linux/meta-openembedded.git/meta-python, branch scarthgap
Mirror of git.openembedded.org/meta-openembedded
https://git.enea.com/cgit/linux/meta-openembedded.git/atom?h=scarthgap
2026-04-29T04:44:29+00:00
python3-pillow: fix CVE-2026-40192
2026-04-29T04:44:29+00:00
Hitendra Prajapati
hprajapati@mvista.com
2026-04-28T05:59:53+00:00
urn:sha1:fdf83ebd289465a9534b8110a43a03a6cb2e9a5b
Backport commit[1] which fixes this vulnerability as mentioned NVD report in [2].
[1] https://github.com/python-pillow/Pillow/commit/3cb854e8b2bab43f40e342e665f9340d861aa628
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-40192
[3] https://security-tracker.debian.org/tracker/CVE-2026-40192
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
python3-tornado: set CVE_PRODUCT
2026-04-29T04:44:29+00:00
Gyorgy Sarvari
skandigraun@gmail.com
2026-04-21T11:17:51+00:00
urn:sha1:0febf2f87d3c2c839bcf08b78c9bf7029a738794
The default "python:tornado" CVE_PRODUCT doesn't match relevant CVEs, because
the project's CPE is "tornadoweb:tornado".
See cve db query (docmosis is an irrelevant vendor):
sqlite> select * from products where PRODUCT = 'tornado';
CVE-2012-2374|tornadoweb|tornado|||2.2|<=
CVE-2012-2374|tornadoweb|tornado|1.0|=||
CVE-2012-2374|tornadoweb|tornado|1.0.1|=||
CVE-2012-2374|tornadoweb|tornado|1.1|=||
CVE-2012-2374|tornadoweb|tornado|1.1.1|=||
CVE-2012-2374|tornadoweb|tornado|1.2|=||
CVE-2012-2374|tornadoweb|tornado|1.2.1|=||
CVE-2012-2374|tornadoweb|tornado|2.0|=||
CVE-2012-2374|tornadoweb|tornado|2.1|=||
CVE-2012-2374|tornadoweb|tornado|2.1.1|=||
CVE-2014-9720|tornadoweb|tornado|||3.2.2|<
CVE-2023-25264|docmosis|tornado|||2.9.5|<
CVE-2023-25265|docmosis|tornado|||2.9.5|<
CVE-2023-25266|docmosis|tornado|||2.9.5|<
CVE-2023-28370|tornadoweb|tornado|||6.3.2|<
CVE-2024-42733|docmosis|tornado|||2.9.7|<=
CVE-2024-52804|tornadoweb|tornado|||6.4.2|<
CVE-2025-47287|tornadoweb|tornado|||6.5.0|<
CVE-2025-67724|tornadoweb|tornado|||6.5.3|<
CVE-2025-67725|tornadoweb|tornado|||6.5.3|<
CVE-2025-67726|tornadoweb|tornado|||6.5.3|<
Set the CVE_PRODUCT accordingly.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 139cc15de304918edc0197346579162b12006faa)
Signed-off-by: Himanshu Jadon <hjadon@cisco.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
python3-werkzeug: ignore CVE-2026-27199
2026-04-15T08:42:18+00:00
Ankur Tyagi
ankur.tyagi85@gmail.com
2026-04-11T11:14:49+00:00
urn:sha1:a1b14b7a3aadd2ad6b117bdafa505928edadfeb7
Vvulnerability affects Windows application and can be ignored.
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-27199
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
python3-tornado: fix CVE-2026-35536
2026-04-15T08:42:18+00:00
Ankur Tyagi
ankur.tyagi85@gmail.com
2026-04-11T11:14:48+00:00
urn:sha1:3b6292cfbef8b60750071da92ccb91d50a63c2be
Backport the commit[1] from version 6.5.5 which fixes this vulnerability
according to the NVD[2].
[1] https://github.com/tornadoweb/tornado/commit/24a2d96ea115f663b223887deb0060f13974c104
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-35536
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
python3-flask: upgrade 3.0.2 -> 3.0.3
2026-04-15T08:42:18+00:00
Ankur Tyagi
ankur.tyagi85@gmail.com
2026-04-11T11:14:47+00:00
urn:sha1:667917103437dd9a6a737f005628884058ee2b79
License Update: File renamed as txt[1]
Release Notes:
https://github.com/pallets/flask/releases/tag/3.0.3
[1] https://github.com/pallets/flask/commit/87d5f5b9a9697434e6d972b021201105eabb54e6
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
python3-ecdsa: fix CVE-2026-33936
2026-04-15T08:42:18+00:00
Ankur Tyagi
ankur.tyagi85@gmail.com
2026-04-11T11:14:46+00:00
urn:sha1:8ce4b233c6e2afa6be89ad31a3c77452b0f3a23b
Details:
https://nvd.nist.gov/vuln/detail/CVE-2026-33936
Ptests passed:
root@qemux86:~# ptest-runner python3-ecdsa
START: ptest-runner
2026-04-11T08:04
BEGIN: /usr/lib/python3-ecdsa/ptest
...
...
Testsuite summary
# TOTAL: 1978
# PASS: 1974
# SKIP: 4
# XFAIL: 0
# FAIL: 0
# XPASS: 0
# ERROR: 0
DURATION: 386
END: /usr/lib/python3-ecdsa/ptest
2026-04-11T08:10
STOP: ptest-runner
TOTAL: 1 FAIL: 0
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
python3-django: upgrade 4.2.29 -> 4.2.30
2026-04-15T08:42:18+00:00
Ankur Tyagi
ankur.tyagi85@gmail.com
2026-04-11T11:14:45+00:00
urn:sha1:8e106a9b12bb8dbb24a63ef058bc12fc0c218b4b
Release Notes:
https://docs.djangoproject.com/en/dev/releases/4.2.30/
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
python3-django: fix CVE-2025-59681
2026-04-15T08:42:18+00:00
Haixiao Yan
haixiao.yan.cn@windriver.com
2026-04-10T07:05:07+00:00
urn:sha1:9757d0151b92601c4c6fd05baf7e328afa000213
QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and
QuerySet.extra() methods were subject to SQL injection in column aliases, using
a suitably crafted dictionary, with dictionary expansion, as the **kwargs
passed to these methods on MySQL and MariaDB.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-59681
Upstream-patch:
https://github.com/django/django/commit/38d9ef8c7b5cb6ef51b933e51a20e0e0063f33d5
Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
python3-django: fix CVE-2025-57833
2026-04-15T08:42:18+00:00
Haixiao Yan
haixiao.yan.cn@windriver.com
2026-04-10T07:05:06+00:00
urn:sha1:838ca228086821cf82b3de83fb78412c6d2784c8
FilteredRelation was subject to SQL injection in column aliases, using a
suitably crafted dictionary, with dictionary expansion, as the **kwargs
passed QuerySet.annotate() or QuerySet.alias().
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-57833
Upstream-patch:
https://github.com/django/django/commit/31334e6965ad136a5e369993b01721499c5d1a92
Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
python3-django: fix CVE-2025-64459
2026-04-15T08:40:33+00:00
Haixiao Yan
haixiao.yan.cn@windriver.com
2026-04-10T07:04:59+00:00
urn:sha1:151e634ed297eec8d9b269c2b08001fd76f4cc62
The methods QuerySet.filter(), QuerySet.exclude(), and QuerySet.get(), and the
class Q() were subject to SQL injection when using a suitably crafted
dictionary, with dictionary expansion, as the _connector argument.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-64459
https://shivasurya.me/security/django/2025/11/07/django-sql-injection-CVE-2025-64459.html
Upstream-patch:
https://github.com/django/django/commit/72d2c87431f2ae0431d65d0ec792047f078c8241
https://github.com/django/django/commit/4624ed769c0f7caea0d48ac824a75fa6b6f17671
Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>