Mirror of git.openembedded.org/meta-openembedded https://git.enea.com/cgit/linux/meta-openembedded.git/atom?h=scarthgap 2026-05-25T02:35:43+00:00 2026-05-25T02:35:43+00:00 Jérémie Dautheribes (Schneider Electric ) jeremie.dautheribes@bootlin.com 2026-05-21T05:04:03+00:00 urn:sha1:91c3393ce06dbe9716c55b28d5ded68de5d147f9 This recipe was previously part of the master branch but was removed because the zstd module was integrated into the Python standard library starting from Python 3.14. Since Scarthgap uses Python 3.12, restore and update this recipe for users on this branch. Signed-off-by: Jérémie Dautheribes (Schneider Electric) <jeremie.dautheribes@bootlin.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com> 2026-05-21T03:27:42+00:00 Gyorgy Sarvari skandigraun@gmail.com 2026-05-08T04:06:11+00:00 urn:sha1:3fd10def4959e04075ad0a60907e46c885fc7558 Set the correct CVE_PRODUCT value, the default python: ecdsa doesn't match relevant entries. The correct values were taken from the CVE db, by checking which CVEs are relevant. See CVE db query: sqlite> select * from products where product like '%ecdsa%'; CVE-2019-14853|python-ecdsa_project|python-ecdsa|||0.13.3|< CVE-2019-14859|python-ecdsa_project|python-ecdsa|||0.13.3|< CVE-2020-12607|antonkueltz|fastecdsa|||2.1.2|< CVE-2021-43568|starkbank|elixir_ecdsa|1.0.0|=|| CVE-2021-43569|starkbank|ecdsa-dotnet|1.3.2|=|| CVE-2021-43570|starkbank|ecdsa-java|1.0.0|=|| CVE-2021-43571|starkbank|ecdsa-node|1.1.2|=|| CVE-2021-43572|starkbank|ecdsa-python|||2.0.1|< CVE-2022-24884|ecdsautils_project|ecdsautils|||0.4.1|< CVE-2024-21502|antonkueltz|fastecdsa|||2.3.2|< CVE-2024-23342|tlsfuzzer|ecdsa|||0.18.0|<= Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 7f962ef1557a291545646470c03fd9c4a23eb7d9) Signed-off-by: Himanshu Jadon <hjadon@cisco.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com> 2026-05-21T03:27:41+00:00 Peter Marko peter.marko@siemens.com 2026-05-07T15:53:01+00:00 urn:sha1:6b76759967d94a114631007904fc74440a70e129 These grpc python modules contain parts of grpc core. Each CVE needs to be assessed if the patch applies also to core parts included in each module. Note that so far there was never a CVE specific for python module, only for grpc:grpc and many of those needed to be fixed at leasts in grpcio: sqlite> select vendor, product, count(*) from products where product like '%grpc%' group by vendor, product; grpc|grpc|21 grpck|grpck|1 linuxfoundation|grpc_swift|9 microsoft|grpconv|1 opentelemetry|configgrpc|1 Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit f993cb2ecb62193bcce8d3d0e06e180a7fef44b8) Signed-off-by: Himanshu Jadon <hjadon@cisco.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com> 2026-04-29T04:44:29+00:00 Hitendra Prajapati hprajapati@mvista.com 2026-04-28T05:59:53+00:00 urn:sha1:fdf83ebd289465a9534b8110a43a03a6cb2e9a5b Backport commit[1] which fixes this vulnerability as mentioned NVD report in [2]. [1] https://github.com/python-pillow/Pillow/commit/3cb854e8b2bab43f40e342e665f9340d861aa628 [2] https://nvd.nist.gov/vuln/detail/CVE-2026-40192 [3] https://security-tracker.debian.org/tracker/CVE-2026-40192 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com> 2026-04-29T04:44:29+00:00 Gyorgy Sarvari skandigraun@gmail.com 2026-04-21T11:17:51+00:00 urn:sha1:0febf2f87d3c2c839bcf08b78c9bf7029a738794 The default "python:tornado" CVE_PRODUCT doesn't match relevant CVEs, because the project's CPE is "tornadoweb:tornado". See cve db query (docmosis is an irrelevant vendor): sqlite> select * from products where PRODUCT = 'tornado'; CVE-2012-2374|tornadoweb|tornado|||2.2|<= CVE-2012-2374|tornadoweb|tornado|1.0|=|| CVE-2012-2374|tornadoweb|tornado|1.0.1|=|| CVE-2012-2374|tornadoweb|tornado|1.1|=|| CVE-2012-2374|tornadoweb|tornado|1.1.1|=|| CVE-2012-2374|tornadoweb|tornado|1.2|=|| CVE-2012-2374|tornadoweb|tornado|1.2.1|=|| CVE-2012-2374|tornadoweb|tornado|2.0|=|| CVE-2012-2374|tornadoweb|tornado|2.1|=|| CVE-2012-2374|tornadoweb|tornado|2.1.1|=|| CVE-2014-9720|tornadoweb|tornado|||3.2.2|< CVE-2023-25264|docmosis|tornado|||2.9.5|< CVE-2023-25265|docmosis|tornado|||2.9.5|< CVE-2023-25266|docmosis|tornado|||2.9.5|< CVE-2023-28370|tornadoweb|tornado|||6.3.2|< CVE-2024-42733|docmosis|tornado|||2.9.7|<= CVE-2024-52804|tornadoweb|tornado|||6.4.2|< CVE-2025-47287|tornadoweb|tornado|||6.5.0|< CVE-2025-67724|tornadoweb|tornado|||6.5.3|< CVE-2025-67725|tornadoweb|tornado|||6.5.3|< CVE-2025-67726|tornadoweb|tornado|||6.5.3|< Set the CVE_PRODUCT accordingly. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 139cc15de304918edc0197346579162b12006faa) Signed-off-by: Himanshu Jadon <hjadon@cisco.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com> 2026-04-15T08:42:18+00:00 Ankur Tyagi ankur.tyagi85@gmail.com 2026-04-11T11:14:49+00:00 urn:sha1:a1b14b7a3aadd2ad6b117bdafa505928edadfeb7 Vvulnerability affects Windows application and can be ignored. Details: https://nvd.nist.gov/vuln/detail/CVE-2026-27199 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com> 2026-04-15T08:42:18+00:00 Ankur Tyagi ankur.tyagi85@gmail.com 2026-04-11T11:14:48+00:00 urn:sha1:3b6292cfbef8b60750071da92ccb91d50a63c2be Backport the commit[1] from version 6.5.5 which fixes this vulnerability according to the NVD[2]. [1] https://github.com/tornadoweb/tornado/commit/24a2d96ea115f663b223887deb0060f13974c104 [2] https://nvd.nist.gov/vuln/detail/CVE-2026-35536 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com> 2026-04-15T08:42:18+00:00 Ankur Tyagi ankur.tyagi85@gmail.com 2026-04-11T11:14:47+00:00 urn:sha1:667917103437dd9a6a737f005628884058ee2b79 License Update: File renamed as txt[1] Release Notes: https://github.com/pallets/flask/releases/tag/3.0.3 [1] https://github.com/pallets/flask/commit/87d5f5b9a9697434e6d972b021201105eabb54e6 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com> 2026-04-15T08:42:18+00:00 Ankur Tyagi ankur.tyagi85@gmail.com 2026-04-11T11:14:46+00:00 urn:sha1:8ce4b233c6e2afa6be89ad31a3c77452b0f3a23b Details: https://nvd.nist.gov/vuln/detail/CVE-2026-33936 Ptests passed: root@qemux86:~# ptest-runner python3-ecdsa START: ptest-runner 2026-04-11T08:04 BEGIN: /usr/lib/python3-ecdsa/ptest ... ... Testsuite summary # TOTAL: 1978 # PASS: 1974 # SKIP: 4 # XFAIL: 0 # FAIL: 0 # XPASS: 0 # ERROR: 0 DURATION: 386 END: /usr/lib/python3-ecdsa/ptest 2026-04-11T08:10 STOP: ptest-runner TOTAL: 1 FAIL: 0 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com> 2026-04-15T08:42:18+00:00 Ankur Tyagi ankur.tyagi85@gmail.com 2026-04-11T11:14:45+00:00 urn:sha1:8e106a9b12bb8dbb24a63ef058bc12fc0c218b4b Release Notes: https://docs.djangoproject.com/en/dev/releases/4.2.30/ Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>