summaryrefslogtreecommitdiffstats
path: root/meta-python/recipes-devtools/python
Commit message (Collapse)AuthorAgeFilesLines
* python3-pymongo: upgrade 4.6.1 -> 4.6.3Ankur Tyagi2026-01-191-1/+1
| | | | | | | | | | | 4.6.3 - Security release to address CVE-2024-5629. 4.6.2 - Fixed a bug appearing in Python 3.12 where "RuntimeError: can't create new thread at interpreter shutdown" could be written to stderr when a MongoClient's thread starts as the python interpreter is shutting down. Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-marshmallow: upgrade 3.21.1 -> 3.21.3Ankur Tyagi2026-01-191-1/+1
| | | | | | | | | | | | | | | | | 3.21.3 (2024-06-05) Bug fixes: - Fix memory leak that prevented schema instances from getting GC'd. 3.21.2 (2024-05-01) Bug fixes: - Allow timestamp 0 in fields.DateTime. https://github.com/marshmallow-code/marshmallow/blob/3.21.3/CHANGELOG.rst Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-eventlet: patch CVE-2025-58068Ankur Tyagi2026-01-192-0/+44
| | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2025-58068 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-configobj: patch CVE-2023-26112Ankur Tyagi2026-01-192-0/+27
| | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2023-26112 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-cob2: upgrade 5.6.3 -> 5.6.4Ankur Tyagi2026-01-191-1/+1
| | | | | | | | | | - Fixed compilation of C extension failing on GCC 14 - Fixed compiler warnings when building C extension https://github.com/agronholm/cbor2/releases/tag/5.6.4 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-aiohttp: patch CVE-2024-52304Ankur Tyagi2026-01-192-0/+126
| | | | | | | Details: https://nvd.nist.gov/vuln/detail/CVE-2024-52304 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-aiohttp: upgrade 3.9.4 -> 3.9.5Ankur Tyagi2026-01-191-1/+1
| | | | | | | | | | | | | | | | | | Bug fixes - Fixed "Unclosed client session" when initialization of :py:class:~aiohttp.ClientSession fails. - Fixed regression (from :pr:8280) with adding Content-Disposition to the form-data part after appending to writer. - Added default Content-Disposition in multipart/form-data responses to avoid broken form-data responses. https://github.com/aio-libs/aiohttp/releases/tag/v3.9.5 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-cbor2: Fix CVE-2025-64076Vijay Anusuri2026-01-122-0/+92
| | | | | | | Upstream-Status: Backport from https://github.com/agronholm/cbor2/commit/2349197bea8ebd1bf57a68f4a6549d8fd7585e66 Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-django: upgrade 5.0.11 -> 5.0.14Ankur Tyagi2025-12-092-103/+1
| | | | | | | | | | | | Drop patch merged in the upstream. Release notes: https://docs.djangoproject.com/en/dev/releases/5.0.12/ https://docs.djangoproject.com/en/dev/releases/5.0.13/ https://docs.djangoproject.com/en/dev/releases/5.0.14/ Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-passlib: add python3-misc as a depencencyMichael Wyraz2025-11-171-0/+1
| | | | | | | | | | | python3-passlib requires 'timtit' at runtime which is part of python3-misc Issue #1001 Signed-off-by: Michael Wyraz <mw@brick4u.de> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 82f17c4afe51dc1106094a2342ee9c8ece691044) Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-transitions: add native supportMichael Wyraz2025-11-171-0/+2
| | | | | | | | | Issue #997 Signed-off-by: Michael Wyraz <mw@brick4u.de> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit ac8e1757ad9632ca03ce0aad04b3611a5895e0ca) Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-passlib: add native supportMichael Wyraz2025-11-171-0/+2
| | | | | | | | | Issue #998 Signed-off-by: Michael Wyraz <mw@brick4u.de> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit d786d02d22b9249b7a810ab72dd14bc32520101c) Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-behave: update SRC_URI branchGyorgy Sarvari2025-11-121-1/+1
| | | | | | | Master branch was renamed to main. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-django 5.0.11: Fix CVE-2025-26699Anil Dongare2025-11-122-0/+102
| | | | | | | | | | | | | Upstream Repository: https://github.com/django/django.git Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2025-26699 Type: Security Fix CVE: CVE-2025-26699 Score: 7.5 Patch: https://github.com/django/django/commit/e88f7376fe68 Signed-off-by: Anil Dongare <adongare@cisco.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-django 5.0.11: ignore CVE-2025-27556Anil Dongare2025-11-121-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | Upstream Repository: https://github.com/django/django.git Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2025-27556 Type: Security Advisory CVE: CVE-2025-27556 Score: 7.5 Analysis: - CVE-2025-27556 affects Django 5.1 before 5.1.8 and 5.0 before 5.0.14. - The issue occurs due to slow NFKC normalization on Windows, which can cause a denial-of-service (DoS) when handling inputs containing a very large number of Unicode characters. - Affected Django components: django.contrib.auth.views.LoginView django.contrib.auth.views.LogoutView django.views.i18n.set_language - This performance degradation is specific to Windows, caused by the Windows Unicode normalization implementation. Reference: - https://nvd.nist.gov/vuln/detail/CVE-2025-27556 - https://github.com/django/django/commit/2cb311f7b069 Signed-off-by: Anil Dongare <adongare@cisco.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
* python3-django: upgrade 4.2.18 -> 4.2.20Soumya Sambu2025-10-301-2/+2
| | | | | | | | | | | | | | Includes fix for CVE-2025-26699 Release Notes: https://docs.djangoproject.com/en/dev/releases/4.2.19/ https://docs.djangoproject.com/en/dev/releases/4.2.20/ Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 54f5df8907cbf1212d0733ffddc049c7b8b8aaf0) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
* python3-posix-ipc: fix runtime errorHaixiao Yan2025-09-232-0/+48
| | | | | | | | | Fix follow runtime error: ./build_support/src/sniff_mq_prio_max: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./build_support/src/sniff_mq_prio_max) Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
* python3-werkzeug: added python3-difflib as RDEPENDSJan Vermaete2025-09-121-0/+1
| | | | | | | | | | | File "/usr/lib/python3.12/site-packages/werkzeug/routing/exceptions.py", line 3, in <module> import difflib ModuleNotFoundError: No module named 'difflib' Signed-off-by: Jan Vermaete <jan.vermaete@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Leon Anavi <leon.anavi@konsulko.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
* python3-h5py: backport fixes for incompatible-pointer-types issuesMartin Jansa2025-07-103-2/+56
| | | | | | | | | | | | | Needed in scarthgap for native build on hosts with gcc-14 and newer. It was in master since: https://git.openembedded.org/meta-openembedded/diff/meta-python/recipes-devtools/python/python3-h5py_3.11.0.bb?id=f0c767407d033e3f39ceeccc2f7e03a1ca7a6443 and then removed as fixed in 3.11.0 by: https://git.openembedded.org/meta-openembedded/commit/?id=4b990b6dbabaeb65df5bf46546a873c69032a040 but scarthgap has older 3.10.0, backport necessary changes. Signed-off-by: Martin Jansa <martin.jansa@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3-pylint: correct the SRC_URIGuocai He2025-07-061-1/+1
| | | | | | | | In the SRC_URI, the branch of maintenance/3.1.x has been reomved, which will cause do fetch error. So update as "branch=main" Signed-off-by: Guocai He <guocai.he.cn@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3-protobuf: upgrade from 4.25.3 to 4.25.8Chen Qi2025-07-061-1/+1
| | | | | | | protobuf has upgraded to 4.25.8. Sync with it. Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3-posix-ipc: improve build_supportMartin Jansa2025-05-214-0/+166
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * fixes: https://lists.openembedded.org/g/openembedded-devel/message/117255 DEBUG: Executing shell function do_compile * Getting build dependencies for wheel... /usr/lib/ld-linux-aarch64.so.1: No such file or directory Traceback (most recent call last): File "TOPDIR/BUILD/work/raspberrypi4_64-webos-linux/python3-posix-ipc/1.2.0/recipe-sysroot-native/usr/lib/python3.13/site-packages/pyproject_hooks/_in_process/_in_process.py", line 389, in <module> main() ~~~~^^ File "TOPDIR/BUILD/work/raspberrypi4_64-webos-linux/python3-posix-ipc/1.2.0/recipe-sysroot-native/usr/lib/python3.13/site-packages/pyproject_hooks/_in_process/_in_process.py", line 373, in main json_out["return_val"] = hook(**hook_input["kwargs"]) ~~~~^^^^^^^^^^^^^^^^^^^^^^^^ File "TOPDIR/BUILD/work/raspberrypi4_64-webos-linux/python3-posix-ipc/1.2.0/recipe-sysroot-native/usr/lib/python3.13/site-packages/pyproject_hooks/_in_process/_in_process.py", line 143, in get_requires_for_build_wheel return hook(config_settings) File "TOPDIR/BUILD/work/raspberrypi4_64-webos-linux/python3-posix-ipc/1.2.0/recipe-sysroot-native/usr/lib/python3.13/site-packages/setuptools/build_meta.py", line 334, in get_requires_for_build_wheel return self._get_build_requires(config_settings, requirements=[]) ~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "TOPDIR/BUILD/work/raspberrypi4_64-webos-linux/python3-posix-ipc/1.2.0/recipe-sysroot-native/usr/lib/python3.13/site-packages/setuptools/build_meta.py", line 304, in _get_build_requires self.run_setup() ~~~~~~~~~~~~~~^^ File "TOPDIR/BUILD/work/raspberrypi4_64-webos-linux/python3-posix-ipc/1.2.0/recipe-sysroot-native/usr/lib/python3.13/site-packages/setuptools/build_meta.py", line 320, in run_setup exec(code, locals()) ~~~~^^^^^^^^^^^^^^^^ File "<string>", line 23, in <module> File "TOPDIR/BUILD/work/raspberrypi4_64-webos-linux/python3-posix-ipc/1.2.0/posix_ipc-1.2.0/build_support/discover_system_info.py", line 409, in discover d["QUEUE_PRIORITY_MAX"] = sniff_mq_prio_max() ~~~~~~~~~~~~~~~~~^^ File "TOPDIR/BUILD/work/raspberrypi4_64-webos-linux/python3-posix-ipc/1.2.0/posix_ipc-1.2.0/build_support/discover_system_info.py", line 238, in sniff_mq_prio_max if max_priority < 0: ^^^^^^^^^^^^^^^^ TypeError: '<' not supported between instances of 'str' and 'int' ERROR Backend subprocess exited when trying to invoke get_requires_for_build_wheel WARNING: TOPDIR/BUILD/work/raspberrypi4_64-webos-linux/python3-posix-ipc/1.2.0/temp/run.do_compile.2736023:168 exit 1 from 'nativepython3 -m build --no-isolation --wheel --outdir TOPDIR/BUILD/work/raspberrypi4_64-webos-linux/python3-posix-ipc/1.2.0/dist TOPDIR/BUILD/work/raspberrypi4_64-webos-linux/python3-posix-ipc/1.2.0/posix_ipc-1.2.0' WARNING: Backtrace (BB generated script): On some hosts. Signed-off-by: Martin Jansa <martin.jansa@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3-posix-ipc: switch to PEP-517 build backendKhem Raj2025-05-171-1/+1
| | | | | | Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Guðni Már Gilbert <gudni.m.g@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3-posix-ipc: upgrade 1.1.1 -> 1.2.0Wang Mingyu2025-05-171-2/+2
| | | | | | | | | | | | 0001-Use-default-cc-from-environment-variable.patch removed since it's not available in 1.2.0 License-Update: Reorg and rename files; add pyproject.toml Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Guðni Már Gilbert <gudni.m.g@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* tftpy: fix CVE-2023-46566Archana Polampalli2025-04-262-0/+28
| | | | | | | | Buffer Overflow vulnerability in msoulier tftpy commit 467017b844bf6e31745138a30e2509145b0c529c allows a remote attacker to cause a denial of service via the parse function in the TftpPacketFactory class. Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3-pycocotools: Remove absolute paths from commentsKhem Raj2025-04-161-0/+4
| | | | | | | | | | _mask.c is generated by cython and encodes sourcepaths into comments which are absolute. Edit them out. Fixes buildpaths QA errors Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Armin Kuster <akuster@mvista.com>
* python3-pyproj: Remove absolute paths from cython generated .c filesKhem Raj2025-04-161-0/+8
| | | | | Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Armin Kuster <akuster@mvista.com>
* python3-pyproj: Fix buildpaths QA ErrorKhem Raj2025-04-162-0/+20
| | | | | | | | | | | | This error is due to absolute paths leaking into ELF files due to -rpath option in compiler cmdline, therefore patch them out. Apply patch [1] from Debian [1] https://sources.debian.org/data/main/p/python-pyproj/3.6.1-4/debian/patches/rpath.patch Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Armin Kuster <akuster@mvista.com>
* python3-kivy: Remove buildpaths from comments in generated C sourcesKhem Raj2025-04-161-0/+7
| | | | | | | | | | | | | | Cython does not provide a direct option to disable or customize the metadata written in the generated C files. The metadata includes information like the Cython version and absolute paths to the original Cython files, which can be problematic for doing reproducible builds Therefore edit out these comments from the cython generated C files they are nicely tucked between two known tags at the top of file. Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Armin Kuster <akuster@mvista.com>
* python3-grpcio(-tools): fix build concurrency issuePeter Marko2025-03-032-0/+8
| | | | | | | | | | | | | | | | | | | Set GRPC_PYTHON_BUILD_EXT_COMPILER_JOBS to limit spawned compiler processes. Without this it uses all available CPUs (via multiprocessing.cpu_count()) and can exhaust build host since there are lot of files to compile (e.g. with 128 cores it manages to spawn 128 gcc processes) Note that this is a general problem for all setuptools based builds with build_ext compilation which can either compile with 1 thread or cpu_count threads. grpcio hot-patches setuptools and allows to set specific build concurrency value. (From master rev: fe582374d3ba474164005942799eb2bddc52a080) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3-django: upgrade 4.2.17 -> 4.2.18Soumya Sambu2025-03-031-2/+2
| | | | | | | | | | Fixes CVE-2024-56374 Release Notes: https://docs.djangoproject.com/en/dev/releases/4.2.18/ Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3-django: upgrade 5.0.10 -> 5.0.11Soumya Sambu2025-03-031-1/+1
| | | | | | | | | | Fixes CVE-2024-56374 Release Notes: https://docs.djangoproject.com/en/dev/releases/5.0.11/ Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3-grpcio: patch CVE-2024-11407Peter Marko2025-02-042-0/+33
| | | | | | | | | | Cherry-pick commit [1] mentioned in [2]. [1] https://github.com/grpc/grpc/commit/e9046b2bbebc0cb7f5dc42008f807f6c7e98e791 [2] https://nvd.nist.gov/vuln/detail/CVE-2024-11407 Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3-django: upgrade 5.0.9 -> 5.0.10Soumya Sambu2025-01-201-1/+1
| | | | | | | | | | Fixes CVE-2024-53907 and CVE-2024-53908 Release Notes: https://docs.djangoproject.com/en/dev/releases/5.0.10/ Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3-django: upgrade 4.2.16 -> 4.2.17Soumya Sambu2025-01-201-2/+2
| | | | | | | | | | Fixes CVE-2024-53907 and CVE-2024-53908 Release Notes: https://docs.djangoproject.com/en/dev/releases/4.2.17/ Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3-tornado: Upgrade 6.4 -> 6.4.2Soumya Sambu2024-12-271-2/+2
| | | | | | | | | | | | | Changelog: ========== https://github.com/tornadoweb/tornado/releases/tag/v6.4.2 https://github.com/tornadoweb/tornado/releases/tag/v6.4.1 Switch to python_setuptools_build_meta - https://github.com/tornadoweb/tornado/commit/e71fb6e616e08838df55dddb494c96a80454f812 Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> Signed-off-by: Armin Kuster <akuster@mvista.com>
* python3-werkzeug: upgrade 3.0.3 -> 3.0.6Soumya Sambu2024-12-151-1/+1
| | | | | | | | | | | | Includes fix for CVE-2024-49767 Changelog: ========== https://github.com/pallets/werkzeug/blob/3.0.6/CHANGES.rst Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3-xmodem: replace hardcoded /usr with ${prefix}Justin Bronder2024-11-091-2/+2
| | | | | | | | Without this the native recipe cannot be built. Signed-off-by: Justin Bronder <jsbronder@cold-front.org> (cherry picked from commit 4a86f8a54fe96f4aa05232180a2a744a15638f55) Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3-django: upgrade 5.0.4 -> 5.0.9Fathi Boudra2024-09-221-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | CVE-2024-45230: Potential denial-of-service vulnerability in django.utils.html.urlize() urlize and urlizetrunc were subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters. CVE-2024-45231: Potential user email enumeration via response status on password reset Due to unhandled email sending failures, the django.contrib.auth.forms.PasswordResetForm class allowed remote attackers to enumerate user emails by issuing password reset requests and observing the outcomes. To mitigate this risk, exceptions occurring during password reset email sending are now handled and logged using the django.contrib.auth logger. CVE-2024-41989: Memory exhaustion in django.utils.numberformat.floatformat() The floatformat template filter is subject to significant memory consumption when given a string representation of a number in scientific notation with a large exponent. CVE-2024-41990: Potential denial-of-service in django.utils.html.urlize() The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters. CVE-2024-41991: Potential denial-of-service vulnerability in django.utils.html.urlize() and AdminURLFieldWidget The urlize and urlizetrunc template filters, and the AdminURLFieldWidget widget, are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters. CVE-2024-42005: Potential SQL injection in QuerySet.values() and values_list() QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a crafted JSON object key as a passed *arg. CVE-2024-38875: Potential denial-of-service in django.utils.html.urlize() urlize() and urlizetrunc() were subject to a potential denial-of-service attack via certain inputs with a very large number of brackets. CVE-2024-39329: Username enumeration through timing difference for users with unusable passwords The django.contrib.auth.backends.ModelBackend.authenticate() method allowed remote attackers to enumerate users via a timing attack involving login requests for users with unusable passwords. CVE-2024-39330: Potential directory-traversal in django.core.files.storage.Storage.save() Derived classes of the django.core.files.storage.Storage base class which override generate_filename() without replicating the file path validations existing in the parent class, allowed for potential directory-traversal via certain inputs when calling save(). Built-in Storage sub-classes were not affected by this vulnerability. CVE-2024-39614: Potential denial-of-service in django.utils.translation.get_supported_language_variant() get_supported_language_variant() was subject to a potential denial-of-service attack when used with very long strings containing specific characters. To mitigate this vulnerability, the language code provided to get_supported_language_variant() is now parsed up to a maximum length of 500 characters. Signed-off-by: Fathi Boudra <fathi.boudra@linaro.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3-django: upgrade 4.2.11 -> 4.2.16Fathi Boudra2024-09-221-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | CVE-2024-45230: Potential denial-of-service vulnerability in django.utils.html.urlize() urlize and urlizetrunc were subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters. CVE-2024-45231: Potential user email enumeration via response status on password reset Due to unhandled email sending failures, the django.contrib.auth.forms.PasswordResetForm class allowed remote attackers to enumerate user emails by issuing password reset requests and observing the outcomes. To mitigate this risk, exceptions occurring during password reset email sending are now handled and logged using the django.contrib.auth logger. CVE-2024-41989: Memory exhaustion in django.utils.numberformat.floatformat() The floatformat template filter is subject to significant memory consumption when given a string representation of a number in scientific notation with a large exponent. CVE-2024-41990: Potential denial-of-service in django.utils.html.urlize() The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters. CVE-2024-41991: Potential denial-of-service vulnerability in django.utils.html.urlize() and AdminURLFieldWidget The urlize and urlizetrunc template filters, and the AdminURLFieldWidget widget, are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters. CVE-2024-42005: Potential SQL injection in QuerySet.values() and values_list() QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a crafted JSON object key as a passed *arg. CVE-2024-38875: Potential denial-of-service in django.utils.html.urlize() urlize() and urlizetrunc() were subject to a potential denial-of-service attack via certain inputs with a very large number of brackets. CVE-2024-39329: Username enumeration through timing difference for users with unusable passwords The django.contrib.auth.backends.ModelBackend.authenticate() method allowed remote attackers to enumerate users via a timing attack involving login requests for users with unusable passwords. CVE-2024-39330: Potential directory-traversal in django.core.files.storage.Storage.save() Derived classes of the django.core.files.storage.Storage base class which override generate_filename() without replicating the file path validations existing in the parent class, allowed for potential directory-traversal via certain inputs when calling save(). Built-in Storage sub-classes were not affected by this vulnerability. CVE-2024-39614: Potential denial-of-service in django.utils.translation.get_supported_language_variant() get_supported_language_variant() was subject to a potential denial-of-service attack when used with very long strings containing specific characters. To mitigate this vulnerability, the language code provided to get_supported_language_variant() is now parsed up to a maximum length of 500 characters. Fixed a crash in Django 4.2 when validating email max line lengths with content decoded using the surrogateescape error handling scheme (#35361) Signed-off-by: Fathi Boudra <fathi.boudra@linaro.org> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3-libevdev: Fix LIC_FILES_CHKSUMNiko Mauno2024-09-091-1/+1
| | | | | | | | | Change the reference to the MIT license containing COPYING file in the downloaded archive. Signed-off-by: Niko Mauno <niko.mauno@vaisala.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3-haversine: Fix LIC_FILES_CHKSUMNiko Mauno2024-09-091-1/+1
| | | | | | | | | Change the reference to the MIT license containing LICENSE file in the downloaded archive. Signed-off-by: Niko Mauno <niko.mauno@vaisala.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3-googleapis-common-protos: Fix LIC_FILES_CHKSUMNiko Mauno2024-09-091-1/+1
| | | | | | | | | Change the reference to the Apache-2.0 license containing LICENSE file in the downloaded archive. Signed-off-by: Niko Mauno <niko.mauno@vaisala.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3-pycurl: Fix LICENSENiko Mauno2024-09-091-1/+1
| | | | | | | | | | Contents of https://github.com/pycurl/pycurl/blob/REL_7_45_2/COPYING-LGPL correspond to version 2.1 of the license rather than 2.0. Signed-off-by: Niko Mauno <niko.mauno@vaisala.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3-nmap: Fix LICENSE and LIC_FILES_CHKSUMNiko Mauno2024-09-091-2/+2
| | | | | | | | | | | | | In the source code repository the LICENSE file is GPL-3.0-only: https://github.com/nmmapper/python3-nmap/blob/1.5.2/LICENSE https://github.com/nmmapper/python3-nmap/blob/1.7.0/LICENSE Also change the LIC_FILES_CHKSUM reference to the GPLv3.0 license containing LICENSE file in the downloaded archive. Signed-off-by: Niko Mauno <niko.mauno@vaisala.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3-fann2: Fix LICENSENiko Mauno2024-09-091-1/+1
| | | | | | | | | | | According to https://github.com/FutureLinkCorporation/fann2/tree/1.1.2?tab=readme-ov-file#license and https://github.com/FutureLinkCorporation/fann2/blob/1.1.2/LICENSE this project is subject to LGPL-2.1-only license. Signed-off-by: Niko Mauno <niko.mauno@vaisala.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3-colorama: Fix LICENSENiko Mauno2024-09-091-1/+1
| | | | | | | | | | https://github.com/tartley/colorama?tab=readme-ov-file#license and https://github.com/tartley/colorama/blob/0.4.6/LICENSE.txt declare that this project is subject to BSD-3-Clause license. Signed-off-by: Niko Mauno <niko.mauno@vaisala.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3-platformdirs: Fix LICENSENiko Mauno2024-09-091-1/+1
| | | | | | | | | | According to https://pypi.org/project/platformdirs/ and https://github.com/platformdirs/platformdirs/blob/4.2.0/LICENSE the project is subject to MIT license. Signed-off-by: Niko Mauno <niko.mauno@vaisala.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3-pillow: Fix LICENSE and change SUMMARY to DESCRIPTIONNiko Mauno2024-09-091-2/+2
| | | | | | | | | | | | | According to https://pypi.org/project/pillow/ and https://github.com/python-pillow/Pillow/blob/10.3.0/LICENSE the project is subject to HPND license. Also change SUMMARY to DESCRIPTION as it's value is clearly over 72 characters long. Signed-off-by: Niko Mauno <niko.mauno@vaisala.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3-parse-type: Fix LICENSENiko Mauno2024-09-091-1/+1
| | | | | | | | | | According to https://pypi.org/project/parse-type/ and https://github.com/jenisys/parse_type/blob/v0.6.2/LICENSE the project is subject to MIT license. Signed-off-by: Niko Mauno <niko.mauno@vaisala.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2026-05-10 13:40:04 +0000