<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/poky.git/meta/recipes-devtools/python/python3, branch yocto-5.0.4</title>
<subtitle>Mirror of git.yoctoproject.org/poky</subtitle>
<id>https://git.enea.com/cgit/linux/poky.git/atom?h=yocto-5.0.4</id>
<link rel='self' href='https://git.enea.com/cgit/linux/poky.git/atom?h=yocto-5.0.4'/>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/'/>
<updated>2024-09-25T12:07:47+00:00</updated>
<entry>
<title>python3: Upgrade 3.12.5 -&gt; 3.12.6</title>
<updated>2024-09-25T12:07:47+00:00</updated>
<author>
<name>Peter Marko</name>
<email>peter.marko@siemens.com</email>
</author>
<published>2024-09-17T21:34:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=d7249c50ecff3272afa699000884f17cce82222d'/>
<id>urn:sha1:d7249c50ecff3272afa699000884f17cce82222d</id>
<content type='text'>
Includes security fixes for CVE-2024-7592, CVE-2024-8088, CVE-2024-6232,
CVE-2023-27043 and other bug fixes.

Removed below patches, as the fix is included in 3.12.6 upgrade:
1. CVE-2024-7592.patch
2. CVE-2024-8088.patch

Release Notes:
https://www.python.org/downloads/release/python-3126/

(From OE-Core rev: aa492b1fd5973c37b8fa2cd17d28199eba46afcc)

(From OE-Core rev: 6688a8ff2e1cbf6ad8ebd1b89ec6c929caf6a161)

Signed-off-by: Divya Chellam &lt;divya.chellam@windriver.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>python3: skip readline limited history tests</title>
<updated>2024-09-25T12:07:47+00:00</updated>
<author>
<name>Trevor Gamblin</name>
<email>tgamblin@baylibre.com</email>
</author>
<published>2024-09-17T21:34:23+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=b9a2619bc8dd5ae58dbaeb8e507be45fc8f97ad1'/>
<id>urn:sha1:b9a2619bc8dd5ae58dbaeb8e507be45fc8f97ad1</id>
<content type='text'>
Python 3.12.5 is failing a newer ptest for reading/writing limited
history when editline (default) is set in PACKAGECONFIG. Skip it for now
until a proper fix (if any) is determined.

A bug has been opened upstream: https://github.com/python/cpython/issues/123018

(From OE-Core rev: de569ddffd5ea36b70c56df21dec9c892e5dee7d)

(From OE-Core rev: 98b3a3e3f79a3edaa4cf2cfbf58eb84553d65e1e)

Signed-off-by: Trevor Gamblin &lt;tgamblin@baylibre.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>python3: Fix CVE-2024-8088</title>
<updated>2024-09-09T13:08:10+00:00</updated>
<author>
<name>Soumya Sambu</name>
<email>soumya.sambu@windriver.com</email>
</author>
<published>2024-09-03T12:50:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=31ea437bf7785201dd4fb04622ec97feba110c93'/>
<id>urn:sha1:31ea437bf7785201dd4fb04622ec97feba110c93</id>
<content type='text'>
There is a HIGH severity vulnerability affecting the CPython "zipfile"
module. When iterating over names of entries in a zip archive (for example,
methodsof "zipfile.ZipFile" like "namelist()", "iterdir()", "extractall()",
etc) the process can be put into an infinite loop with a maliciously crafted
zip archive. This defect applies when reading only metadata or extracting
the contents of the zip archive. Programs that are not handling
user-controlled zip archives are not affected.

References:
https://nvd.nist.gov/vuln/detail/CVE-2024-8088

Upstream-Patch:
https://github.com/corydolphin/flask-cors/commit/7ae310c56ac30e0b94fb42129aa377bf633256ec

(From OE-Core rev: 2d98276ba70ed6c44afecd42a7352f1b3030438f)

Signed-off-by: Soumya Sambu &lt;soumya.sambu@windriver.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>python3: Fix CVE-2024-7592</title>
<updated>2024-09-09T13:08:10+00:00</updated>
<author>
<name>Soumya Sambu</name>
<email>soumya.sambu@windriver.com</email>
</author>
<published>2024-09-03T12:50:34+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=9541ad965035b28697b8df400d7b9bddc4d2519a'/>
<id>urn:sha1:9541ad965035b28697b8df400d7b9bddc4d2519a</id>
<content type='text'>
There is a LOW severity vulnerability affecting CPython, specifically the
'http.cookies' standard library module. When parsing cookies that contained
backslashes for quoted characters in the cookie value, the parser would use
an algorithm with quadratic complexity, resulting in excess CPU resources
being used while parsing the value.

References:
https://nvd.nist.gov/vuln/detail/CVE-2024-7592

Upstream-Patch:
https://github.com/python/cpython/commit/dcc3eaef98cd94d6cb6cb0f44bd1c903d04f33b1

(From OE-Core rev: 3bb9684eef5227e7b1280ee9051884310b0d0b7f)

Signed-off-by: Soumya Sambu &lt;soumya.sambu@windriver.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>python3: submit deterministic_imports.patch upstream as a ticket</title>
<updated>2024-08-01T13:08:09+00:00</updated>
<author>
<name>Alexander Kanavin</name>
<email>alex@linutronix.de</email>
</author>
<published>2024-06-19T08:59:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=64ac9fa408d925d951ebd4b042e010babce499f9'/>
<id>urn:sha1:64ac9fa408d925d951ebd4b042e010babce499f9</id>
<content type='text'>
(From OE-Core rev: eb3868d99ef2d5fa9fafc9cf947209d81ab5f11f)

Signed-off-by: Alexander Kanavin &lt;alex@linutronix.de&gt;
Signed-off-by: Alexandre Belloni &lt;alexandre.belloni@bootlin.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
(cherry picked from commit d77511cc9add70857e4a9d7237b23d7d6ae14e98)
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>python3: skip test_multiprocessing/test_active_children test</title>
<updated>2024-08-01T13:08:09+00:00</updated>
<author>
<name>Trevor Gamblin</name>
<email>tgamblin@baylibre.com</email>
</author>
<published>2024-06-13T15:37:21+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=754724ec73c0e387636dfb33fca94437c83338f3'/>
<id>urn:sha1:754724ec73c0e387636dfb33fca94437c83338f3</id>
<content type='text'>
This test is causing problems on the Autobuilder, so disable it for now.

(From OE-Core rev: 9eafd0c56b279a7c3025b0dcd00745baead15bb6)

Signed-off-by: Trevor Gamblin &lt;tgamblin@baylibre.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
(cherry picked from commit ac000b00ec615b3e51dda8d819015d5e7110ed88)
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>python3: skip test_concurrent_futures/test_deadlock</title>
<updated>2024-08-01T13:08:09+00:00</updated>
<author>
<name>Trevor Gamblin</name>
<email>tgamblin@baylibre.com</email>
</author>
<published>2024-06-12T15:05:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=a28f4c97b3548786a5b1d6a191f8330fbbaf67b1'/>
<id>urn:sha1:a28f4c97b3548786a5b1d6a191f8330fbbaf67b1</id>
<content type='text'>
These tests are causing hangs on the Autobuilder, so disable them for
now.

(From OE-Core rev: 141c348ce83552beae88e115d9c4db5802c6e0f4)

Signed-off-by: Trevor Gamblin &lt;tgamblin@baylibre.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
(cherry picked from commit 291f37808f1a2b2fdc8190696867f974994457c0)
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>python3: Treat UID/GID overflow as failure</title>
<updated>2024-08-01T13:08:09+00:00</updated>
<author>
<name>Khem Raj</name>
<email>raj.khem@gmail.com</email>
</author>
<published>2024-05-09T01:30:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=8a203e0f2ad75198afd5227edc28bd2551359aca'/>
<id>urn:sha1:8a203e0f2ad75198afd5227edc28bd2551359aca</id>
<content type='text'>
This fixes ptest failures on 32bit architectures

AssertionError:
Failed ptests:
{'python3': ['test_extractall_none_gid',
             'test_extractall_none_gname',
             'test_extractall_none_mode',
             'test_extractall_none_mtime',
             'test_extractall_none_uid',
             'test_extractall_none_uname',
             'setUpClass',
             'python3']}

(From OE-Core rev: 371124fa4bf1a255a4fc646b028398db8c9f3681)

Signed-off-by: Khem Raj &lt;raj.khem@gmail.com&gt;
Signed-off-by: Alexandre Belloni &lt;alexandre.belloni@bootlin.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
(cherry picked from commit 43104b547cb79693c83df0882773ae8dd74b1d35)
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>python3: skip test_concurrent_futures/test_shutdown</title>
<updated>2024-05-09T11:45:06+00:00</updated>
<author>
<name>Trevor Gamblin</name>
<email>tgamblin@baylibre.com</email>
</author>
<published>2024-05-08T17:10:14+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=c4a4246f798b1487ec3b53c9c5753e3ead6e2657'/>
<id>urn:sha1:c4a4246f798b1487ec3b53c9c5753e3ead6e2657</id>
<content type='text'>
These tests are causing hangs on the Autobuilder, so disable them for
now.

(From OE-Core rev: e3b4a05f19e3ba8f84b5d892b787e67bef565e48)

Signed-off-by: Trevor Gamblin &lt;tgamblin@baylibre.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>python3: upgrade 3.12.2 -&gt; 3.12.3</title>
<updated>2024-04-14T05:28:02+00:00</updated>
<author>
<name>Trevor Gamblin</name>
<email>tgamblin@baylibre.com</email>
</author>
<published>2024-04-12T00:42:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=6cbe62a0cee10ecb05bcaddcfe0cd185a033d198'/>
<id>urn:sha1:6cbe62a0cee10ecb05bcaddcfe0cd185a033d198</id>
<content type='text'>
Remove the following patch:

0001-gh-115133-Fix-tests-for-XMLPullParser-with-Expat-2.6.patch

Which a different fix was submitted for in:

c4fa79b924 [3.12] gh-115133: Fix tests for XMLPullParser with Expat 2.6.0 (GH-115164) (GH-115288)
See: https://github.com/python/cpython/pull/115288
(related to CVE-2023-52425)

Changelog: https://docs.python.org/3/whatsnew/changelog.html#python-3-12-3-final

(From OE-Core rev: 4122d8f6ecf6957de7a34fc51beffcd8e808911f)

Signed-off-by: Trevor Gamblin &lt;tgamblin@baylibre.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
</feed>
