From: "Yoann Congal" <yoann.congal@smile.fr>
To: "Marko, Peter" <Peter.Marko@siemens.com>,
"Paul Barker" <paul@pbarker.dev>
Cc: "openembedded-core@lists.openembedded.org"
<openembedded-core@lists.openembedded.org>,
"Jiaying Song" <jiaying.song.cn@windriver.com>
Subject: Re: [OE-core][whinlatter 04/11] python3-urllib3: patch
Date: Wed, 04 Mar 2026 16:15:34 +0100 [thread overview]
Message-ID: <DGU3HPLPGFES.23M3LOS6Y7S4H@smile.fr> (raw)
In-Reply-To: <AS1PR10MB5697D5349A3C15D8B6E731EFFD7CA@AS1PR10MB5697.EURPRD10.PROD.OUTLOOK.COM>
On Wed Mar 4, 2026 at 12:10 PM CET, Peter Marko wrote:
> Hello Yoann, Paul,
>
> What shall we do with this patch?
> Drop or take?
>
> I also think that it’s intrusive, however having this fixed on older Yocto release and not fixed in newer is weird.
> https://git.openembedded.org/openembedded-core/commit/?h=scarthgap&id=d9f52c5f86bcc4716e384fe5c01c03d386d60446
Hello,
For context, here an update on status in other distros:
Debian did not fix it:
https://security-tracker.debian.org/tracker/CVE-2025-66471
Ubuntu has not fixed for most releases:
https://ubuntu.com/security/CVE-2025-66471
Redhat did take the patch:
https://access.redhat.com/errata/RHSA-2026:1254
So the situation in other distros has not changed much.
I looked closer at the patch:
* There is indeed an API change:
ContentDecoder.decompress(..., max_length: int = -1)
BaseHTTPResponse._decode(..., max_length: int | None = None)
But this has a default value so existing code will use that and
preserve current behavior (uncompress without limit).
That could be a problem for users that subclassed those but, a
decompress() without max_length would have the CVE so better fix it
and _decode() is not intended to be subclassed (as private?)
* The upgraded dependency to brotli >= 1.2.0:
* is optional
* existing brotli 1.1.0 (in meta-openembedded/scarthgap) will still
work but generate a valid warning (the 1.1.0 version of brotli can't
support fixes for this CVE)
* For what it's worth (not much), this patch was in released scarthgap
5.0.15 for 1.5 months and yet we had no user reports.
I don't see how you could fix this CVE without changing the API you have
to limit the size of the decompressed data, but you also have to pass
the maximum size to the underlying decompressor somehow...
Interestingly, urllib3 has paid support available:
https://urllib3.readthedocs.io/en/latest/index.html#for-enterprise
Maybe an interested party can ask through that for a smaller fix?
In conclusion, I'm leaning toward taking the patch : while it is
definitely intrusive, some care was taken in it to ensure
compatibility and the breakages are inherent to the CVE.
Paul, would you agree?
Regards,
> Peter
>
>
> From: Yoann Congal <yoann.congal@smile.fr>
> Sent: Friday, January 30, 2026 11:34
> To: Paul Barker <paul@pbarker.dev>
> Cc: Marko, Peter (FT D EU SK BFS1) <Peter.Marko@siemens.com>; openembedded-core@lists.openembedded.org; Jiaying Song <jiaying.song.cn@windriver.com>
> Subject: Re: [OE-core][whinlatter 04/11] python3-urllib3: patch
>
>
>
> Le mer. 7 janv. 2026 à 15:05, Paul Barker <paul@pbarker.dev<mailto:paul@pbarker.dev>> a écrit :
> On Wed, 2026-01-07 at 13:47 +0100, Yoann Congal wrote:
>>
>> Le 07/01/2026 à 13:32, Paul Barker a écrit :
>> > On Wed, 2026-01-07 at 12:19 +0000, Marko, Peter wrote:
>> > >
>> > > > -----Original Message-----
>> > > > From: Paul Barker <paul@pbarker.dev<mailto:paul@pbarker.dev>>
>> > > > Sent: Wednesday, January 7, 2026 12:49
>> > > > To: yoann.congal@smile.fr<mailto:yoann.congal@smile.fr>; openembedded-core@lists.openembedded.org<mailto:openembedded-core@lists.openembedded.org>;
>> > > > Marko, Peter (FT D EU SK BFS1) <Peter.Marko@siemens.com<mailto:Peter.Marko@siemens.com>>
>> > > > Subject: Re: [OE-core][whinlatter 04/11] python3-urllib3: patch
>> > > >
>> > > > On Wed, 2026-01-07 at 09:08 +0100, Yoann Congal via
>> > > > lists.openembedded.org<http://lists.openembedded.org> wrote:
>> > > > > From: Peter Marko <peter.marko@siemens.com<mailto:peter.marko@siemens.com>>
>> > > > >
>> > > > > Pick patch per [1].
>> > > > >
>> > > > > [1] https://nvd.nist.gov/vuln/detail/CVE-2025-66471
>> > > > >
>> > > > > Signed-off-by: Peter Marko <peter.marko@siemens.com<mailto:peter.marko@siemens.com>>
>> > > > > ---
>> > > > > .../python3-urllib3/CVE-2025-66471.patch | 930 ++++++++++++++++++
>> > > > > .../python/python3-urllib3_2.5.0.bb<http://python3-urllib3_2.5.0.bb> | 1 +
>> > > > > 2 files changed, 931 insertions(+)
>> > > > > create mode 100644 meta/recipes-devtools/python/python3-urllib3/CVE-2025-
>> > > > 66471.patch
>> > > >
>> > > > This seems like a very large patch for a CVE issue. The changelog entry
>> > > > in the patch also says that the API of urllib3.response.ContentDecoder
>> > > > is changed.
>> > > >
>> > > > We should look for a narrower fix, and only take this if there is no
>> > > > other option.
>> > >
>> > > I originally didn't want to patch this CVE due to this reason (and didn't patch it in kirkstone).
>> > > But since this has landed in scarthgap, I decided for the same in whinlatter for consistency.
>> > > Should we revert it from scartghap?
>> >
>> > I don't think we need to rush to a decision.
>>
>> On my side, I need to do the whinlatter 5.3.1 release build on Monday.
>> I propose to set this patch aside to not block the release and the other
>> patches.
>
> Agreed.
>
>> For scarthgap, we can revert the current fix and add the "proper" fix
>> when we have it. I'd rather avoid a patched->applicable transition on a CVE.
>
> We don't need to do this immediately, let's take a little time to think
> and see if others have any thoughts.
>
> Ubuntu seem to have applied the patch with post-fixes :
> https://git.launchpad.net/ubuntu/+source/python-urllib3/tree/debian/patches?h=ubuntu%2Fnoble-security
> CVE-2025-66471.patch # the upstream patch
> CVE-2025-66471-post1.patch # Remove brotli version warning
> CVE-2025-66471-fix1.patch # Revert fix for zstd
> CVE-2025-66471-fix2.patch # Fix zstandard using unknown attribute
>
> but also, has deem the fix too intrusive for most maintained releases: https://ubuntu.com/security/CVE-2025-66471#status
>
> Debian has not patched: https://security-tracker.debian.org/tracker/CVE-2025-66471
> Intrusive to backport; requires update for src:brotli for effective fix
> The fix requires an updated src:brotli >= 1.2.0 for the fix to be effective,
> which adds the optional output_buffer_limit option to avoid these attacks.
>
> --
> Yoann Congal
> Smile ECS
--
Yoann Congal
Smile ECS
next prev parent reply other threads:[~2026-03-04 15:15 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-07 8:08 [OE-core][whinlatter 00/11] Patch review Yoann Congal
2026-01-07 8:08 ` [OE-core][whinlatter 01/11] dropbear: patch CVE-2019-6111 Yoann Congal
2026-01-07 8:08 ` [OE-core][whinlatter 02/11] sqlite3: mark CVE-2025-29087 as patched Yoann Congal
2026-01-07 8:08 ` [OE-core][whinlatter 03/11] python3-urllib3: patch CVE-2025-66418 Yoann Congal
2026-01-07 8:08 ` [OE-core][whinlatter 04/11] python3-urllib3: patch CVE-2025-66471 Yoann Congal
2026-01-07 11:48 ` Paul Barker
2026-01-07 12:19 ` [OE-core][whinlatter 04/11] python3-urllib3: patch Marko, Peter
2026-01-07 12:32 ` Paul Barker
2026-01-07 12:47 ` Yoann Congal
2026-01-07 14:05 ` Paul Barker
2026-01-30 10:33 ` Yoann Congal
2026-03-04 11:10 ` Marko, Peter
2026-03-04 15:15 ` Yoann Congal [this message]
2026-03-05 9:39 ` Paul Barker
2026-03-05 10:30 ` Yoann Congal
2026-01-07 8:08 ` [OE-core][whinlatter 05/11] python3: upgrade 3.13.9 -> 3.13.11 Yoann Congal
2026-01-07 8:08 ` [OE-core][whinlatter 06/11] libarchive: upgrade 3.8.3 -> 3.8.4 Yoann Congal
2026-01-07 8:08 ` [OE-core][whinlatter 07/11] glib-2.0: upgrade 2.86.1 -> 2.86.3 Yoann Congal
2026-01-07 8:08 ` [OE-core][whinlatter 08/11] libpng: upgrade 1.6.51 -> 1.6.52 Yoann Congal
2026-01-07 8:08 ` [OE-core][whinlatter 09/11] libpcap: upgrade 1.10.5 -> 1.10.6 Yoann Congal
2026-01-07 8:08 ` [OE-core][whinlatter 10/11] Revert "populate_sdk_ext: keep SDK_TARGETS so SPDX/SBOM tasks remain in locked sigs" Yoann Congal
2026-01-07 8:09 ` [OE-core][whinlatter 11/11] Revert "create-spdx-image-3.0: Image SPDX/SBOM tasks are retained for eSDK installation" Yoann Congal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DGU3HPLPGFES.23M3LOS6Y7S4H@smile.fr \
--to=yoann.congal@smile.fr \
--cc=Peter.Marko@siemens.com \
--cc=jiaying.song.cn@windriver.com \
--cc=openembedded-core@lists.openembedded.org \
--cc=paul@pbarker.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox