From a8369be5eecf8485619e018e788e04bd0efdffed Mon Sep 17 00:00:00 2001
From: Narpat Mali
Date: Fri, 18 Nov 2022 11:49:15 +0000
Subject: python3-oauthlib: upgrade 3.2.0 -> 3.2.2

As per CVE reference, version 3.2.1 fixes the CVE-2022-36087 issue. But after upgrading the python3-oauthlib version to 3.2.1, observed that the vulnerable code lines are still available. The same observations were reported here in github at https://github.com/oauthlib/oauthlib/issues/837 and found that it was a mistake during 3.2.1 release preparation and due to which vulnerable code was still existing in 3.2.1 source code.

To fix CVE-2022-36087 issue, we need to upgrade python3-oauthlib to 3.2.2 version and here are the changelog of version 3.2.2 https://github.com/oauthlib/oauthlib/blob/v3.2.2/CHANGELOG.rst

Reference : https://nvd.nist.gov/vuln/detail/CVE-2022-36087
Upstream fix : https://github.com/oauthlib/oauthlib/commit/2e40b412c844ecc4673c3fa3f72181f228bdbacd

Signed-off-by: Narpat Mali
Signed-off-by: Armin Kuster
---
 .../python/python3-oauthlib_3.2.0.bb | 22 ----------------------
 .../python/python3-oauthlib_3.2.2.bb | 22 ++++++++++++++++++++++
 2 files changed, 22 insertions(+), 22 deletions(-)
 delete mode 100644 meta-python/recipes-devtools/python/python3-oauthlib_3.2.0.bb
 create mode 100644 meta-python/recipes-devtools/python/python3-oauthlib_3.2.2.bb
(limited to 'meta-python')
diff --git a/meta-python/recipes-devtools/python/python3-oauthlib_3.2.0.bb b/meta-python/recipes-devtools/python/python3-oauthlib_3.2.0.bb
deleted file mode 100644
index e7f7f0b47b..0000000000
--- a/meta-python/recipes-devtools/python/python3-oauthlib_3.2.0.bb
+++ /dev/null
@@ -1,22 +0,0 @@
-SUMMARY = "A generic, spec-compliant, thorough implementation of the OAuth request-signing logic"
-HOMEPAGE = "https://github.com/idan/oauthlib"
-
-LICENSE = "BSD-3-Clause"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=abd2675e944a2011aed7e505290ba482"
-
-SRC_URI[sha256sum] = "23a8208d75b902797ea29fd31fa80a15ed9dc2c6c16fe73f5d346f83f6fa27a2"
-
-inherit pypi setuptools3
-
-# The following configs & dependencies are from setuptools extras_require.
-# These dependencies are optional, hence can be controlled via PACKAGECONFIG.
-# The upstream names may not correspond exactly to bitbake package names.
-#
-# Uncomment this line to enable all the optional features.
-#PACKAGECONFIG ?= "test signedtoken signals rsa"
-PACKAGECONFIG[test] = ",,,${PYTHON_PN}-blinker ${PYTHON_PN}-cryptography ${PYTHON_PN}-pytest ${PYTHON_PN}-pyjwt"
-PACKAGECONFIG[signedtoken] = ",,,${PYTHON_PN}-cryptography ${PYTHON_PN}-pyjwt"
-PACKAGECONFIG[signals] = ",,,${PYTHON_PN}-blinker"
-PACKAGECONFIG[rsa] = ",,,${PYTHON_PN}-cryptography"
-
-RDEPENDS:${PN} += "${PYTHON_PN}-core ${PYTHON_PN}-crypt ${PYTHON_PN}-datetime ${PYTHON_PN}-json ${PYTHON_PN}-logging ${PYTHON_PN}-math ${PYTHON_PN}-netclient ${PYTHON_PN}-unittest"
diff --git a/meta-python/recipes-devtools/python/python3-oauthlib_3.2.2.bb b/meta-python/recipes-devtools/python/python3-oauthlib_3.2.2.bb
new file mode 100644
index 0000000000..566279d71c
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-oauthlib_3.2.2.bb
@@ -0,0 +1,22 @@
+SUMMARY = "A generic, spec-compliant, thorough implementation of the OAuth request-signing logic"
+HOMEPAGE = "https://github.com/idan/oauthlib"
+
+LICENSE = "BSD-3-Clause"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=abd2675e944a2011aed7e505290ba482"
+
+SRC_URI[sha256sum] = "9859c40929662bec5d64f34d01c99e093149682a3f38915dc0655d5a633dd918"
+
+inherit pypi setuptools3
+
+# The following configs & dependencies are from setuptools extras_require.
+# These dependencies are optional, hence can be controlled via PACKAGECONFIG.
+# The upstream names may not correspond exactly to bitbake package names.
+#
+# Uncomment this line to enable all the optional features.
+#PACKAGECONFIG ?= "test signedtoken signals rsa"
+PACKAGECONFIG[test] = ",,,${PYTHON_PN}-blinker ${PYTHON_PN}-cryptography ${PYTHON_PN}-pytest ${PYTHON_PN}-pyjwt"
+PACKAGECONFIG[signedtoken] = ",,,${PYTHON_PN}-cryptography ${PYTHON_PN}-pyjwt"
+PACKAGECONFIG[signals] = ",,,${PYTHON_PN}-blinker"
+PACKAGECONFIG[rsa] = ",,,${PYTHON_PN}-cryptography"
+
+RDEPENDS:${PN} += "${PYTHON_PN}-core ${PYTHON_PN}-crypt ${PYTHON_PN}-datetime ${PYTHON_PN}-json ${PYTHON_PN}-logging ${PYTHON_PN}-math ${PYTHON_PN}-netclient ${PYTHON_PN}-unittest"
-- 
cgit v1.2.3-54-g00ecf