path: root/meta-python/recipes-devtools/python
Commit log (each entry: commit subject, author, date, files changed, lines -/+):
* python3-django: upgrade 4.2.29 -> 4.2.30 (Ankur Tyagi, 2026-05-08, 1 file, -1/+1)
  Release Notes: https://docs.djangoproject.com/en/dev/releases/4.2.30/

  Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-django: upgrade 5.2.12 -> 5.2.13 (Gyorgy Sarvari, 2026-05-08, 1 file, -1/+1)
  Contains fixes for CVE-2026-3902, CVE-2026-4277, CVE-2026-4292, CVE-2026-33033 and CVE-2026-33034.

  Changelog: https://docs.djangoproject.com/en/6.0/releases/5.2.13/

  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
  Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
  Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-gpiod: update to v2.4.2 (Bartosz Golaszewski, 2026-05-08, 1 file, -1/+1)
  Bug-fix release addressing a buffer overflow bug discovered during an AI-augmented security audit as well as another minor issue with unnecessarily duplicated code.

  Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
  Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
  (cherry picked from commit 7e24f2b5a868989719a1afde14258b323c7a3a56)
  Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-bitarray: upgrade 3.8.0 -> 3.8.1 (Wang Mingyu, 2026-05-08, 1 file, -1/+1)
  Changelog:
  ==========
  * fixed critical findings in C Extension Analysis Report
  * add tests, in particular 'devel/test_capi.py'

  Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
  Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
  (cherry picked from commit 041704b01cc0c039390b42ee72a28bdc13a630b2)
  Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-tzdata: upgrade 2025.3 -> 2026.1 (Wang Mingyu, 2026-05-08, 1 file, -1/+1)
  Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
  Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
  (cherry picked from commit 36111dde1a7cd9f9df139d8dded91ea771336a69)
  Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-tzdata: upgrade 2025.2 -> 2025.3 (Wang Mingyu, 2026-05-08, 1 file, -1/+1)
  Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit 2c0a4edb58da813ca3d9709baed7b5c67ae85e2e)
  Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-werkzeug: upgrade 3.1.7 -> 3.1.8 (Wang Mingyu, 2026-05-08, 1 file, -1/+1)
  Request.host and get_host return the empty string if the header is missing or has invalid characters.

  Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
  Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
  (cherry picked from commit d8c310aa52e669ca894d4b343bd83a97cb6eb8d4)
  Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-werkzeug: upgrade 3.1.6 -> 3.1.7 (Wang Mingyu, 2026-05-08, 1 file, -1/+1)
  Changelog:
  ==========
  - parse_list_header preserves partially quoted items, discards empty items, and returns empty for unclosed quoted values.
  - WWWAuthenticate.to_header does not produce a trailing space when there are no parameters.
  - Transfer-Encoding is parsed as a set.
  - Request.host, get_host, and host_is_trusted validate the characters of the value. An empty value is no longer allowed. A Unix socket server address is ignored. The trusted_list argument to host_is_trusted is optional.
  - Fix multipart form parser handling of newline at boundary.
  - Response.make_conditional sets the Accept-Ranges header even if it is not a satisfiable range request.
  - merge_slashes merges any number of consecutive slashes.

  Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
  Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
  (cherry picked from commit db8bd24b0db925cdbd4b9d444981846871c354f2)
  Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-ecdsa: Upgrade 0.19.1 -> 0.19.2 (Mingli Yu, 2026-05-08, 1 file, -1/+1)
  Changelog: https://github.com/tlsfuzzer/python-ecdsa/releases/tag/python-ecdsa-0.19.2

  Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
  Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
  (cherry picked from commit 27d096d984b1a5b567ba1b217c3fee8581284575)
  Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-grpcio: ignore CVE-2026-33186 (Gyorgy Sarvari, 2026-05-08, 1 file, -0/+1)
  Details: https://nvd.nist.gov/vuln/detail/CVE-2026-33186

  The vulnerability only affects the Go implementation of the library, not the Python one. Ignore this CVE due to this.

  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
  Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
  (cherry picked from commit 468ee626f88272eedf275efe6f68640ee643c3f4)
  Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* protobuf, python3-protobuf: ignore CVE-2026-6409 (Gyorgy Sarvari, 2026-05-08, 1 file, -0/+1)
  Details: https://nvd.nist.gov/vuln/detail/CVE-2026-6409

  The vulnerability impacts only the PHP library component, not the cpp/python one. Ignore this CVE due to this.

  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
  Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
  (cherry picked from commit aef8bc34225cd0a56057749d0db1dfac773b17cb)
  Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-apiflash: upgrade 3.0.0 -> 3.0.2 (Ankur Tyagi, 2026-04-21, 1 file, -1/+1)
  https://github.com/apiflask/apiflask/releases/tag/3.0.1
  https://github.com/apiflask/apiflask/releases/tag/3.0.2

  Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-alembic: add HOMEPAGE (Ankur Tyagi, 2026-04-21, 1 file, -0/+1)
  Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-aiofiles: fix HOMEPAGE (Ankur Tyagi, 2026-04-21, 1 file, -1/+1)
  Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-astroid: upgrade 4.0.2 -> 4.0.4 (Ankur Tyagi, 2026-04-21, 1 file, -1/+1)
  https://github.com/pylint-dev/astroid/releases/tag/v4.0.3
  https://github.com/pylint-dev/astroid/releases/tag/v4.0.4

  Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-gpiod: update to v2.4.1 (Bartosz Golaszewski, 2026-03-26, 1 file, -5/+3)
  Bug-fix release addressing a memory leak and a couple minor issues.

  We now ship the license file with the dist tarball so update the recipe to take this into account. While at it: trim the LICENSE value to only include LGPL-v2.1-or-later as the other two licenses cover tests and text files.

  Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit f75f4164fd7184ed47e119c782cea583b96fbb45)
  Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-marshmallow: mark CVE-2025-68480 patched (Gyorgy Sarvari, 2026-03-26, 1 file, -0/+2)
  Details: https://nvd.nist.gov/vuln/detail/CVE-2025-68480

  The vulnerability has been fixed in version 4.1.2[1], however NVD tracks this CVE without version info. Mark it as patched explicitly.

  [1]: https://github.com/marshmallow-code/marshmallow/commit/d24a0c9df061c4daa92f71cf85aca25b83eee508

  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-tornado: upgrade 6.5.4 -> 6.5.5 (Ankur Tyagi, 2026-03-26, 1 file, -1/+1)
  Security fixes including CVE-2026-31958
  https://www.tornadoweb.org/en/stable/releases/v6.5.5.html

  Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-pyjwt: Fix CVE-2026-32597 (Ankur Tyagi, 2026-03-26, 2 files, -0/+81)
  Details https://nvd.nist.gov/vuln/detail/CVE-2026-32597

  Backport commit[1] which fixes this vulnerability as mentioned in changelog[2]

  Dropped changes to the changelog, version bump and tests during backport.

  [1] https://github.com/jpadilla/pyjwt/commit/051ea341b5573fe3edcd53042f347929b92c2b92
  [2] https://github.com/jpadilla/pyjwt/blob/2.12.0/CHANGELOG.rst

  Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-django: upgrade 4.2.28 -> 4.2.29 (Gyorgy Sarvari, 2026-03-26, 1 file, -1/+1)
  Contains fixes for CVE-2026-25673 and CVE-2026-25674.

  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-django: upgrade 5.2.11 -> 5.2.12 (Gyorgy Sarvari, 2026-03-26, 1 file, -1/+1)
  Ptests passed successfully.

  Changelog: https://docs.djangoproject.com/en/6.0/releases/5.2.12/
  - Fixed CVE-2026-25673 and CVE-2026-25674
  - Fixed NameError when inspecting functions making use of deferred annotations in Python 3.14.

  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-protobuf: mark CVE-2026-0994 patched (Gyorgy Sarvari, 2026-03-09, 1 file, -0/+1)
  Details: https://nvd.nist.gov/vuln/detail/CVE-2026-0994

  It is fixed already in the currently used version, however NVD tracks it without any version info, so it still shows up in CVE reports.

  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-pillow: patch CVE-2026-25990 (Gyorgy Sarvari, 2026-03-09, 2 files, -0/+156)
  Details: https://nvd.nist.gov/vuln/detail/CVE-2026-25990

  Backport the patch referenced by the NVD advisory. Note that the patch contains some new binary test data, which requires "git" PATCHTOOL - other tools fail to apply binary patches.

  All ptests passed successfully:

  Testsuite summary
  TOTAL: 5011
  PASS: 4577
  SKIP: 431
  XFAIL: 3
  FAIL: 0
  XPASS: 0
  ERROR: 0
  DURATION: 59
  END: /usr/lib/python3-pillow/ptest
  2026-03-06T17:58
  STOP: ptest-runner
  TOTAL: 1 FAIL: 0

  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-flask: Upgrade 3.1.2 -> 3.1.3 (Leon Anavi, 2026-03-06, 1 file, -2/+2)
  Upgrade to release 3.1.3:

  - The session is marked as accessed for operations that only access the keys but not the values, such as in and len.

  Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit 0badc6de53e06045d943143ef70773d6959f1a08)
  Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-werkzeug: upgrade 3.1.5 -> 3.1.6 (Gyorgy Sarvari, 2026-03-06, 1 file, -1/+1)
  Contains fix for CVE-2026-27199

  Changelog: safe_join on Windows does not allow special devices names in multi-segment paths

  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit 9cbc4befe55716bfcf60616cd695318a5477b32d)
  Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-sqlparse: upgrade 0.5.4 -> 0.5.5 (Wang Mingyu, 2026-03-06, 1 file, -1/+1)
  Changelog:
  ==========
  * Fix DoS protection to raise SQLParseError instead of silently returning None when grouping limits are exceeded
  * Fix splitting of BEGIN TRANSACTION statements

  Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit 48617f70328d1a2abc2787594df028a3031e5268)
  Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-greenlet: upgrade 3.2.4 -> 3.2.5 (Ankur Tyagi, 2026-03-06, 1 file, -1/+1)
  Fix a crash on Python 3.9 if there are active greenlets during interpreter shutdown
  https://greenlet.readthedocs.io/en/latest/changes.html#id4

  Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-filelock: Upgrade 3.20.2 -> 3.20.3 (Leon Anavi, 2026-03-06, 1 file, -1/+1)
  Upgrade to release 3.20.3:

  - Fix TOCTOU symlink vulnerability in SoftFileLock

  Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-filelock: Upgrade 3.20.1 -> 3.20.2 (Leon Anavi, 2026-03-06, 1 file, -1/+1)
  Upgrade to release 3.20.2:

  - Support Unix systems without O_NOFOLLOW
  - [pre-commit.ci] pre-commit autoupdate

  Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit 8b5e1f5dbf6bfe9dd6725d5dd04cd4c6aff73c86)
  Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-filelock: upgrade 3.20.0 -> 3.20.1 (Wang Mingyu, 2026-03-06, 1 file, -1/+1)
  Changelog:
  CVE-2025-68146: Fix TOCTOU symlink vulnerability in lock file creation

  Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit c2710a2df9bbafa9fabe87610f29864c56476b9d)
  Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-pybind11-json: fix Targets.cmake trying to reference host (Tafil Avdyli, 2026-03-06, 2 files, -1/+36)
  The resulting pybind11_jsonTargets.cmake in the dev-package adds an absolute path to python include directories in the target properties:

      set_target_properties(pybind11_json PROPERTIES
        INTERFACE_INCLUDE_DIRECTORIES "/usr/include/python3.13;${_IMPORT_PREFIX}/include"
      )

  The patch removes ${PYTHON_INCLUDE_DIRS} which is set by pybind11 from set_target_properties to remove the poisonous host path.

  Signed-off-by: Tafil Avdyli <tafil@tafhub.de>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit 0332dae9bb2ff79e4a4faa45c42d96e0dccee4db)
  Signed-off-by: Tafil Avdyli <tafil@tafhub.de>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-django: upgrade 4.2.27 -> 4.2.28 (Gyorgy Sarvari, 2026-02-19, 1 file, -1/+1)
  Contains fixes for CVE-2025-13473, CVE-2025-14550, CVE-2026-1207, CVE-2026-1285, CVE-2026-1287 and CVE-2026-1312

  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-django: upgrade 5.2.9 -> 5.2.11 (Gyorgy Sarvari, 2026-02-19, 1 file, -1/+1)
  Changelog:

  5.2.11:
  Contains fixes for CVE-2025-13473, CVE-2025-14550, CVE-2026-1207, CVE-2026-1285, CVE-2026-1287 and CVE-2026-1312

  5.2.10:
  * Fixed a bug in Django 5.2 where data exceeding max_length was silently truncated by QuerySet.bulk_create on PostgreSQL.
  * Fixed a bug where management command colorized help (introduced in Python 3.14) ignored the --no-color option and the DJANGO_COLORS setting.

  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-watchdog: Remove obsolete dependencies (Tero Kinnunen, 2026-02-19, 1 file, -7/+2)
  Python watchdog has removed all dependencies except optional `pyyaml` dependency for `watchmedo` utility, like follows [1]:

  * pathtools dependency was removed in 1.0.0
  * python-argh dependency removed in 2.1.6
  * requests was never a dependency
  * pyyaml only needed for extras (`watchmedo`) and may not be strictly necessary

  [1] https://github.com/gorakhargosh/watchdog/blob/master/changelog.rst

  Signed-off-by: Tero Kinnunen <tero.kinnunen@vaisala.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-python-multipart: patch CVE-2026-24486 (Gyorgy Sarvari, 2026-02-19, 2 files, -0/+62)
  Details: https://nvd.nist.gov/vuln/detail/CVE-2026-24486

  Pick the patch that is referenced by the NVD advisory.

  Ptests passed successfully:

  Testsuite summary
  TOTAL: 121
  PASS: 121
  SKIP: 0
  XFAIL: 0
  FAIL: 0
  XPASS: 0
  ERROR: 0
  DURATION: 2

  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-werkzeug: upgrade 3.1.4 -> 3.1.5 (Gyorgy Sarvari, 2026-02-19, 1 file, -1/+1)
  Contains fix for CVE-2026-21860

  Changelog:
  - safe_join on Windows does not allow more special device names, regardless of extension or surrounding spaces.
  - The multipart form parser handles a \r\n sequence at a chunk boundary. This fixes the previous attempt, which caused incorrect content lengths.
  - Fix AttributeError when initializing DebuggedApplication with pin_security=False.

  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit ecf359d2562795ca8de18f12f117cd654c30965e)

  From the release notes:
  This is the Werkzeug 3.1.5 security fix release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-werkzeug: upgrade 3.1.3 -> 3.1.4 (Wang Mingyu, 2026-02-19, 1 file, -1/+1)
  Changelog:
  ==============
  - safe_join on Windows does not allow special device names. This prevents reading from these when using send_from_directory. secure_filename already prevented writing to these.
  - The debugger pin fails after 10 attempts instead of 11.
  - The multipart form parser handles a \r\n sequence at a chunk boundary.
  - Improve CPU usage during Watchdog reloader.
  - Request.json annotation is more accurate.
  - Traceback rendering handles when the line number is beyond the available source lines.
  - HTTPException.get_response annotation and doc better conveys the distinction between WSGI and sans-IO responses.

  Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit 74aa2bdac6d658791af34881f291d91aa4dc57ba)

  Contains fix for CVE-2025-66221.

  From the release notes:
  This is the Werkzeug 3.1.4 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-virtualenv: patch CVE-2026-22702 (Gyorgy Sarvari, 2026-02-19, 2 files, -0/+61)
  Details: https://nvd.nist.gov/vuln/detail/CVE-2026-22702

  Backport the patch that is referenced by the NVD advisory.

  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-uvicorn: mark CVE-2020-7694 patched (Gyorgy Sarvari, 2026-02-19, 1 file, -0/+1)
  Details: https://nvd.nist.gov/vuln/detail/CVE-2020-7694

  The vulnerability was reported to the project[1], and the commit[2] that resolved the issue has been part of the project since version 0.11.7. Mark the CVE as patched due to this.

  [1]: https://github.com/Kludex/uvicorn/issues/723
  [2]: https://github.com/Kludex/uvicorn/commit/895807f94ea9a8e588605c12076b7d7517cda503

  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit a5ee234b8cf06b6385a9bf1eb5b60d6171a993c9)
  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-twitter: mark CVE-2012-5825 patched (Gyorgy Sarvari, 2026-02-19, 1 file, -0/+2)
  Details: https://nvd.nist.gov/vuln/detail/CVE-2012-5825

  The Debian bugtracker[1] indicated that the issue is tracked by upstream in github[2] (with a different CVE ID, but same issue), where the vulnerability was confirmed. Later in the same github issue the solution is confirmed: the project switched to use the requests library, which doesn't suffer from this vulnerability.

  Due to this mark the CVE as patched.

  [1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692444
  [2]: https://github.com/tweepy/tweepy/issues/279

  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit 3ee544e7591b36a49550a263a0ec4d64b5e490e8)
  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-tornado: upgrade 6.5.3 -> 6.5.4 (Wang Mingyu, 2026-02-19, 1 file, -1/+1)
  Bug fixes
  ~~~~~~~~~
  - The "in" operator for "HTTPHeaders" was incorrectly case-sensitive, causing lookups to fail for headers with different casing than the original header name. This was a regression in version 6.5.3 and has been fixed to restore the intended case-insensitive behavior from version 6.5.2 and earlier.

  Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit ebca0ae79d15c5d5f1489a8b5de18c810891e7e4)
  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-tornado: upgrade 6.5.2 -> 6.5.3 (Wang Mingyu, 2026-02-19, 1 file, -1/+1)
  Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit 8ba97b66461e6dc9c8b073e43286932394d53ed0)

  Changelog: https://github.com/tornadoweb/tornado/blob/master/docs/releases/v6.5.3.rst
  - Fix CVE-2025-67724, CVE-2025-67725 and CVE-2025-67726
  - Fix open redirect vulnerabilities in demos
  - Fix path traversal vulnerabilities in demos

  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-pyjwt: ignore CVE-2025-45768 (Gyorgy Sarvari, 2026-02-19, 1 file, -0/+2)
  Details: https://nvd.nist.gov/vuln/detail/CVE-2025-45768

  The CVE is disputed: though the vulnerability is there, it comes from incorrect configuration of the library by the main application. Due to this, ignore this CVE.

  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-py: ignore CVE-2022-42969 (Gyorgy Sarvari, 2026-02-19, 1 file, -0/+2)
  Details: https://nvd.nist.gov/vuln/detail/CVE-2022-42969

  Upstream could not reproduce the issue. The vulnerability currently has the "disputed" flag in the NVD database, and Github has revoked their related advisory[1].

  Ignore this CVE due to this.

  [1]: https://github.com/advisories/GHSA-w596-4wvx-j9j6

  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit 91f6b85b36316d5940ee194b1d195caf3ac040b1)
  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-orjson: upgrade 3.10.17 -> 3.10.18 (Gyorgy Sarvari, 2026-02-19, 1 file, -1/+1)
  Changelog:
  Fix incorrect escaping of the vertical tabulation character. This was introduced in 3.10.17.

  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-marshmallow: upgrade 4.1.1 -> 4.1.2 (Wang Mingyu, 2026-02-19, 1 file, -1/+1)
  Changelog:
  Merge error store messages without rebuilding collections.

  Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit 54691ea40a98cc617d374d8368c665d103ceaf07)

  Contains fix for CVE-2025-68480

  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-marshmallow: upgrade 4.1.0 -> 4.1.1 (Wang Mingyu, 2026-02-19, 1 file, -1/+1)
  Bug fix:
  Ensure URL validator is case-insensitive when using custom schemes

  Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit 39335015913a8bcc1b40fb7318334f626a9b8285)
  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-m2crypto: mark CVE-2020-25657 as patched (Gyorgy Sarvari, 2026-02-19, 1 file, -0/+1)
  Details: https://nvd.nist.gov/vuln/detail/CVE-2020-25657

  The commit[1] that fixes the vulnerability has been part of the package since version 0.39.0

  [1]: https://git.sr.ht/~mcepl/m2crypto/commit/84c53958def0f510e92119fca14d74f94215827a

  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit ba6468f7a09bf8e268ea5ac7939925c362ead876)
  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-m2crypto: ignore CVE-2009-0127 (Gyorgy Sarvari, 2026-02-19, 1 file, -0/+2)
  Details: https://nvd.nist.gov/vuln/detail/CVE-2009-0127

  The vulnerability is disputed[1] by upstream:

  "There is no vulnerability in M2Crypto. Nowhere in the functions are the return values of OpenSSL functions interpreted incorrectly. The functions provide an interface to their users that may be considered confusing, but is not incorrect, nor it is a vulnerability."

  [1]: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-0127

  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit b46a5452a1c1a417f2971e494e151fa1f4022e36)
  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-lief: upgrade 0.17.1 -> 0.17.2 (Gyorgy Sarvari, 2026-02-19, 1 file, -1/+1)
  Contains fix for CVE-2025-15504

  Changelog:
  - Differentiate Mach-O FAT magic bytes and Java class
  - Fix MinGW compilation for some configuration
  - Fix alignment issue when rebuilding PE relocations
  - Fix infinite loop when processing v2 dynamic relocation
  - Ensure that added DYN ELF sections are properly aligned
  - Fix GnuHash null dereference
  - Fix strong performance issue when parsing certain Mach-O

  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
  Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
  (cherry picked from commit cc4aa9b9d0263de0ea172db4d97ea9f98ae022b3)
  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
  Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>