<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/meta-openembedded.git/meta-python/recipes-devtools/python, branch stable/kirkstone-nut</title>
<subtitle>Mirror of git.openembedded.org/meta-openembedded</subtitle>
<id>https://git.enea.com/cgit/linux/meta-openembedded.git/atom?h=stable%2Fkirkstone-nut</id>
<link rel='self' href='https://git.enea.com/cgit/linux/meta-openembedded.git/atom?h=stable%2Fkirkstone-nut'/>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/'/>
<updated>2023-10-17T12:44:46+00:00</updated>
<entry>
<title>python3-gevent: fix CVE-2023-41419</title>
<updated>2023-10-17T12:44:46+00:00</updated>
<author>
<name>Narpat Mali</name>
<email>narpat.mali@windriver.com</email>
</author>
<published>2023-10-06T14:13:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=6432fee6d04bec8573f1afcc5a9301899d05ac0f'/>
<id>urn:sha1:6432fee6d04bec8573f1afcc5a9301899d05ac0f</id>
<content type='text'>
An issue in Gevent before version 23.9.1 allows a remote attacker
to escalate privileges via a crafted script to the WSGIServer component.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-41419
https://github.com/advisories/GHSA-x7m3-jprg-wc5g

Signed-off-by: Narpat Mali &lt;narpat.mali@windriver.com&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>python3-django: upgrade 4.2.3 -&gt; 4.2.5</title>
<updated>2023-09-27T14:23:28+00:00</updated>
<author>
<name>Narpat Mali</name>
<email>narpat.mali@windriver.com</email>
</author>
<published>2023-09-27T07:42:11+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=9c5541f7e18a1fac3b8dea71e1ebb8398d58e6ff'/>
<id>urn:sha1:9c5541f7e18a1fac3b8dea71e1ebb8398d58e6ff</id>
<content type='text'>
The delta between 4.2.3 and 4.2.5 contains the CVE-2023-41164 fix
and other bugfixes. git log --oneline 4.2.3..4.2.5 shows:

b8b2f74512 (tag: 4.2.5) [4.2.x] Bumped version for 4.2.5 release.
9c51b4dcfa [4.2.x] Fixed CVE-2023-41164 -- Fixed potential DoS in django.utils.encoding.uri_to_iri().
acfb427522 [4.2.x] Fixed #34803 -- Fixed queryset crash when filtering againts deeply nested OuterRef annotations.
55a0b9c32e [4.2.x] Added stub release notes and release date for 4.2.5, 4.1.11, and 3.2.21.
8e8c318449 [4.2.x] Avoided counting exceptions in AsyncClient docs.
dcb9d7a0e4 [4.2.x] Improved formset docs by using a set instead of a list in the custom validation example.
f55b420277 [4.2.x] Fixed #34781 -- Updated logging ref docs for django.server's request extra context value.
46b2b08e45 [4.2.x] Fixed #34779 -- Avoided unnecessary selection of non-nullable m2m fields without natural keys during serialization.
d34db6602e [4.2.x] Fixed #34773 -- Fixed syncing DEFAULT_FILE_STORAGE/STATICFILES_STORAGE settings with STORAGES.
a22aeef555 [4.2.x] Fixed #15799 -- Doc'd that Storage._open() should raise FileNotFoundError when file doesn't exist.
936afc2deb [4.2.x] Refs #34754 -- Added missing FullResultSet import.
3a1863319c [4.2.x] Fixed #34754 -- Fixed JSONField check constraints validation on NULL values.
951dcbb2e6 [4.2.x] Fixed #34756 -- Fixed docs HTML build on Sphinx 7.1+.
a750fd0d7f [4.2.x] Added stub release notes for 4.2.5.
a56c46642d [4.2.x] Post-release version bump.
6f4c7c124a (tag: 4.2.4) [4.2.x] Bumped version for 4.2.4 release.
e53d6239df [4.2.x] Added release date for 4.2.4.
8808d9da6b [4.2.x] Fixed #34750 -- Fixed QuerySet.count() when grouping by unused multi-valued annotations.
2ef2b2ffc0 [4.2.x] Corrected pycon formatting in some docs.
8db9a0b5a0 [4.2.x] Fixed warnings per flake8 6.1.0.
739da73164 [4.2.x] Fixed #34748 -- Fixed queryset crash when grouping by a reference in a subquery.
a52a2b6678 [4.2.x] Fixed #34749 -- Corrected QuerySet.acreate() signature in docs.
12ebd9a1ac [4.2.x] Refs #34712 -- Doc'd that defining STORAGES overrides the default configuration.
1f9d00ef9f [4.2.x] Added missing backticks in docs.
c99d935600 [4.2.x] Fixed typo in docs/ref/models/querysets.txt.
da92a971a0 [4.2.x] Refs #30052 -- Clarified that defer() and only() do not work with aggregated fields.
7a67b065d7 [4.2.x] Fixed #34717 -- Fixed QuerySet.aggregate() crash when referencing window functions.
c646412a75 Added reference to TypedChoiceField in ChoiceField docs.
f474ba4cb5 [4.2.x] Fixed #34309 -- Doc'd how to fully delete an app.
e54f711d42 [4.2.x] Fixed #33405, Refs #7177 -- Clarified docs for filter escapejs regarding safe and unsafe usages.
047844270b [4.2.x] Added stub release notes for 4.2.4.

Release Notes: https://docs.djangoproject.com/en/dev/releases/4.2.5/

Signed-off-by: Narpat Mali &lt;narpat.mali@windriver.com&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>python3-django: upgrade 3.2.20 -&gt; 3.2.21</title>
<updated>2023-09-27T14:23:24+00:00</updated>
<author>
<name>Narpat Mali</name>
<email>narpat.mali@windriver.com</email>
</author>
<published>2023-09-26T14:29:43+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=9842ff64127d4d1877035470c0abdae1b22960ed'/>
<id>urn:sha1:9842ff64127d4d1877035470c0abdae1b22960ed</id>
<content type='text'>
The delta between 3.2.20 and 3.2.21 contains the CVE-2023-41164 fix
and other bugfixes. git log --oneline 3.2.20..3.2.21 shows:

fd0ccd7fb3 (tag: 3.2.21) [3.2.x] Bumped version for 3.2.21 release.
6f030b1149 [3.2.x] Fixed CVE-2023-41164 -- Fixed potential DoS in django.utils.encoding.uri_to_iri().
73350a6369 [3.2.x] Added stub release notes for 3.2.21.
75418f8c0e [3.2.x] Fixed #34756 -- Fixed docs HTML build on Sphinx 7.1+.
848fe70f3e [3.2.x] Added CVE-2023-36053 to security archive.
4012a87a58 [3.2.x] Post-release version bump.

Release Notes: https://docs.djangoproject.com/en/dev/releases/3.2.21/

Signed-off-by: Narpat Mali &lt;narpat.mali@windriver.com&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>python3-django: fix CVE-2023-41164</title>
<updated>2023-09-27T14:23:14+00:00</updated>
<author>
<name>Narpat Mali</name>
<email>narpat.mali@windriver.com</email>
</author>
<published>2023-09-26T11:24:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=ab9a31fabcb959129798644cdac61e4606daf75c'/>
<id>urn:sha1:ab9a31fabcb959129798644cdac61e4606daf75c</id>
<content type='text'>
In Django 3.2 before 3.2.21, 4 before 4.1.11, and 4.2 before 4.2.5,
``django.utils.encoding.uri_to_iri()`` was subject to potential denial
of service attack via certain inputs with a very large number of Unicode
characters.

Since there is no ptest available for python3-django, the patch changes
have not been tested at runtime.

References:
https://security-tracker.debian.org/tracker/CVE-2023-41164
https://www.djangoproject.com/weblog/2023/sep/04/security-releases/

Signed-off-by: Narpat Mali &lt;narpat.mali@windriver.com&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>python3-aiohttp: upgrade 3.8.1 -&gt; 3.8.5</title>
<updated>2023-08-30T17:41:52+00:00</updated>
<author>
<name>Narpat Mali</name>
<email>narpat.mali@windriver.com</email>
</author>
<published>2023-08-21T11:34:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=ea23e7f0c0f8c5cf911a0bda1a6d6fe833d1a6fb'/>
<id>urn:sha1:ea23e7f0c0f8c5cf911a0bda1a6d6fe833d1a6fb</id>
<content type='text'>
The delta between 3.8.1 &amp; 3.8.5 contains the CVE-2023-37276 fix and other bugfixes.
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-45c4-8wx5-qw6w

Changelog:
https://docs.aiohttp.org/en/stable/changes.html

- Increased the upper boundary of the multidict dependency to allow for the version 6
- License-Update: Update copyright year from 2020 to 2022
- Fixed incorrectly overwriting cookies with the same name and domain, but different path
- Fixed ConnectionResetError not being raised after client disconnection in SSL environments
- Upgraded the vendored copy of llhttp_ to v8.1.1
- Added information to C parser exceptions to show which character caused the error
- Fixed a transport is :data:None error

Upstream master patches:
3.8.1 -&gt; 3.8.3 : https://git.openembedded.org/meta-openembedded/commit/?id=c0d2a5bcc87ee8564a5b9be35f3e2b930e384a59
3.8.3 -&gt; 3.8.4 : https://git.openembedded.org/meta-openembedded/commit/?id=1fc465466cd138e1fcc87de18e84f88e2c5f1b4f
3.8.4 -&gt; 3.8.5 : https://git.openembedded.org/meta-openembedded/commit/?id=ba5d26d1d8b30d71cb648f95b6431c16134e82e9

Signed-off-by: Narpat Mali &lt;narpat.mali@windriver.com&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>python3-kivy: Require X11 or Wayland in DISTRO_FEATURES</title>
<updated>2023-08-30T17:41:52+00:00</updated>
<author>
<name>Marine Vovard</name>
<email>M.Vovard@phytec.de</email>
</author>
<published>2023-08-21T07:57:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=2e9f76eb41e4d9053405f01092d23999848137f0'/>
<id>urn:sha1:2e9f76eb41e4d9053405f01092d23999848137f0</id>
<content type='text'>
At least one of the following DISTRO_FEATURES needs to be present: X11
or Wayland. The recipe now works with pure Wayland.

Signed-off-by: Marine Vovard &lt;m.vovard@phytec.de&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>python3-django: fix CVE-2023-36053</title>
<updated>2023-08-25T14:45:34+00:00</updated>
<author>
<name>Narpat Mali</name>
<email>narpat.mali@windriver.com</email>
</author>
<published>2023-07-28T08:13:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=ac60beb44f62181ce48134bac61d89b7c0f4476f'/>
<id>urn:sha1:ac60beb44f62181ce48134bac61d89b7c0f4476f</id>
<content type='text'>
In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3,
EmailValidator and URLValidator are subject to a potential ReDoS
(regular expression denial of service) attack via a very large
number of domain name labels of emails and URLs.

Since there is no ptest available for python3-django, the patch changes
have not been tested at runtime.

References:
https://github.com/advisories/GHSA-jh3w-4vvf-mjgr
https://github.com/django/django/commit/454f2fb93437f98917283336201b4048293f7582

Signed-off-by: Narpat Mali &lt;narpat.mali@windriver.com&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>python3-can: Add missing runtime dependencies</title>
<updated>2023-08-11T14:30:50+00:00</updated>
<author>
<name>Frieder Schrempf</name>
<email>frieder.schrempf@kontron.de</email>
</author>
<published>2023-08-10T12:47:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=3e80d586ef0cff70a1db1a839cbd6a7f10f8a724'/>
<id>urn:sha1:3e80d586ef0cff70a1db1a839cbd6a7f10f8a724</id>
<content type='text'>
According to the setup.py of v4.0.0 [1] the following runtime
dependencies are currently missing. Add them.

* packaging
* setuptools
* typing_extensions

While at it, also reorder the list alphabetically.

[1] https://github.com/hardbyte/python-can/blob/4.0.0/setup.py

Signed-off-by: Frieder Schrempf &lt;frieder.schrempf@kontron.de&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>python3-django: upgrade 4.2.1 -&gt; 4.2.3</title>
<updated>2023-08-03T20:47:53+00:00</updated>
<author>
<name>Narpat Mali</name>
<email>narpat.mali@windriver.com</email>
</author>
<published>2023-07-28T14:48:34+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=5cb27408e13d9d61f4da37adf733ddfa6eaefc5b'/>
<id>urn:sha1:5cb27408e13d9d61f4da37adf733ddfa6eaefc5b</id>
<content type='text'>
The delta between 4.2.1 and 4.2.3 contains the CVE-2023-36053 fix
and other bugfixes. git log --oneline 4.2.1..4.2.3 shows:

1651351386 (tag: 4.2.3) [4.2.x] Bumped version for 4.2.3 release.
b7c5feb35a [4.2.x] Fixed CVE-2023-36053 -- Prevented potential ReDoS in EmailValidator and URLValidator.
1ea11365f6 [4.2.x] Fixed typo in docs/intro/tutorial08.txt.
7b45fe01ab [4.2.x] Added dedicated section for output_field in query expressions docs.
67fe092a85 [4.2.x] Fixed typo in docs/ref/models/querysets.txt.
9ab56e64de [4.2.x] Added stub release notes and release date for 4.2.3, 4.1.10, and 3.2.20.
a18e0f44d5 [4.2.x] Corrected admin.E013 check message in docs.
fabd0510a0 [4.2.x] Fixed typo in docs/topics/db/fixtures.txt.
4b433ef236 [4.2.x] Refs #30220 -- Bumped required version of Selenium to 3.8.0.
9e9a286bed [4.2.x] Fixed #34638 -- Fixed admin change list selected row highlight on editable boolean fields.
31d1fc36b3 [4.2.x] Fixed #34645 -- Restored alignment for admin date/time timezone warnings.
eb84c068ed [4.2.x] Fixed #30355 -- Doc'd interaction between custom managers and prefetch_related().
b2355a8df3 [4.2.x] Added stub release notes for 4.2.3.
10de214055 [4.2.x] Post-release version bump.
6218ed3454 (tag: 4.2.2) [4.2.x] Bumped version for 4.2.2 release.
e84d38ab36 [4.2.x] Added release date for 4.2.2.
87a4cd559b [4.2.x] Fixed #34620 -- Fixed serialization crash on m2m fields without natural keys when base querysets use select_related().
66d9fa4371 [4.2.x] Refs #23528 -- Made cosmetic edits to swappable_dependency() docs.
92ad551afd [4.2.x] Fixed #23528 -- Doc'd django.db.migrations.swappable_dependency().
738386470d [4.2.x] Fixed #34612 -- Fixed QuerySet.only() crash on reverse relationships.
dae052d823 [4.2.x] Fixed #34595 -- Doc'd that format_string arg of format_html() is not escaped.
dca5f5d58a [4.2.x] Fixed #34600 -- Removed references to bleach in docs.
25bd9faf32 [4.2.x] Fixed #34574 -- Noted unexpected outcomes in autoescape/escape docs.
91f8df5c2e [4.2.x] Fixed #34590 -- Reverted "Refs #33308 -- Improved adapting DecimalField values to decimal."
a44e974412 [4.2.x] Corrected documentation of Log database function.
bf5249fc8e [4.2.x] Refs #34118 -- Fixed FunctionalTests.test_cached_property_reuse_different_names() on Python 3.12+.
c78a4421de [4.2.x] Fixed #34551 -- Fixed QuerySet.aggregate() crash when referencing subqueries.
57f499e412 [4.2.x] Refs #34551 -- Fixed QuerySet.aggregate() crash on precending aggregation reference.
b4563cdd23 [4.2.x] Fixed #34579 -- Added Django Forum to contributing guides.
37ba4c3a94 [4.2.x] Fixed references to django.core.cache in docs.
6b76481fb9 [4.2.x] Fixed #34588 -- Removed usage of nonexistent stylesheet in the 'Congrats' page.
e1c00f8b36 [4.2.x] Fixed #34580 -- Avoided unnecessary computation of selected expressions in SQLCompiler.
cdd970ae22 [4.2.x] Fixed #34568 -- Made makemigrations --update respect --name option.
2b5c5e54de [4.2.x] Updated broken links in docs.
201d29b371 [4.2.x] Fixed #34570 -- Silenced noop deferral of many-to-many and GFK.
9c301814b0 [4.2.x] Fixed #34539 -- Restored get_prep_value() call when adapting JSONFields.
ddccecee91 [4.2.x] Fixed #34556 -- Doc'd that StreamingHttpResponse accepts memoryviews and strings iterators.
dbe263751c [4.2.x] Clarified database connections lifetime outside HTTP requests.
e50fe33e13 [4.2.x] Made explicit the location of locally-built HTML docs.
e0d8981139 [4.2.x] Fixed #34544 -- Avoided DBMS_LOB.SUBSTR() wrapping with IS NULL condition on Oracle.
dc3b8190ed [4.2.x] Fixed #34545 -- Corrected the number of months in installation FAQ.
bcf66f1355 [4.2.x] Corrected code-block directive in docs/ref/templates/builtins.txt.
4eaed191b6 [4.2.x] Corrected code-block directives in docs.
9ec1ff7879 [4.2.x] Fixed MultipleFileFieldTest.test_file_multiple_validation() test if Pillow isn't installed.
2756c69601 [4.2.x] Added CVE-2023-31047 to security archive.
110919987b [4.2.x] Added stub release notes for 4.2.2.
00152276e9 [4.2.x] Post-release version bump.

Release Notes: https://docs.djangoproject.com/en/dev/releases/4.2.3/

Signed-off-by: Narpat Mali &lt;narpat.mali@windriver.com&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>python3-django: upgrade 3.2.19 -&gt; 3.2.20</title>
<updated>2023-08-03T20:47:53+00:00</updated>
<author>
<name>Narpat Mali</name>
<email>narpat.mali@windriver.com</email>
</author>
<published>2023-07-28T12:13:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=b3f7a2c118cfd8e8f6910794ca1cf5103b6fbbdd'/>
<id>urn:sha1:b3f7a2c118cfd8e8f6910794ca1cf5103b6fbbdd</id>
<content type='text'>
The delta between 3.2.19 and 3.2.20 contains the CVE-2023-36053 fix
and other bugfixes. git log --oneline 3.2.19..3.2.20 shows:

19bc11f636 (tag: 3.2.20) [3.2.x] Bumped version for 3.2.20 release.
454f2fb934 [3.2.x] Fixed CVE-2023-36053 -- Prevented potential ReDoS in EmailValidator and URLValidator.
07cc014cb3 [3.2.x] Added stub release notes for 3.2.20.
e1bbbbe6ac [3.2.x] Fixed MultipleFileFieldTest.test_file_multiple_validation() test if Pillow isn't installed.
47ef12e69c [3.2.x] Added CVE-2023-31047 to security archive.
15f90ebff3 [3.2.x] Post-release version bump.

Release Notes: https://docs.djangoproject.com/en/dev/releases/3.2.20/

Signed-off-by: Narpat Mali &lt;narpat.mali@windriver.com&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
</feed>
