContentDecoder
>>> is changed.
>>>
>>> We should look for a narrower fix, and only take this if there is no
>>> other option.
>>
>> I originally didn't want to patch this CVE due to this reason (and didn't patch it in kirkstone).
>> But since this has landed in scarthgap, I decided for the same in whinlatter for consistency.
>> Should we revert it from scarthgap?
> 
> I don't think we need to rush to a decision.

On my side, I need to do the whinlatter 5.3.1 release build on Monday.
I propose to set this patch aside to not block the release and the other
patches.

For scarthgap, we can revert the current fix and add the "proper" fix
when we have it. I'd rather avoid a patched->applicable transition on a CVE.

Sounds good?

> 
> Have any other distros patched this CVE? I see it's still unpatched in
> Debian [1], and Arch Linux is on v2.6.2 already [2]. Ubuntu has taken
> the patch [3], we should check if they've modified it or directly taken
> the upstream commit.
> 
> [1]: https://tracker.debian.org/pkg/python-urllib3
> [2]: https://archlinux.org/packages/extra/any/python-urllib3/
> [3]: https://launchpad.net/ubuntu/+source/python-urllib3/2.5.0-1ubuntu1
> 
> Jiaying Song: Any thoughts on this? You did the backport to scarthgap.
> 
> Best regards,
> 

-- 
Yoann Congal
Smile ECS



Thread overview:
2026-01-07  8:08 [OE-core][whinlatter 00/11] Patch review Yoann Congal
2026-01-07  8:08 ` [OE-core][whinlatter 01/11] dropbear: patch CVE-2019-6111 Yoann Congal
2026-01-07  8:08 ` [OE-core][whinlatter 02/11] sqlite3: mark CVE-2025-29087 as patched Yoann Congal
2026-01-07  8:08 ` [OE-core][whinlatter 03/11] python3-urllib3: patch CVE-2025-66418 Yoann Congal
2026-01-07  8:08 ` [OE-core][whinlatter 04/11] python3-urllib3: patch CVE-2025-66471 Yoann Congal
2026-01-07 11:48   ` Paul Barker
2026-01-07 12:19     ` [OE-core][whinlatter 04/11] python3-urllib3: patch Marko, Peter
2026-01-07 12:32       ` Paul Barker
2026-01-07 12:47         ` Yoann Congal [this message]
2026-01-07 14:05           ` Paul Barker
2026-01-30 10:33             ` Yoann Congal
2026-03-04 11:10               ` Marko, Peter
2026-03-04 15:15                 ` Yoann Congal
2026-03-05  9:39                   ` Paul Barker
2026-03-05 10:30                     ` Yoann Congal
2026-01-07  8:08 ` [OE-core][whinlatter 05/11] python3: upgrade 3.13.9 -> 3.13.11 Yoann Congal
2026-01-07  8:08 ` [OE-core][whinlatter 06/11] libarchive: upgrade 3.8.3 -> 3.8.4 Yoann Congal
2026-01-07  8:08 ` [OE-core][whinlatter 07/11] glib-2.0: upgrade 2.86.1 -> 2.86.3 Yoann Congal
2026-01-07  8:08 ` [OE-core][whinlatter 08/11] libpng: upgrade 1.6.51 -> 1.6.52 Yoann Congal
2026-01-07  8:08 ` [OE-core][whinlatter 09/11] libpcap: upgrade 1.10.5 -> 1.10.6 Yoann Congal
2026-01-07  8:08 ` [OE-core][whinlatter 10/11] Revert "populate_sdk_ext: keep SDK_TARGETS so SPDX/SBOM tasks remain in locked sigs" Yoann Congal
2026-01-07  8:09 ` [OE-core][whinlatter 11/11] Revert "create-spdx-image-3.0: Image SPDX/SBOM tasks are retained for eSDK installation" Yoann Congal
