<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/meta-openembedded.git/meta-python/recipes-devtools, branch kirkstone-next</title>
<subtitle>Mirror of git.openembedded.org/meta-openembedded</subtitle>
<id>https://git.enea.com/cgit/linux/meta-openembedded.git/atom?h=kirkstone-next</id>
<link rel='self' href='https://git.enea.com/cgit/linux/meta-openembedded.git/atom?h=kirkstone-next'/>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/'/>
<updated>2025-07-03T00:36:39+00:00</updated>
<entry>
<title>python3-protobuf: fix RDEPENDS</title>
<updated>2025-07-03T00:36:39+00:00</updated>
<author>
<name>Chen Qi</name>
<email>Qi.Chen@windriver.com</email>
</author>
<published>2025-06-24T08:57:47+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=74f42273b4829a4adbb2356f5b441a6589d45d46'/>
<id>urn:sha1:74f42273b4829a4adbb2356f5b441a6589d45d46</id>
<content type='text'>
python3-ctypes is needed as a runtime dependency.

Signed-off-by: Chen Qi &lt;Qi.Chen@windriver.com&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>python3-aiohttp: fix CVE-2024-42367</title>
<updated>2025-07-03T00:36:23+00:00</updated>
<author>
<name>Jiaying Song</name>
<email>jiaying.song.cn@windriver.com</email>
</author>
<published>2025-06-05T09:15:50+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=65523c22aaed162ac4b0579bdaf44533951ccb71'/>
<id>urn:sha1:65523c22aaed162ac4b0579bdaf44533951ccb71</id>
<content type='text'>
aiohttp is an asynchronous HTTP client/server framework for asyncio and
Python. Prior to version 3.10.2, static routes which contain files with
compressed variants (`.gz` or `.br` extension) are vulnerable to path
traversal outside the root directory if those variants are symbolic
links. The server protects static routes from path traversal outside the
root directory when `follow_symlinks=False` (default). It does this by
resolving the requested URL to an absolute path and then checking that
path relative to the root. However, these checks are not performed when
looking for compressed variants in the `FileResponse` class, and
symbolic links are then automatically followed when performing the
`Path.stat()` and `Path.open()` to send the file. Version 3.10.2
contains a patch for the issue.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-42367
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-jwhx-xcg6-8xhj

Upstream patch:
https://github.com/aio-libs/aiohttp/commit/ce2e9758814527589b10759a20783fb03b98339f

Signed-off-by: Jiaying Song &lt;jiaying.song.cn@windriver.com&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
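The root-containment check that the aiohttp advisory above describes, and the way an unchecked compressed-variant lookup bypasses it, as an added example in plain Python. This is illustrative code written for this page, not aiohttp's own; the directory layout, file names and the functions contained, resolve_request, variant_unchecked and variant_checked are constructed for the demonstration. variant_unchecked deliberately reproduces the vulnerable pattern (stat and follow the symlink without re-checking the root); variant_checked re-applies the same containment check to the variant before serving it.

```python
"""Added example: root-containment check for static files and their
compressed variants. Illustrative code, not aiohttp's implementation."""
import os
import tempfile
from pathlib import Path
from typing import Optional


def contained(root: Path, candidate: Path) -> bool:
    """True if candidate, with every symlink resolved, still lies under root."""
    try:
        candidate.resolve().relative_to(root.resolve())
    except ValueError:
        return False
    return True


def resolve_request(root: Path, url_path: str) -> Optional[Path]:
    """Map a URL path to a file under root the way a static route does with
    follow_symlinks=False: resolve to an absolute path, check it against root."""
    target = root.joinpath(url_path.lstrip("/"))
    if not contained(root, target):
        return None
    target = target.resolve()
    return target if target.is_file() else None


def variant_unchecked(path: Path, encodings) -> Path:
    """Vulnerable pattern: look for path.br / path.gz next to the already
    validated file and return the first one that stat()s. stat() and open()
    follow symlinks, and the root check is never repeated for the variant."""
    for enc, suffix in (("br", ".br"), ("gzip", ".gz")):
        if enc in encodings:
            cand = path.with_name(path.name + suffix)
            try:
                cand.stat()  # follows the symlink, wherever it points
            except OSError:
                continue
            return cand.resolve()  # the file open() would actually read
    return path


def variant_checked(root: Path, path: Path, encodings) -> Path:
    """Hardened pattern: a variant is served only if, after resolving symlinks,
    it is still under root; otherwise fall back to the uncompressed file."""
    for enc, suffix in (("br", ".br"), ("gzip", ".gz")):
        if enc in encodings:
            cand = path.with_name(path.name + suffix)
            if cand.is_file() and contained(root, cand):
                return cand.resolve()
    return path


def demo() -> dict:
    """Build a constructed layout in a temp dir and run both lookups.
    Layout (constructed for this example):
      tmp/root/index.html        real file served to clients
      tmp/root/index.html.gz --> symlink to tmp/outside/secret.gz
    """
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        root = base / "root"
        outside = base / "outside"
        root.mkdir()
        outside.mkdir()
        (root / "index.html").write_text("public\n")
        (outside / "secret.gz").write_bytes(b"not for clients")
        os.symlink(outside / "secret.gz", root / "index.html.gz")

        page = resolve_request(root, "/index.html")
        assert page is not None
        unsafe = variant_unchecked(page, {"gzip"})
        safe = variant_checked(root, page, {"gzip"})
        return {
            # a plain traversal attempt is caught by the request-level check
            "traversal_rejected": resolve_request(root, "/../outside/secret.gz") is None,
            # the variant lookup without a re-check walks out of root
            "unchecked_escapes_root": not contained(root, unsafe),
            "unchecked_target": unsafe.name,
            # the re-checked lookup refuses the symlinked variant and falls back
            "checked_stays_in_root": contained(root, safe),
            "checked_target": safe.name,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point to carry over to any static-file handler: every filesystem path you derive from a validated path (compressed variant, index file, directory listing target) must pass through the same resolve-then-compare-to-root check, because stat() and open() follow symlinks regardless of how the original request was validated.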
<entry>
<title>python3-twisted: Fix CVE-2024-41671</title>
<updated>2025-05-25T18:48:44+00:00</updated>
<author>
<name>Soumya Sambu</name>
<email>soumya.sambu@windriver.com</email>
</author>
<published>2025-04-23T04:59:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=5c4b61d38a86de2c26f4ce5e57aaa169643ac211'/>
<id>urn:sha1:5c4b61d38a86de2c26f4ce5e57aaa169643ac211</id>
<content type='text'>
Twisted is an event-based framework for internet applications, supporting Python 3.6+.
The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP
requests out-of-order, possibly resulting in information disclosure. This vulnerability
is fixed in 24.7.0rc1.

References:
https://nvd.nist.gov/vuln/detail/CVE-2024-41671
https://ubuntu.com/security/CVE-2024-41671

Upstream patches:
https://github.com/twisted/twisted/commit/f1cb4e616e9f23b4dd044a6db44365060950c64f
https://github.com/twisted/twisted/commit/ef2c755e9e9d57d58132af790bd2fd2b957b3fb1

Signed-off-by: Soumya Sambu &lt;soumya.sambu@windriver.com&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>python3-grpcio(-tools): fix build concurrency issue</title>
<updated>2025-03-06T14:49:24+00:00</updated>
<author>
<name>Peter Marko</name>
<email>peter.marko@siemens.com</email>
</author>
<published>2025-03-04T18:59:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=7842d4eb450d4360bc28e6635d501b687a212bcd'/>
<id>urn:sha1:7842d4eb450d4360bc28e6635d501b687a212bcd</id>
<content type='text'>
Set GRPC_PYTHON_BUILD_EXT_COMPILER_JOBS to limit spawned compiler
processes. Without this it uses all available CPUs (via
multiprocessing.cpu_count()) and can exhaust the build host since there
are a lot of files to compile (e.g. with 128 cores it manages to spawn
128 gcc processes).

Note that this is a general problem for all setuptools-based builds with
build_ext compilation, which can either compile with 1 thread or
cpu_count threads. grpcio hot-patches setuptools and allows setting a
specific build concurrency value.

(From master rev: fe582374d3ba474164005942799eb2bddc52a080)

Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Signed-off-by: Khem Raj &lt;raj.khem@gmail.com&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>python3-future: upgrade 0.18.2 -&gt; 0.18.3</title>
<updated>2025-03-06T14:39:34+00:00</updated>
<author>
<name>Wang Mingyu</name>
<email>wangmy@fujitsu.com</email>
</author>
<published>2025-02-12T02:48:21+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=178d4ae7c2040ff6b25aa987f4ecf67a0a5c5e99'/>
<id>urn:sha1:178d4ae7c2040ff6b25aa987f4ecf67a0a5c5e99</id>
<content type='text'>
Full changelog:
https://github.com/PythonCharmers/python-future/releases

(cherry-picked from a10bda8c873e66f0d895cf8065cbc076b2055655)

Signed-off-by: Wang Mingyu &lt;wangmy@fujitsu.com&gt;
Signed-off-by: Khem Raj &lt;raj.khem@gmail.com&gt;
Signed-off-by: Jiaying Song &lt;jiaying.song.cn@windriver.com&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>python3-h5py: add -Wno-error to allow building native with gcc-14 on host</title>
<updated>2025-02-09T15:58:24+00:00</updated>
<author>
<name>Martin Jansa</name>
<email>martin.jansa@gmail.com</email>
</author>
<published>2025-02-04T17:32:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=068379172d52f1f119bfb8eecdc77494898ea504'/>
<id>urn:sha1:068379172d52f1f119bfb8eecdc77494898ea504</id>
<content type='text'>
Signed-off-by: Martin Jansa &lt;martin.jansa@gmail.com&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>python3-sqlparse: Fix CVE-2024-4340</title>
<updated>2025-01-23T00:29:37+00:00</updated>
<author>
<name>Soumya Sambu</name>
<email>soumya.sambu@windriver.com</email>
</author>
<published>2025-01-20T04:32:33+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=de8681b4a2a101b99dd2c48d89a7de2ccd9a961f'/>
<id>urn:sha1:de8681b4a2a101b99dd2c48d89a7de2ccd9a961f</id>
<content type='text'>
Passing a heavily nested list to sqlparse.parse() leads to a Denial
of Service due to RecursionError.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-4340

Upstream-patch:
https://github.com/andialbrecht/sqlparse/commit/b4a39d9850969b4e1d6940d32094ee0b42a2cf03

Signed-off-by: Soumya Sambu &lt;soumya.sambu@windriver.com&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>python3-django: Fix CVE-2024-53907</title>
<updated>2025-01-23T00:23:09+00:00</updated>
<author>
<name>Soumya Sambu</name>
<email>soumya.sambu@windriver.com</email>
</author>
<published>2025-01-10T13:18:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=954acdcf1b7306654dc4aba36a2c423d64ee5a80'/>
<id>urn:sha1:954acdcf1b7306654dc4aba36a2c423d64ee5a80</id>
<content type='text'>
An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2
before 4.2.17. The strip_tags() method and striptags template filter are subject
to a potential denial-of-service attack via certain inputs containing large
sequences of nested incomplete HTML entities.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-53907

Upstream-patch:
https://github.com/django/django/commit/790eb058b0716c536a2f2e8d1c6d5079d776c22b

Signed-off-by: Soumya Sambu &lt;soumya.sambu@windriver.com&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>python3-django: Fix CVE-2024-45231</title>
<updated>2025-01-23T00:23:05+00:00</updated>
<author>
<name>Soumya Sambu</name>
<email>soumya.sambu@windriver.com</email>
</author>
<published>2025-01-10T13:18:01+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=be168328f84eef8007cc8e3f9c2e08c59b036b9d'/>
<id>urn:sha1:be168328f84eef8007cc8e3f9c2e08c59b036b9d</id>
<content type='text'>
An issue was discovered in Django v5.1.1, v5.0.9, and v4.2.16. The
django.contrib.auth.forms.PasswordResetForm class, when used in a view
implementing password reset flows, allows remote attackers to enumerate
user e-mail addresses by sending password reset requests and observing
the outcome (only when e-mail sending is consistently failing).

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-45231

Upstream-patch:
https://github.com/django/django/commit/bf4888d317ba4506d091eeac6e8b4f1fcc731199

Signed-off-by: Soumya Sambu &lt;soumya.sambu@windriver.com&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>python3-django: Fix CVE-2024-45230</title>
<updated>2025-01-23T00:23:02+00:00</updated>
<author>
<name>Soumya Sambu</name>
<email>soumya.sambu@windriver.com</email>
</author>
<published>2025-01-10T13:18:00+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=b4feba446d7a8f8232528c4b2ee936e5b98ced3d'/>
<id>urn:sha1:b4feba446d7a8f8232528c4b2ee936e5b98ced3d</id>
<content type='text'>
An issue was discovered in Django 5.1 before 5.1.1, 5.0 before 5.0.9, and
4.2 before 4.2.16. The urlize() and urlizetrunc() template filters are
subject to a potential denial-of-service attack via very large inputs with
a specific sequence of characters.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-45230

Upstream-patch:
https://github.com/django/django/commit/d147a8ebbdf28c17cafbbe2884f0bc57e2bf82e2

Signed-off-by: Soumya Sambu &lt;soumya.sambu@windriver.com&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
</feed>
