<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/meta-openembedded.git/meta-python, branch kirkstone</title>
<subtitle>Mirror of git.openembedded.org/meta-openembedded</subtitle>
<id>https://git.enea.com/cgit/linux/meta-openembedded.git/atom?h=kirkstone</id>
<link rel='self' href='https://git.enea.com/cgit/linux/meta-openembedded.git/atom?h=kirkstone'/>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/'/>
<updated>2026-02-27T13:28:50+00:00</updated>
<entry>
<title>python3-werkzeug: ignore CVE-2026-27199</title>
<updated>2026-02-27T13:28:50+00:00</updated>
<author>
<name>Gyorgy Sarvari</name>
<email>skandigraun@gmail.com</email>
</author>
<published>2026-02-27T12:03:23+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=c66c447396d499c5c05391271158d7355ab8e8bc'/>
<id>urn:sha1:c66c447396d499c5c05391271158d7355ab8e8bc</id>
<content type='text'>
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-27199

The vulnerability affects only the application on Windows operating system.
Due to this, ignore this CVE.

Signed-off-by: Gyorgy Sarvari &lt;skandigraun@gmail.com&gt;
</content>
</entry>
<entry>
<title>python3-cbor2: patch CVE-2025-68131</title>
<updated>2026-02-27T13:28:43+00:00</updated>
<author>
<name>Hitendra Prajapati</name>
<email>hprajapati@mvista.com</email>
</author>
<published>2026-02-26T12:36:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=f19f8995e2a97859a94cfac6d8b1588b283b8f84'/>
<id>urn:sha1:f19f8995e2a97859a94cfac6d8b1588b283b8f84</id>
<content type='text'>
Backport the patch[1] which fixes this vulnerability as mentioned in the
comment[2].
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-68131

[1] https://github.com/agronholm/cbor2/commit/f1d701cd2c411ee40bb1fe383afe7f365f35abf0
[2] https://github.com/agronholm/cbor2/pull/268#issuecomment-3719179000

Dropped changes to the changelog from the original commit.

Signed-off-by: Hitendra Prajapati &lt;hprajapati@mvista.com&gt;
Signed-off-by: Gyorgy Sarvari &lt;skandigraun@gmail.com&gt;
</content>
</entry>
<entry>
<title>python3-django: upgrade 4.2.27 -&gt; 4.2.28</title>
<updated>2026-02-15T14:30:54+00:00</updated>
<author>
<name>Gyorgy Sarvari</name>
<email>skandigraun@gmail.com</email>
</author>
<published>2026-02-13T15:42:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=c1eda860f403713487e40409e9ae9fe0ce29104d'/>
<id>urn:sha1:c1eda860f403713487e40409e9ae9fe0ce29104d</id>
<content type='text'>
Contains fixes for CVE-2025-13473, CVE-2025-14550, CVE-2026-1207,
CVE-2026-1285, CVE-2026-1287 and CVE-2026-1312

Signed-off-by: Gyorgy Sarvari &lt;skandigraun@gmail.com&gt;
</content>
</entry>
<entry>
<title>python3-protobuf: patch CVE-2026-0994</title>
<updated>2026-02-03T18:53:58+00:00</updated>
<author>
<name>Peter Marko</name>
<email>peter.marko@siemens.com</email>
</author>
<published>2026-02-02T21:32:06+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=9492cdbbf8e87cf7daa0cf52f896bace6f9da70e'/>
<id>urn:sha1:9492cdbbf8e87cf7daa0cf52f896bace6f9da70e</id>
<content type='text'>
Pick patch from PR in NVD report.
It is the only code change in 33.5 release.
Skip the test file change as it's not shipped in python module sources.
Resolve formatting-only conflict.

Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Signed-off-by: Gyorgy Sarvari &lt;skandigraun@gmail.com&gt;
</content>
</entry>
<entry>
<title>python3-pymongo: upgrade 4.1.0 -&gt; 4.1.1</title>
<updated>2026-01-30T17:59:29+00:00</updated>
<author>
<name>zhengruoqin</name>
<email>zhengrq.fnst@fujitsu.com</email>
</author>
<published>2022-04-21T09:58:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=c95de73853c7a215738da01ffe3ed79ceaa2cb70'/>
<id>urn:sha1:c95de73853c7a215738da01ffe3ed79ceaa2cb70</id>
<content type='text'>
Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-1-1-released/157895

Signed-off-by: Zheng Ruoqin &lt;zhengrq.fnst@fujitsu.com&gt;
Signed-off-by: Khem Raj &lt;raj.khem@gmail.com&gt;
(cherry picked from commit 5bfe98cb4074baa6b9a81e9a205eacf0d898db41)
Signed-off-by: Gyorgy Sarvari &lt;skandigraun@gmail.com&gt;
</content>
</entry>
<entry>
<title>python3-pymongo: patch CVE-2024-5629</title>
<updated>2026-01-30T17:59:29+00:00</updated>
<author>
<name>Gyorgy Sarvari</name>
<email>skandigraun@gmail.com</email>
</author>
<published>2026-01-30T07:06:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=0f26b38ebc7ba5239530402154af350dfd3f399f'/>
<id>urn:sha1:0f26b38ebc7ba5239530402154af350dfd3f399f</id>
<content type='text'>
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-5629

Backport the patch that is indicated to solve the issue based on the
upstream project's Jira ticket[1] (which comes from the NVD report).

[1]: https://jira.mongodb.org/browse/PYTHON-4305

Signed-off-by: Gyorgy Sarvari &lt;skandigraun@gmail.com&gt;
</content>
</entry>
<entry>
<title>python3-ecdsa: ignore CVE-2024-23342</title>
<updated>2026-01-30T17:59:29+00:00</updated>
<author>
<name>Gyorgy Sarvari</name>
<email>skandigraun@gmail.com</email>
</author>
<published>2026-01-30T07:06:19+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=fd620677ce54f86e5d881c6647111ef538e0b0e9'/>
<id>urn:sha1:fd620677ce54f86e5d881c6647111ef538e0b0e9</id>
<content type='text'>
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-23342

The issue won't be fixed, because it is not in the scope of the
project. See also the discussion in the relevant Github issue[1].

[1]: https://github.com/tlsfuzzer/python-ecdsa/issues/330

Signed-off-by: Gyorgy Sarvari &lt;skandigraun@gmail.com&gt;
</content>
</entry>
<entry>
<title>python3-twitter: mark CVE-2012-5825 patched</title>
<updated>2026-01-30T17:59:29+00:00</updated>
<author>
<name>Gyorgy Sarvari</name>
<email>skandigraun@gmail.com</email>
</author>
<published>2026-01-29T06:31:25+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=363dc629d40f87681360fd0e90a5fd60ffccd1a4'/>
<id>urn:sha1:363dc629d40f87681360fd0e90a5fd60ffccd1a4</id>
<content type='text'>
Details: https://nvd.nist.gov/vuln/detail/CVE-2012-5825

The Debian bugtracker[1] indicated that the issue is tracked by
upstream in github[2] (with a different CVE ID, but same issue),
where the vulnerability was confirmed. Later in the same github issue
the solution is confirmed: the project switched to use the requests
library, which doesn't suffer from this vulnerability.

Due to this mark the CVE as patched.

[1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692444
[2]: https://github.com/tweepy/tweepy/issues/279

Signed-off-by: Gyorgy Sarvari &lt;skandigraun@gmail.com&gt;
Signed-off-by: Khem Raj &lt;raj.khem@gmail.com&gt;
(cherry picked from commit 3ee544e7591b36a49550a263a0ec4d64b5e490e8)

Adapted to Kirkstone (CVE_STATUS -&gt; CVE_CHECK_IGNORE)

Signed-off-by: Gyorgy Sarvari &lt;skandigraun@gmail.com&gt;
</content>
</entry>
<entry>
<title>python3-paramiko: upgrade 2.10.3 -&gt; 2.10.6</title>
<updated>2026-01-30T17:59:29+00:00</updated>
<author>
<name>Gyorgy Sarvari</name>
<email>skandigraun@gmail.com</email>
</author>
<published>2026-01-24T05:32:11+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=7adb0931bcc9a8339e93dab990ffa5bfac759251'/>
<id>urn:sha1:7adb0931bcc9a8339e93dab990ffa5bfac759251</id>
<content type='text'>
Bugfix releases.

Changelog:
2.10.4:
- Servers offering certificate variants of hostkey algorithms
  (eg ssh-rsa-cert-v01@openssh.com) could not have their host
  keys verified by Paramiko clients, as it only ever considered
  non-cert key types for that part of connection handshaking.
  This has been fixed.
- PKey instances’ __eq__ did not have the usual safety guard in
  place to ensure they were being compared to another PKey object,
  causing occasional spurious BadHostKeyException (among other
  things). This has been fixed.
- Update camelCase method calls against the threading module to
  be snake_case; this and related tweaks should fix some deprecation
  warnings under Python 3.10.

2.10.5:
- Windows-native SSH agent support as merged in 2.10 could encounter
  Errno 22 OSError exceptions in some scenarios (eg server not cleanly
  closing a relevant named pipe). This has been worked around and
  should be less problematic.
- OpenSSH 7.7 and older has a bug preventing it from understanding
  how to perform SHA2 signature verification for RSA certificates
  (specifically certs - not keys), so when we added SHA2 support it
  broke all clients using RSA certificates with these servers. This
  has been fixed in a manner similar to what OpenSSH’s own client
  does: a version check is performed and the algorithm used is
  downgraded if needed.
- Align signature verification algorithm with OpenSSH re: zero-padding
  signatures which don’t match their nominal size/length. This shouldn’t
  affect most users, but will help Paramiko-implemented SSH servers
  handle poorly behaved clients such as PuTTY.

2.10.6:
- Raise SSHException explicitly when blank private key data is loaded,
  instead of the natural result of IndexError. This should help more
  bits of Paramiko or Paramiko-adjacent codebases to correctly handle
  this class of error.
- Update SSHClient so it explicitly closes its wrapped socket object
  upon encountering socket errors at connection time. This should help
  somewhat with certain classes of memory leaks, resource warnings,
  and/or errors (though we hasten to remind everyone that Client and
  Transport have their own .close() methods for use in non-error
  situations!).

https://www.paramiko.org/changelog.html

Signed-off-by: Gyorgy Sarvari &lt;skandigraun@gmail.com&gt;
</content>
</entry>
<entry>
<title>python3-blivet: upgrade 3.4.3 -&gt; 3.4.4</title>
<updated>2026-01-30T17:59:28+00:00</updated>
<author>
<name>Gyorgy Sarvari</name>
<email>skandigraun@gmail.com</email>
</author>
<published>2026-01-17T11:48:14+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=c03adad7ea2866a9ed81469348b7636b6c192162'/>
<id>urn:sha1:c03adad7ea2866a9ed81469348b7636b6c192162</id>
<content type='text'>
Bugfix release.

Changelog:
 - Use LVM PV format current_size in LVMVolumeGroupDevice._remove
 - Correctly set vg_name after adding/removing a PV from a VG
 - Do not crash when changing disklabel on disks with active devices
 - ActionDestroyDevice should not obsolete ActionRemoveMember
 - Correctly set compression and deduplication for existing VDO pools
 - Correctly cancel configure actions in cancel()
 - Set partition flags after setting parted filesystem

Signed-off-by: Gyorgy Sarvari &lt;skandigraun@gmail.com&gt;
</content>
</entry>
</feed>
