From patchwork Tue Jan 27 15:39:57 2026
From: adarsh.jagadish.kamini@est.tech
To: openembedded-core@lists.openembedded.org
CC: Adarsh Jagadish Kamini
Subject: [PATCH v2] Backport fix for CVE-2026-21441 Python3 urllib3
Date: Tue, 27 Jan 2026 16:39:57 +0100
Message-ID: <20260127154003.96816-1-adarsh.jagadish.kamini@est.tech>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/230083

From: Adarsh Jagadish Kamini

Include the patch linked in the NVD report: https://nvd.nist.gov/vuln/detail/CVE-2026-21441

Signed-off-by: Adarsh Jagadish Kamini
---
 .../python3-urllib3/CVE-2026-21441.patch | 105 ++++++++++++++++++
 .../python/python3-urllib3_2.2.2.bb | 1 +
 2 files changed, 106 insertions(+)
 create mode 100644 meta/recipes-devtools/python/python3-urllib3/CVE-2026-21441.patch

diff --git a/meta/recipes-devtools/python/python3-urllib3/CVE-2026-21441.patch b/meta/recipes-devtools/python/python3-urllib3/CVE-2026-21441.patch
new file mode 100644
index 0000000000..16af67af31
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-urllib3/CVE-2026-21441.patch
@@ -0,0 +1,105 @@ +From 686d2bdd4affd3c86e605f54a72afe53c920f72f Mon Sep 17 00:00:00 2001 +From: Illia Volochii +Date: Wed, 7 Jan 2026 18:07:30 +0200 +Subject: [PATCH] Backport fix CVE-2026-21441 python urllib3 + +Original commit: 8864ac407bba8607950025e0979c4c69bc7abc7b +Original-author: Illia Volochii + +Bugfixes +-------- + +- Fixed a high-severity security issue where decompression-bomb safeguards of + the streaming API were bypassed when HTTP redirects were followed. + (`GHSA-38jv-5279-wg99 `__) + +* Stop decoding response content during redirects needlessly + +* Rename the new query parameter + +* Add a changelog entry + +Fixes CVE-2026-21441 +CVE: CVE-2026-21441 + +Upstream-Status: Backport [https://github.com/urllib3/urllib3/commit/8864ac407bba8607950025e0979c4c69bc7abc7b] + +Signed-off-by: Adarsh Jagadish Kamini +--- + dummyserver/app.py | 8 +++++++- + src/urllib3/response.py | 6 +++++- + test/with_dummyserver/test_connectionpool.py | 19 +++++++++++++++++++ + 3 files changed, 31 insertions(+), 2 deletions(-) + +diff --git a/dummyserver/app.py b/dummyserver/app.py +index 9fc9d1b7..c4978152 100644 +--- a/dummyserver/app.py ++++ b/dummyserver/app.py +@@ -233,10 +233,16 @@ async def redirect() -> ResponseReturnValue: + values = await request.values + target = values.get("target", "/") + status = values.get("status", "303 See Other") ++ compressed = values.get("compressed") == "true" + status_code = status.split(" ")[0] + + headers = [("Location", target)] +- return await make_response("", status_code, headers) ++ if compressed: ++ headers.append(("Content-Encoding", "gzip")) ++ data = gzip.compress(b"foo") ++ else: ++ data = b"" ++ return await make_response(data, status_code, headers) + + + @hypercorn_app.route("/redirect_after") +diff --git a/src/urllib3/response.py b/src/urllib3/response.py +index a0273d65..909da62b 100644 +--- a/src/urllib3/response.py ++++ b/src/urllib3/response.py +@@ -646,7 +646,11 @@ class HTTPResponse(BaseHTTPResponse): + Unread data 
in the HTTPResponse connection blocks the connection from being released back to the pool. + """ + try: +- self.read() ++ self.read( ++ # Do not spend resources decoding the content unless ++ # decoding has already been initiated. ++ decode_content=self._has_decoded_content, ++ ) + except (HTTPError, OSError, BaseSSLError, HTTPException): + pass + +diff --git a/test/with_dummyserver/test_connectionpool.py b/test/with_dummyserver/test_connectionpool.py +index 4fbe6a4f..ebcdf9bf 100644 +--- a/test/with_dummyserver/test_connectionpool.py ++++ b/test/with_dummyserver/test_connectionpool.py +@@ -480,6 +480,25 @@ class TestConnectionPool(HypercornDummyServerTestCase): + assert r.status == 200 + assert r.data == b"Dummy server!" + ++ @mock.patch("urllib3.response.GzipDecoder.decompress") ++ def test_no_decoding_with_redirect_when_preload_disabled( ++ self, gzip_decompress: mock.MagicMock ++ ) -> None: ++ """ ++ Test that urllib3 does not attempt to decode a gzipped redirect ++ response when `preload_content` is set to `False`. ++ """ ++ with HTTPConnectionPool(self.host, self.port) as pool: ++ # Three requests are expected: two redirects and one final / 200 OK. ++ response = pool.request( ++ "GET", ++ "/redirect", ++ fields={"target": "/redirect?compressed=true", "compressed": "true"}, ++ preload_content=False, ++ ) ++ assert response.status == 200 ++ gzip_decompress.assert_not_called() ++ + def test_303_redirect_makes_request_lose_body(self) -> None: + with HTTPConnectionPool(self.host, self.port) as pool: + response = pool.request( +-- +2.44.0 + diff --git a/meta/recipes-devtools/python/python3-urllib3_2.2.2.bb b/meta/recipes-devtools/python/python3-urllib3_2.2.2.bb index 620927322a..f6ac8f89ca 100644 --- a/meta/recipes-devtools/python/python3-urllib3_2.2.2.bb +++ b/meta/recipes-devtools/python/python3-urllib3_2.2.2.bb 
@@ -11,6 +11,7 @@ SRC_URI += " \ file://CVE-2025-50181.patch \ file://CVE-2025-66418.patch \ file://CVE-2025-66471.patch \ + file://CVE-2026-21441.patch \ " RDEPENDS:${PN} += "\