Mirror of git.openembedded.org/meta-openembedded https://git.enea.com/cgit/linux/meta-openembedded.git/atom?h=honister 2022-04-07T23:42:55+00:00 2022-04-07T23:42:55+00:00 Trevor Gamblin trevor.gamblin@windriver.com 2022-03-29T13:43:48+00:00 urn:sha1:1d0d23978a7602fe7483c0f449324c95c6cd1611 Release notes (https://github.com/lxml/lxml/blob/master/CHANGES.txt): 4.6.5 (2021-12-12) ================== Bugs fixed ---------- * A vulnerability (GHSL-2021-1038) in the HTML cleaner allowed sneaking script content through SVG images (CVE-2021-43818). * A vulnerability (GHSL-2021-1037) in the HTML cleaner allowed sneaking script content through CSS imports and other crafted constructs (CVE-2021-43818). 4.6.4 (2021-11-01) ================== Features added -------------- * GH#317: A new property ``system_url`` was added to DTD entities. Patch by Thirdegree. * GH#314: The ``STATIC_*`` variables in ``setup.py`` can now be passed via env vars. Patch by Isaac Jurado. Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> 2022-03-31T20:49:34+00:00 Trevor Gamblin trevor.gamblin@windriver.com 2022-03-23T16:16:46+00:00 urn:sha1:de18681d7dd27000c132bc68f9fa267e8f5a2348 The delta between 3.2.10 and 3.2.12 contains numerous CVE and other bugfixes. git log --online 3.2.10..3.2.12 shows: fdf209eab8 (tag: 3.2.12) [3.2.x] Bumped version for 3.2.12 release. d16133568e [3.2.x] Fixed CVE-2022-23833 -- Fixed DoS possiblity in file uploads. 1a1e8278c4 [3.2.x] Fixed CVE-2022-22818 -- Fixed possible XSS via {% debug %} template tag. a7e89fe776 [3.2.x] Added stub release notes for 3.2.12 and 2.2.27. 027f4c4ceb [3.2.x] Added CVE-2021-45115, CVE-2021-45116, and CVE-2021-45452 to security archive. 0a9a46a1d7 [3.2.x] Post-release version bump. 6e499a28ac (tag: 3.2.11) [3.2.x] Bumped version for 3.2.11 release. 8d2f7cff76 [3.2.x] Fixed CVE-2021-45452 -- Fixed potential path traversal in storage subsystem. c7fe895bca [3.2.x] Fixed CVE-2021-45116 -- Fixed potential information disclosure in dictsort template filter. a8b32fe13b [3.2.x] Fixed CVE-2021-45115 -- Prevented DoS vector in UserAttributeSimilarityValidator. b0aa0709a5 [3.2.x] Added stub release notes for 3.2.11, and 2.2.26 releases. ae242235db [3.2.x] Refs #33365, Refs #30530 -- Doc'd re_path() behavior change in Django 2.2.25, 3.1.14, and 3.2.10. ecd2793897 [3.2.x] Added CVE-2021-44420 to security archive. 1cea03ab00 [3.2.x] Post-release version bump. Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> 2022-03-31T20:49:34+00:00 Trevor Gamblin trevor.gamblin@windriver.com 2022-03-23T16:16:45+00:00 urn:sha1:af8cc48dc78a6860832ec2c879935afd83907b4f The delta between 2.2.24 and 2.2.27 contain numerous CVE and other bugfixes. git log --oneline 2.2.24..2.2.27 shows: e541f2d05b (tag: 2.2.27) [2.2.x] Bumped version for 2.2.27 release. c477b76180 [2.2.x] Fixed CVE-2022-23833 -- Fixed DoS possiblity in file uploads. c27a7eb9f4 [2.2.x] Fixed CVE-2022-22818 -- Fixed possible XSS via {% debug %} template tag. 4cafd3aacb [2.2.x] Added stub release notes 2.2.27. 77d0fe5868 [2.2.x] Added CVE-2021-45115, CVE-2021-45116, and CVE-2021-45452 to security archive. e085d46e4b [2.2.x] Post-release version bump. 44e7cca623 (tag: 2.2.26) 2.2.x] Bumped version for 2.2.26 release. 4cb35b384c [2.2.x] Fixed CVE-2021-45452 -- Fixed potential path traversal in storage subsystem. c9f648ccfa [2.2.x] Fixed CVE-2021-45116 -- Fixed potential information disclosure in dictsort template filter. 2135637fdd [2.2.x] Fixed CVE-2021-45115 -- Prevented DoS vector in UserAttributeSimilarityValidator. 03b733d8a8 [2.2.x] Added stub release notes for 2.2.26 release. b87820668e [2.2.x] Refs #33365, Refs #30530 -- Doc'd re_path() behavior change in Django 2.2.25, 3.1.14, and 3.2.10. 573e70ea48 [2.2.x] Added CVE-2021-44420 to security archive. 8439938602 [2.2.x] Post-release version bump. 79d8dcefb2 (tag: 2.2.25) [2.2.x] Bumped version for 2.2.25 release. 7cf7d74e8a [2.2.x] Fixed #30530, CVE-2021-44420 -- Fixed potential bypass of an upstream access control based on URL paths. 0007a5f9fa [2.2.x] Added requirements.txt to files ignored by Sphinx builds. fac0fdd95d [2.2.x] Added stub release notes for 2.2.25. 4bc10b7955 [2.2.x] Fixed crash building HTML docs since Sphinx 4.3. 5289fcfffe [2.2.x] Configured Read The Docs to build all formats. 9a4a2b2089 [2.2.x] Refs #33247 -- Corrected configuration for Read The Docs. 029c830b71 [2.2.x] Fixed #33247 -- Added configuration for Read The Docs. 12141e3116 [2.2.x] Refs #32856 -- Clarified that psycopg2 < 2.9 is required. cf63dd5c1b [2.2.x] Added 'formatter' to spelling wordlist. 05bc1c81aa [2.2.x] Fixed #33082 -- Fixed CommandTests.test_subparser_invalid_option on Python 3.9.7+. a9c0aa11e7 [2.2.x] Refs #31676 -- Updated technical board description in organization docs. 66008c2af0 [2.2.x] Refs #31676 -- Added Mergers and Releasers to organization docs. d4d1c2b3db [2.2.x] Refs #31676 -- Removed Core team from organization docs. 8f59f72a20 [2.2.x] Refs #31676 -- Removed Django Core-Mentorship mailing list references in docs. 837ffcfa68 [2.2.x] Refs #32856 -- Doc'd that psycopg2 < 2.9 is required. dc43667eab [2.2.x] Fixed docs header underlines in security archive. 3e7bb564be [2.2.x] Added CVE-2021-33203 and CVE-2021-33571 to security archive. 48bde7cab4 [2.2.x] Post-release version bump. Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> 2022-01-29T14:04:47+00:00 Khem Raj raj.khem@gmail.com 2021-11-03T13:22:14+00:00 urn:sha1:feab111e79eab2ed203e5affbc2b62b5aad03ef8 Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> 2021-12-28T20:49:25+00:00 Trevor Gamblin trevor.gamblin@windriver.com 2021-12-20T14:27:38+00:00 urn:sha1:7e8de0e57e663cd8121a8301ad7237c7b4713365 From the release notes page (https://docs.djangoproject.com/en/4.0/releases/3.2.10/): Django 3.2.10 fixes a security issue with severity “low” and a bug in 3.2.9. CVE-2021-44420: Potential bypass of an upstream access control based on URL paths HTTP requests for URLs with trailing newlines could bypass an upstream access control based on URL paths. Bugfixes Fixed a regression in Django 3.2 that caused a crash of setUpTestData() with BinaryField on PostgreSQL, which is memoryview-backed (#33333). Django 3.2.9 fixes a bug in 3.2.8 and adds compatibility with Python 3.10. Bugfixes Fixed a bug in Django 3.2 that caused a migration crash on SQLite when altering a field with a functional index (#33194). Django 3.2.8 fixes two bugs in 3.2.7. Bugfixes Fixed a bug in Django 3.2 that caused incorrect links on read-only fields in the admin (#33077). Fixed a regression in Django 3.2 that caused incorrect selection of items across all pages when actions were placed both on the top and bottom of the admin change-list view (#33083). Django 3.2.7 fixes a bug in 3.2.6. Bugfixes Fixed a regression in Django 3.2 that caused the incorrect offset extraction from fixed offset timezones (#32992). Django 3.2.6 fixes several bugs in 3.2.5. Bugfixes Fixed a regression in Django 3.2 that caused a crash validating "NaN" input with a forms.DecimalField when additional constraints, e.g. max_value, were specified (#32949). Fixed a bug in Django 3.2 where a system check would crash on a model with a reverse many-to-many relation inherited from a parent class (#32947). Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> (cherry picked from commit 446a503acf6854b3357571044f396e6815f6bd9e) Signed-off-by: Armin Kuster <akuster808@gmail.com> 2021-12-09T05:11:36+00:00 Ross Burton ross@burtonini.com 2021-11-18T16:11:38+00:00 urn:sha1:1a8108873029a3787dbcc42bcad3c7ada11eaa52 "BSD" is ambiguous, use the precise license BSD-3-Clause. Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> (cherry picked from commit 57647ea0d6b87a02bf812192ae39f2d81644b744) Signed-off-by: Armin Kuster <akuster808@gmail.com> 2021-12-09T05:11:14+00:00 Ross Burton ross@burtonini.com 2021-11-18T16:11:37+00:00 urn:sha1:8b5bfb2e008ec58a1d9354e6c16c20f0fce0b13b pip isn't needed to build, and adding the empty string to RDEPENDS is most certainly meaningless. Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> (cherry picked from commit 57ae325941d3a71eaeeca107ecef69d664a3f710) Signed-off-by: Armin Kuster <akuster808@gmail.com> 2021-12-09T05:10:23+00:00 Ross Burton ross@burtonini.com 2021-11-18T16:11:36+00:00 urn:sha1:2def8912aabde1433175e414ef18ef1a50eb02aa "BSD" is ambiguous, use the precise license BSD-3-Clause. Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> (cherry picked from commit 4b526f42ed8db2c45bdfa7d1ba0a37e444676e1f) Signed-off-by: Armin Kuster <akuster808@gmail.com> 2021-12-09T05:09:52+00:00 Ross Burton ross@burtonini.com 2021-11-18T16:11:35+00:00 urn:sha1:f9707f700ec6b7f2128ceebf3b9ffec844b4a15e "BSD" is ambiguous, use the precise license BSD-3-Clause. Also update the HOMEPAGE. Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> (cherry picked from commit 45e5b27db6f34cefeb4d66197161fbfa9ebd476a) Signed-off-by: Armin Kuster <akuster808@gmail.com> 2021-12-09T05:04:55+00:00 Ross Burton ross@burtonini.com 2021-11-18T16:11:34+00:00 urn:sha1:46026cd6ec5f8cac58e846e7e46d0635e4a52f06 gevent is MIT, and it embeds copies of Python which is Python-2.0. Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> (cherry picked from commit 91b516cc80ea9f46cdf94bd4ce6a168c240b5c58) Signed-off-by: Armin Kuster <akuster808@gmail.com>