Mirror of git.openembedded.org/meta-openembedded https://git.enea.com/cgit/linux/meta-openembedded.git/atom?h=scarthgap 2021-04-22T14:28:15+00:00 2021-04-22T14:28:15+00:00 Chen Qi Qi.Chen@windriver.com 2021-04-22T06:01:01+00:00 urn:sha1:eff7a55f492365e61ffabae4b9160885cba2afb4 2.2.x is LTS, so upgrade to latest release 2.2.20. This upgrade fixes several CVEs such as CVE-2021-3281. Also, CVE-2021-28658.patch is dropped as it's already in 2.2.20. Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> 2021-04-21T15:26:07+00:00 Stefan Ghinea stefan.ghinea@windriver.com 2021-04-16T15:24:17+00:00 urn:sha1:660e62b64531df16c616668747a68b9a62774fbf In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability. References: https://nvd.nist.gov/vuln/detail/CVE-2021-28658 Upstream patches: https://github.com/django/django/commit/4036d62bda0e9e9f6172943794b744a454ca49c2 Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> 2020-09-12T00:44:02+00:00 Trevor Gamblin trevor.gamblin@windriver.com 2020-09-11T14:10:09+00:00 urn:sha1:eb69aad33fc06f06544589ec483f9b76464f6c5f Summary of release notes from https://docs.djangoproject.com/en/2.2/releases/ 2.2.14 release notes: - Fixed messages of InvalidCacheKey exceptions and CacheKeyWarning warnings raised by cache key validation (#31654). 2.2.15 release notes: - Allowed setting the SameSite cookie flag in HttpResponse.delete_cookie() (#31790). - Fixed crash when sending emails to addresses with display names longer than 75 chars on Python 3.6.11+, 3.7.8+, and 3.8.4+ (#31784). 2.2.16 release notes: - Fixed CVE-2020-24583: Incorrect permissions on intermediate-level directories on Python 3.7+ - Fixed CVE-2020-24584: Permission escalation in intermediate-level directories of the file system cache on Python 3.7+ - Fixed a data loss possibility in the select_for_update(). When using related fields pointing to a proxy model in the of argument, the corresponding model was not locked (#31866). - Fixed a data loss possibility, following a regression in Django 2.0, when copying model instances with a cached fields value (#31863). Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>