On Wed, 2026-01-07 at 09:08 +0100, Yoann Congal via
lists.openembedded.org wrote:
> From: Peter Marko <peter.marko@siemens.com>
> 
> Pick patch per [1].
> 
> [1] https://nvd.nist.gov/vuln/detail/CVE-2025-66471
> 
> Signed-off-by: Peter Marko <peter.marko@siemens.com>
> ---
>  .../python3-urllib3/CVE-2025-66471.patch      | 930 ++++++++++++++++++
>  .../python/python3-urllib3_2.5.0.bb           |   1 +
>  2 files changed, 931 insertions(+)
>  create mode 100644 meta/recipes-devtools/python/python3-urllib3/CVE-2025-66471.patch

This seems like a very large patch for a CVE issue. The changelog entry
in the patch also says that the API of urllib3.response.ContentDecoder
is changed.

We should look for a narrower fix, and only take this if there is no
other option.

Thanks,

-- 
Paul Barker