> -----Original Message-----
> From: Yoann Congal <[email protected]>
> Sent: Thursday, March 5, 2026 21:28
> To: Marko, Peter (FT D EU SK BFS1) <[email protected]>; [email protected]
> Subject: Re: [OE-core][whinlatter][PATCH v2] python3-urllib3: patch CVE-2025-66471
>
> On Thu Mar 5, 2026 at 3:11 PM CET, Peter Marko via lists.openembedded.org wrote:
> > From: Peter Marko <[email protected]>
> >
> > Pick patch per [1].
> >
> > [1] https://nvd.nist.gov/vuln/detail/CVE-2025-66471
> >
> > Signed-off-by: Peter Marko <[email protected]>
> > ---
> > v2: rebased on top of additional CVE patches
>
> It looks like this v2 does not apply:
> https://autobuilder.yoctoproject.org/valkyrie/#/builders/59/builds/3304/steps/12/logs/stdio
> ERROR: python3-urllib3-native-2.5.0-r0 do_patch: Applying patch 'CVE-2025-66471.patch' on target directory '/srv/pokybuild/yocto-worker/qemux86-world/build/build/tmp/work/x86_64-linux/python3-urllib3-native/2.5.0/sources/urllib3-2.5.0'
> CmdError('quilt --quiltrc /srv/pokybuild/yocto-worker/qemux86-world/build/build/tmp/work/x86_64-linux/python3-urllib3-native/2.5.0/recipe-sysroot-native/etc/quiltrc push', 0, 'stdout: Applying patch CVE-2025-66471.patch
> patching file CHANGES.rst
> patch: **** malformed patch at line 104:
> Patch CVE-2025-66471.patch does not apply (enforce with -f)
> stderr: ')
> NOTE: recipe lib32-avahi-0.8-r0: task do_packagedata_setscene: Started
> ERROR: python3-urllib3-2.5.0-r0 do_patch: Applying patch 'CVE-2025-66471.patch' on target directory '/srv/pokybuild/yocto-worker/qemux86-world/build/build/tmp/work/x86-64-v3-poky-linux/python3-urllib3/2.5.0/sources/urllib3-2.5.0'
> CmdError('quilt --quiltrc /srv/pokybuild/yocto-worker/qemux86-world/build/build/tmp/work/x86-64-v3-poky-linux/python3-urllib3/2.5.0/recipe-sysroot-native/etc/quiltrc push', 0, 'stdout: Applying patch CVE-2025-66471.patch
> patching file CHANGES.rst
> patch: **** malformed patch at line 104:
> Patch CVE-2025-66471.patch does not apply (enforce with -f)
> stderr: ')
>
> I could reproduce that locally as well.
>
> >
> > .../python3-urllib3/CVE-2025-66471.patch | 927 ++++++++++++++++++
> > .../python/python3-urllib3_2.5.0.bb | 1 +
> > 2 files changed, 928 insertions(+)
> > create mode 100644 meta/recipes-devtools/python/python3-urllib3/CVE-2025-66471.patch
> > > > diff --git > > a/meta/recipes-devtools/python/python3-urllib3/CVE-2025-66471.patch > b/meta/recipes-devtools/python/python3-urllib3/CVE-2025-66471.patch > > new file mode 100644 > > index 0000000000..de2f2c09e8 > > --- /dev/null > > +++ b/meta/recipes-devtools/python/python3-urllib3/CVE-2025-66471.patch > > [...] > > + > > diff --git a/meta/recipes-devtools/python/python3-urllib3_2.5.0.bb > b/meta/recipes-devtools/python/python3-urllib3_2.5.0.bb > > index 7892fc0874..e277a192e5 100644 > > --- a/meta/recipes-devtools/python/python3-urllib3_2.5.0.bb > > +++ b/meta/recipes-devtools/python/python3-urllib3_2.5.0.bb > > @@ -10,6 +10,7 @@ inherit pypi python_hatchling > > SRC_URI += "\ > > file://CVE-2025-66418.patch \ > > > file://CVE-2026-21441.patch \ > > + file://CVE-2025-66471.patch \ > > There is a conflict between CVE-2026-21441.patch and > CVE-2025-66471.patch on the CHANGES file but I do not understand why > this returns a syntax error/malformed patch instead of a conflict. > > Can you check please?
Looks like forgotten "git commit --amend" after "git add".
V3 is out.
Sorry for this mess.

Peter

>
> Thanks!
>
> > "
> >
> > DEPENDS += "python3-hatch-vcs-native"
> >
> --
> Yoann Congal
> Smile ECS
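
Review bot: In the SRC_URI hunk of python3-urllib3_2.5.0.bb, the new `file://CVE-2025-66471.patch \` entry is listed after CVE-2026-21441.patch, so it is applied on top of that patch and has to be generated against a tree where the two earlier patches are already in place; the thread reports that both touch the CHANGES file. The 927-line patch body is elided here ("[...]") and cannot be checked from this message, so before resending, regenerate the patch file from the amended commit and run do_patch for both python3-urllib3 and python3-urllib3-native, the two recipes that failed in the quoted log.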
