path: root/meta-python
Commit message | Author | Age | Files | Lines
* python3-django: fix indentation error in CVE patch | Gyorgy Sarvari | 2026-01-15 | 1 | -9/+9

  This change is for python3-django_2.2.28. This patch contains an incorrect indentation, making the tests fail. This change fixes that.

  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-django: Fix missing JSONField in django.db.models | Haixiao Yan | 2026-01-15 | 2 | -0/+78

  Fix the following error introduced by CVE-2024-42005.patch:

    AttributeError: module 'django.db.models' has no attribute 'JSONField'

  The patch assumes JSONField is available from django.db.models, which is not the case for this Django version. Revert the changes in the following files to restore compatibility:

    tests/expressions/models.py
    tests/expressions/test_queryset_values.py

  Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-django: Fix undefined _lazy_re_compile | Haixiao Yan | 2026-01-15 | 2 | -0/+50

  Fix the following error introduced by CVE-2024-27351.patch and CVE-2025-32873.patch:

    NameError: name '_lazy_re_compile' is not defined

  Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-tqdm: patch CVE-2024-34062 | Gyorgy Sarvari | 2026-01-08 | 2 | -0/+65

  Details: https://nvd.nist.gov/vuln/detail/CVE-2024-34062

  Pick the patch mentioned by the NVD advisory.

  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-tornado: patch CVE-2024-52804 | Gyorgy Sarvari | 2026-01-08 | 2 | -1/+145

  Details: https://nvd.nist.gov/vuln/detail/CVE-2024-52804

  Pick the patch mentioned by the NVD advisory.

  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-tornado: patch CVE-2023-28370 | Gyorgy Sarvari | 2026-01-08 | 2 | -0/+40

  Details: https://nvd.nist.gov/vuln/detail/CVE-2023-28370

  The NVD advisory mentions that the vulnerability was fixed in v6.3.2. I checked the commits in that tag, and picked the only one whose commit message described the same vulnerability as the NVD report.

  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-m2crypto: ignore CVE-2009-0127 | Gyorgy Sarvari | 2026-01-08 | 1 | -0/+3

  Details: https://nvd.nist.gov/vuln/detail/CVE-2009-0127

  The vulnerability is disputed[1] by upstream:

    "There is no vulnerability in M2Crypto. Nowhere in the functions are the return values of OpenSSL functions interpreted incorrectly. The functions provide an interface to their users that may be considered confusing, but is not incorrect, nor it is a vulnerability."

  [1]: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-0127

  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-waitress: patch CVE-2024-49769 | Gyorgy Sarvari | 2026-01-08 | 7 | -0/+406

  Details: https://nvd.nist.gov/vuln/detail/CVE-2024-49769

  Pick the patch that is referenced in the NVD report (which is a merge commit; the patches here are the individual patches from that merge).

  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-waitress: patch CVE-2024-49768 | Gyorgy Sarvari | 2026-01-08 | 5 | -0/+350

  Details: https://nvd.nist.gov/vuln/detail/CVE-2024-49768

  Pick the patch mentioned in the NVD report (which is a merge commit, and the patches here are the individual commits from that merge).

  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-werkzeug: ignore CVE-2024-49766 and CVE-2025-66221 | Gyorgy Sarvari | 2026-01-08 | 1 | -0/+3

  Details:
  https://nvd.nist.gov/vuln/detail/CVE-2024-49766
  https://nvd.nist.gov/vuln/detail/CVE-2025-66221

  Both vulnerabilities affect Windows only - ignore them.

  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-waitress: upgrade 2.1.1 -> 2.1.2 | wangmy | 2026-01-08 | 1 | -1/+1

  Remove change of default for clear_untrusted_proxy_headers

  Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit ef4e48c7a06b16755181a11d1d2d0d823353a95d)

  Contains fix for CVE-2022-31015

  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-mpmath: patch CVE-2021-29063 | Gyorgy Sarvari | 2026-01-08 | 2 | -0/+52

  Details: https://nvd.nist.gov/vuln/detail/CVE-2021-29063

  Pick the patch referenced by the NVD advisory.

  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-pyjwt: patch CVE-2022-29217 | Gyorgy Sarvari | 2026-01-08 | 2 | -0/+296

  Details: https://nvd.nist.gov/vuln/detail/CVE-2022-29217

  Pick the patch referenced by the NVD advisory.

  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-joblib: upgrade 1.1.0 -> 1.1.1 | Gyorgy Sarvari | 2026-01-08 | 1 | -1/+1

  The only change is a fix for CVE-2022-21797

  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-ipython: patch CVE-2023-24816 | Gyorgy Sarvari | 2026-01-08 | 2 | -0/+95

  Details: https://nvd.nist.gov/vuln/detail/CVE-2023-24816

  Pick the patch referenced by the NVD report.

  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-flask: patch CVE-2023-30861 | Gyorgy Sarvari | 2026-01-08 | 2 | -0/+95

  Details: https://nvd.nist.gov/vuln/detail/CVE-2023-30861

  Pick the patch referenced by the NVD report.

  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-configobj: patch CVE-2023-26112 | Gyorgy Sarvari | 2026-01-08 | 2 | -1/+27

  Details: https://nvd.nist.gov/vuln/detail/CVE-2023-26112

  Pick the patch that resolves the issue referenced in the NVD report.

  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-cbor2: ignore CVE-2025-64076 | Gyorgy Sarvari | 2026-01-08 | 1 | -0/+3

  Details: https://nvd.nist.gov/vuln/detail/CVE-2025-64076

  The vulnerability was introduced in v5.6.0[1], the recipe version doesn't contain the vulnerable piece of code.

  [1]: https://github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542

  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-protobuf: set CVE_PRODUCT | Peter Marko | 2026-01-08 | 1 | -0/+2

  Similarly to c++ protobuf, add products matching historical entries.

  Signed-off-by: Peter Marko <peter.marko@siemens.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit ae7556a737f7d21b0e345226fdab4a286d2f85db)
  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python-grpcio(-tools): add grpc:grpc to cve product | Peter Marko | 2026-01-08 | 2 | -0/+4

  These grpc python modules contain parts of grpc core. Each CVE needs to be assessed if the patch applies also to core parts included in each module.

  Note that so far there was never a CVE specific for python module, only for grpc:grpc and many of those needed to be fixed at least in grpcio:

    sqlite> select vendor, product, count(*) from products where product like '%grpc%' group by vendor, product;
    grpc|grpc|21
    grpck|grpck|1
    linuxfoundation|grpc_swift|9
    microsoft|grpconv|1
    opentelemetry|configgrpc|1

  Signed-off-by: Peter Marko <peter.marko@siemens.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit f993cb2ecb62193bcce8d3d0e06e180a7fef44b8)
  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-django: ignore CVE-2024-22199 | Gyorgy Sarvari | 2026-01-08 | 1 | -0/+2

  This CVE is not for python-django, but for some go project which shares the same name. Ignore this CVE due to this.

  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-django: fix CVE-2025-64459 | Haixiao Yan | 2025-12-18 | 2 | -0/+61

  The methods QuerySet.filter(), QuerySet.exclude(), and QuerySet.get(), and the class Q() were subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the _connector argument.

  Reference:
  https://nvd.nist.gov/vuln/detail/CVE-2025-64459
  https://shivasurya.me/security/django/2025/11/07/django-sql-injection-CVE-2025-64459.html

  Upstream-patch:
  https://github.com/django/django/commit/98e642c69181c942d60a10ca0085d48c6b3068bb

  Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-django: fix CVE-2025-32873 | Saravanan | 2025-12-05 | 4 | -0/+219

  Reference:
  https://nvd.nist.gov/vuln/detail/CVE-2025-32873

  Upstream-patch:
  https://github.com/django/django/commit/9cd8028f3e38dca8e51c1388f474eecbe7d6ca3c/

  Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com>
  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-django: fix CVE-2024-53907 | Saravanan | 2025-12-05 | 2 | -0/+125

  Reference:
  https://nvd.nist.gov/vuln/detail/CVE-2024-53907

  Upstream-patch:
  https://github.com/django/django/commit/790eb058b0716c536a2f2e8d1c6d5079d776c22b/

  Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com>
  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-django: fix CVE-2024-41991 | Saravanan | 2025-12-05 | 2 | -0/+144

  Reference:
  https://nvd.nist.gov/vuln/detail/CVE-2024-41991

  Upstream-patch:
  https://github.com/django/django/commit/efea1ef7e2190e3f77ca0651b5458297bc0f6a9f/

  Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com>
  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-django: fix CVE-2024-39330 | Saravanan | 2025-11-30 | 4 | -0/+367

  Reference:
  https://nvd.nist.gov/vuln/detail/CVE-2024-39330

  Upstream-patch:
  https://github.com/django/django/commit/2b00edc0151a660d1eb86da4059904a0fc4e095e

  Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com>
  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-django: fix CVE-2024-39329 | Saravanan | 2025-11-30 | 4 | -0/+227

  Reference:
  https://nvd.nist.gov/vuln/detail/CVE-2024-39329

  Upstream-patch:
  https://github.com/django/django/commit/156d3186c96e3ec2ca73b8b25dc2ef366e38df14

  Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com>
  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-django: fix CVE-2025-57833 | Saravanan | 2025-11-30 | 4 | -0/+207

  Reference:
  https://nvd.nist.gov/vuln/detail/CVE-2025-57833

  Upstream-patch:
  https://github.com/django/django/commit/31334e6965ad136a5e369993b01721499c5d1a92

  Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com>
  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-django: fix CVE-2024-56374 | Saravanan | 2025-11-30 | 4 | -0/+625

  Reference:
  https://nvd.nist.gov/vuln/detail/CVE-2024-56374

  Upstream-patch:
  https://github.com/django/django/commit/ad866a1ca3e7d60da888d25d27e46a8adb2ed36e

  Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com>
  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-django: fix CVE-2025-26699 | Saravanan | 2025-11-30 | 4 | -0/+217

  Reference:
  https://nvd.nist.gov/vuln/detail/CVE-2025-26699

  Upstream-patch:
  https://github.com/django/django/commit/e88f7376fe68dbf4ebaf11fad1513ce700b45860

  Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com>
  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-django: fix CVE-2024-27351 | Saravanan | 2025-11-30 | 2 | -0/+150

  Reference:
  https://nvd.nist.gov/vuln/detail/CVE-2024-27351

  Upstream-patch:
  https://github.com/django/django/commit/072963e4c4d0b3a7a8c5412bc0c7d27d1a9c3521

  Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com>
  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-django: upgrade 4.2.17 -> 4.2.26 | Saravanan | 2025-11-30 | 3 | -14/+22

  Fixes CVE-2025-64459, CVE-2025-64458, CVE-2025-59682, CVE-2025-59681, CVE-2025-57833, CVE-2025-48432, CVE-2025-32873, CVE-2025-26699, CVE-2024-56374 and other bug fixes.

  Release notes:
  https://docs.djangoproject.com/en/dev/releases/4.2.18/
  https://docs.djangoproject.com/en/dev/releases/4.2.19/
  https://docs.djangoproject.com/en/dev/releases/4.2.20/
  https://docs.djangoproject.com/en/dev/releases/4.2.21/
  https://docs.djangoproject.com/en/dev/releases/4.2.22/
  https://docs.djangoproject.com/en/dev/releases/4.2.23/
  https://docs.djangoproject.com/en/dev/releases/4.2.24/
  https://docs.djangoproject.com/en/dev/releases/4.2.25/
  https://docs.djangoproject.com/en/dev/releases/4.2.26/

  Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com>
  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-django: upgrade 3.2.23 -> 3.2.25 | Saravanan | 2025-11-30 | 1 | -2/+2

  Fixes CVE-2024-27351, CVE-2024-24680 and other bugfixes.

  Release notes:
  https://docs.djangoproject.com/en/dev/releases/3.2.24/
  https://docs.djangoproject.com/en/dev/releases/3.2.25/

  Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com>
  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-behave: update SRC_URI branch | Gyorgy Sarvari | 2025-11-17 | 1 | -1/+1

  Master branch was renamed to main.

  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-aiohttp: Fix CVE-2024-23829 | Soumya Sambu | 2025-11-07 | 2 | -0/+345

  aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Security-sensitive parts of the Python HTTP parser retained minor differences in allowable character sets, that must trigger error handling to robustly match frame boundaries of proxies in order to protect against injection of additional requests. Additionally, validation could trigger exceptions that were not handled consistently with processing of other malformed input. Being more lenient than internet standards require could, depending on deployment environment, assist in request smuggling. The unhandled exception could cause excessive resource consumption on the application server and/or its logging facilities. This vulnerability exists due to an incomplete fix for CVE-2023-47627. Version 3.9.2 fixes this vulnerability.

  References:
  https://nvd.nist.gov/vuln/detail/CVE-2024-23829
  https://security-tracker.debian.org/tracker/CVE-2024-23829

  Upstream patch:
  https://github.com/aio-libs/aiohttp/commit/d33bc21414e283c9e6fe7f6caf69e2ed60d66c82

  Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
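  The commit message above makes two points that are easy to state and hard to see without code: a backend parser that accepts a header name the standard forbids will frame a request differently from a strict proxy in front of it, and a parse failure that escapes as an arbitrary exception is itself a resource problem. The following is an added example written for this log, not aiohttp's parser and not the upstream patch. It contrasts a forgiving header parser (`parse_headers_lenient`) with a grammar-exact one (`parse_headers_strict`) on constructed request heads; the function names, the `BadRequest` class and the sample bytes are all assumptions of this example. The `TCHAR` set is the RFC 9110 field-name alphabet.

```python
"""Added example: strict versus lenient HTTP/1.1 header-name handling.

Not aiohttp's code. Request heads below are constructed for illustration.
"""
import string
from collections.abc import Callable

# RFC 9110 "tchar": every byte allowed in an HTTP field name. Anything else
# (notably whitespace) makes the field name invalid.
TCHAR = frozenset((string.ascii_letters + string.digits + "!#$%&'*+-.^_`|~").encode())


class BadRequest(ValueError):
    """The single, expected failure for malformed input; handled, never leaked."""


def parse_headers_lenient(raw: bytes) -> dict[str, str]:
    """Forgiving parser: trims whitespace around the name and never rejects.

    'Content-Length : 5' is silently treated as Content-Length, so this parser
    may frame a body that a stricter peer did not see at all.
    """
    headers: dict[str, str] = {}
    for line in raw.split(b"\r\n"):
        if not line:
            continue
        name, _, value = line.partition(b":")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return headers


def parse_headers_strict(raw: bytes) -> dict[str, str]:
    """Grammar-exact parser: a non-tchar byte in the name, a missing colon or a
    duplicate Content-Length is an error, never a guess about what was meant."""
    headers: dict[str, str] = {}
    for line in raw.split(b"\r\n"):
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep or not name or any(b not in TCHAR for b in name):
            raise BadRequest(f"invalid field name {name!r}")
        key = name.decode("ascii").lower()
        if key == "content-length" and key in headers:
            raise BadRequest("duplicate Content-Length")
        headers[key] = value.strip(b" \t").decode("latin-1")
    return headers


def body_length(headers: dict[str, str]) -> int:
    """Framing decision: how many body bytes follow the head."""
    value = headers.get("content-length", "0")
    if not value.isdigit():
        raise BadRequest(f"bad Content-Length {value!r}")
    return int(value)


def handle_head(raw: bytes, parser: Callable[[bytes], dict[str, str]]) -> tuple[int, int]:
    """Map every malformed head to one 400 instead of letting an exception escape
    into the event loop or the error logger. Returns (status, framed body length)."""
    try:
        return 200, body_length(parser(raw))
    except BadRequest:
        return 400, 0


# Constructed request heads. SMUGGLE differs from CLEAN only by the space
# before the colon in the Content-Length field name.
CLEAN = b"Host: example.test\r\nContent-Length: 5\r\n"
SMUGGLE = b"Host: example.test\r\nContent-Length : 5\r\n"


if __name__ == "__main__":
    for label, raw in (("clean", CLEAN), ("space before colon", SMUGGLE)):
        print(label, "lenient:", handle_head(raw, parse_headers_lenient),
              "strict:", handle_head(raw, parse_headers_strict))
```

  On the second input the lenient parser reports a 5-byte body while the strict parser answers 400 and frames nothing; if a strict proxy sits in front of the lenient backend, the two disagree about where the request ends, which is the desynchronisation that request smuggling relies on. Routing every malformed head through one `BadRequest` path also addresses the second half of the commit message: the failure is cheap and uniform rather than an unhandled exception with a traceback per hostile request.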
* python3-pillow: Fix CVE-2024-28219 | Soumya Sambu | 2025-11-07 | 2 | -0/+44

  In _imagingcms.c in Pillow before 10.3.0, a buffer overflow exists because strcpy is used instead of strncpy.

  References:
  https://nvd.nist.gov/vuln/detail/CVE-2024-28219
  https://security-tracker.debian.org/tracker/CVE-2024-28219

  Upstream patch:
  https://github.com/python-pillow/Pillow/commit/2a93aba5cfcf6e241ab4f9392c13e3b74032c061

  Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-aspectlib: fix ptests | Gyorgy Sarvari | 2025-11-02 | 2 | -0/+55

  Backport patch that adapts failing tests.

  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-gunicorn: add patch to work with geventlet | Gyorgy Sarvari | 2025-10-27 | 2 | -1/+56

  python3-gunicorn depends on python3-geventlet. geventlet has made some breaking changes (which is part of meta-oe/kirkstone), however gunicorn wasn't adapted to this, and it broke some features (at least ptests).

  This patch backports the change that adapts gunicorn to the used version of geventlet.

  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-gevent: fix syntax error in cve patch | Gyorgy Sarvari | 2025-10-27 | 1 | -1/+1

  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-pint: fix ptests | Gyorgy Sarvari | 2025-10-27 | 2 | -6/+3

  1. Add missing ptest dependency (pytest-subtest)

  2. The testsuite is installed in both the site-packages and ${PTEST_PATH} folders, however some dependencies are only available in the site-packages folder, so many test cases fail. At this point of the branch lifecycle I decided not to refactor the recipe, but rather to just use the installation in the site-packages dir to run the tests (switch to that folder in the run-ptest script)

  3. Fix the run-ptest script to output PASS/FAIL status.

  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-requests-toolbelt: disable tests with expired certificate | Gyorgy Sarvari | 2025-10-27 | 1 | -1/+1

  The application ships with a self signed certificate as part of the test suite. Unfortunately this certificate has expired in 2021, and since then the tests refuse to use it, they just fail.

  Upstream has fixed this issue by refactoring these tests[1] not to use a vendored certificate, but rather to use the "python3-trustme" module - however this is not part of Kirkstone meta-oe, so that patch cannot be used.

  Due to this, disable these particular test cases.

  [1]: https://github.com/requests/toolbelt/commit/b93b4067ea1ded1e33959920ae5ff4163fdd6939

  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-py-cpuinfo: fix ptests | Gyorgy Sarvari | 2025-10-27 | 1 | -0/+1

  The tests require the library to be present in the folder of test execution, otherwise many of them fail.

  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-yarl: fix ptests (and make it compatible with current python) | Gyorgy Sarvari | 2025-10-20 | 2 | -1/+140

  oe-core currently ships with Python 3.10.18. Python 3.10.17 has introduced a change in urlparse library, regarding how brackets are handled by urllib.parse.urlsplit() and urlparse() functions (which makes it more conformant to the specification).

  This has caused a regression in yarl: some tests have failed, and it also revealed a bug in how yarl treats brackets.

  This backported patch corrects this behavior, making it compatible once again with the current Python version - and it also allows the ptests to pass once again.

  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-betamax: fix ptests | Gyorgy Sarvari | 2025-10-20 | 4 | -0/+93

  1. Some tests require internet access. Set a DNS for that, if it is not available at the start of the test.

  2. Added a backported patch that fixes some failing tests, due to a variable header value contained in a response. (fix-failing-ptest.patch)

  3. Added a backported patch that avoids calling pytest fixtures directly. If not applied, tests calling them are marked as failing by pytest. (fix-direct-calls-to-test-fixtures.patch)

  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-soupsieve: fix ptests | Gyorgy Sarvari | 2025-10-20 | 2 | -0/+163

  Some ptests have started to fail, due to a change in libxml 2.9.12 (oe-core ships with 2.9.14 currently).

  See upstream issue: https://github.com/facelessuser/soupsieve/issues/220

  This backported patch solves this issue.

  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-typeguard: update ptest dependencies | Derek Straka | 2025-10-20 | 1 | -0/+1

  Signed-off-by: Derek Straka <derek@asterius.io>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit bb8e0534be8349e73b069a63739e965e9442934e)

  Adapted to Kirkstone.

  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-ujson: fix run-ptest script | Gyorgy Sarvari | 2025-10-20 | 1 | -1/+1

  The current script doesn't execute any tests. This patch fixes the run-ptest script.

  This is mostly a backport of e183db0c8f0b6ef605731769aeefed3e4f0a0093.

  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-whoosh: Fix an intermittent ptest | Khem Raj | 2025-10-20 | 2 | -0/+31

  It fails sometimes when system is under stress

  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit 38e2f6a9a94463916d2c4ea5d08f1a554e337f28)
  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-send2trash: add missing run-time dependencies | Bartosz Golaszewski | 2025-10-02 | 1 | -0/+2

  Add missing RDEPENDS for this package.

  Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit e7430b5874ae68c02a4cc0ecdbe76b62446c67c6)
  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* python3-pyparted: add missing run-time dependencies | Bartosz Golaszewski | 2025-10-02 | 1 | -1/+4

  Add missing RDEPENDS for this package.

  Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit 9249052f98dde632173cbad95c7e6a3cd5e42651)
  Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>