To: ['Tim Orling <tim.orling@konsulko.com>']
To: openembedded-core@lists.openembedded.org
Subject: [AUH] python3-requests: upgrading to 2.33.1 SUCCEEDED
Attachments: /srv/pokybuild/yocto-worker/auh/build/build/upgrade-helper/20260501050056/all/python3-requests/buildhistory-diff.txt /srv/pokybuild/yocto-worker/auh/build/build/upgrade-helper/20260501050056/all/python3-requests/bitbake-output-qemuarm_musl.txt /srv/pokybuild/yocto-worker/auh/build/build/upgrade-helper/20260501050056/all/python3-requests/0001-python3-requests-upgrade-2.32.5-2.33.1.patch /srv/pokybuild/yocto-worker/auh/build/build/upgrade-helper/20260501050056/all/python3-requests/buildhistory-diff-full.txt

Hello,

this email is a notification from the Auto Upgrade Helper
that the automatic attempt to upgrade the recipe(s) *python3-requests* to *2.33.1* has Succeeded.

Next steps:
    - apply the patch: git am 0001-python3-requests-upgrade-2.32.5-2.33.1.patch
    - check the changes to upstream patches and summarize them in the commit message,
    - compile an image that contains the package
    - perform some basic sanity tests
    - amend the patch and sign it off: git commit -s --reset-author --amend
    - send it to the appropriate mailing list

Alternatively, if you believe the recipe should not be upgraded at this time,
you can fill RECIPE_NO_UPDATE_REASON in respective recipe file so that
automatic upgrades would no longer be attempted.

Please review the attached files for further information and build/update failures.
Any problem please file a bug at https://bugzilla.yoctoproject.org/enter_bug.cgi?product=Automated%20Update%20Handler

Regards,
The Upgrade Helper

-- >8 --
From 7efe3e68368571b3025f2d2bb2e99fc01195c9ab Mon Sep 17 00:00:00 2001
From: Upgrade Helper <auh@yoctoproject.org>
Date: Fri, 1 May 2026 09:15:03 +0000
Subject: [PATCH] python3-requests: upgrade 2.32.5 -> 2.33.1

---
 .../python3-requests/CVE-2026-25645.patch     | 46 -------------------
 ...s_2.32.5.bb => python3-requests_2.33.1.bb} |  5 +-
 2 files changed, 2 insertions(+), 49 deletions(-)
 delete mode 100644 meta/recipes-devtools/python/python3-requests/CVE-2026-25645.patch
 rename meta/recipes-devtools/python/{python3-requests_2.32.5.bb => python3-requests_2.33.1.bb} (82%)

diff --git a/meta/recipes-devtools/python/python3-requests/CVE-2026-25645.patch b/meta/recipes-devtools/python/python3-requests/CVE-2026-25645.patch
deleted file mode 100644
index 3bebba6572..0000000000
--- a/meta/recipes-devtools/python/python3-requests/CVE-2026-25645.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 66d21cb07bd6255b1280291c4fafb71803cdb3b7 Mon Sep 17 00:00:00 2001
-From: Nate Prewitt <nate.prewitt@gmail.com>
-Date: Wed, 25 Mar 2026 08:57:56 -0600
-Subject: [PATCH] Merge commit from fork
-
-Prior to version 2.33.0, the `requests.utils.extract_zipped_paths()` utility function
-uses a predictable filename when extracting files from zip archives into the system
-temporary directory. If the target file already exists, it is reused without validation.
-A local attacker with write access to the temp directory could pre-create a malicious
-file that would be loaded in place of the legitimate one. Standard usage of the Requests
-library is not affected by this vulnerability. Only applications that call
-`extract_zipped_paths()` directly are impacted. Starting in version 2.33.0, the library
-extracts files to a non-deterministic location. If developers are unable to upgrade,
-they can set `TMPDIR` in their environment to a directory with restricted write access.
-
-CVE: CVE-2026-25645
-Upstream-Status: Backport [https://github.com/psf/requests/commit/66d21cb07bd6255b1280291c4fafb71803cdb3b7]
-Signed-off-by: Ross Burton <ross.burton@arm.com>
----
- src/requests/utils.py | 13 +++++++------
- 1 file changed, 7 insertions(+), 6 deletions(-)
-
-diff --git a/src/requests/utils.py b/src/requests/utils.py
-index d8803e6e91..54959bb8ab 100644
---- a/src/requests/utils.py
-+++ b/src/requests/utils.py
-@@ -282,12 +282,13 @@ def extract_zipped_paths(path):
-         return path
- 
-     # we have a valid zip archive and a valid member of that archive
--    tmp = tempfile.gettempdir()
--    extracted_path = os.path.join(tmp, member.split("/")[-1])
--    if not os.path.exists(extracted_path):
--        # use read + write to avoid the creating nested folders, we only want the file, avoids mkdir racing condition
--        with atomic_open(extracted_path) as file_handler:
--            file_handler.write(zip_file.read(member))
-+    suffix = os.path.splitext(member.split("/")[-1])[-1]
-+    fd, extracted_path = tempfile.mkstemp(suffix=suffix)
-+    try:
-+        os.write(fd, zip_file.read(member))
-+    finally:
-+        os.close(fd)
-+
-     return extracted_path
- 
- 
diff --git a/meta/recipes-devtools/python/python3-requests_2.32.5.bb b/meta/recipes-devtools/python/python3-requests_2.33.1.bb
similarity index 82%
rename from meta/recipes-devtools/python/python3-requests_2.32.5.bb
rename to meta/recipes-devtools/python/python3-requests_2.33.1.bb
index 3477a5d83e..f9c1f1f8ee 100644
--- a/meta/recipes-devtools/python/python3-requests_2.32.5.bb
+++ b/meta/recipes-devtools/python/python3-requests_2.33.1.bb
@@ -5,10 +5,9 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=34400b68072d710fecd0a2940a0d1658"
 
 inherit pypi python_setuptools_build_meta
 
-SRC_URI[sha256sum] = "dbba0bac56e100853db0ea71b82b4dfd5fe2bf6d3754a8893c3af500cec7d7cf"
+SRC_URI[sha256sum] = "18817f8c57c6263968bc123d237e3b8b08ac046f5456bd1e307ee8f4250d3517"
 
-SRC_URI += "file://CVE-2026-25645.patch"
-SRC_URI:append:class-nativesdk = " file://environment.d-python3-requests.sh"
+SRC_URI += "file://environment.d-python3-requests.sh"
 
 do_install:append:class-nativesdk() {
 	mkdir -p ${D}${SDKPATHNATIVE}/environment-setup.d
-- 
2.47.1


