<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/poky.git/meta/recipes-devtools/python/python3, branch yocto-5.0.8</title>
<subtitle>Mirror of git.yoctoproject.org/poky</subtitle>
<id>https://git.enea.com/cgit/linux/poky.git/atom?h=yocto-5.0.8</id>
<link rel='self' href='https://git.enea.com/cgit/linux/poky.git/atom?h=yocto-5.0.8'/>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/'/>
<updated>2025-02-14T14:38:54+00:00</updated>
<entry>
<title>python3: upgrade 3.12.8 -&gt; 3.12.9</title>
<updated>2025-02-14T14:38:54+00:00</updated>
<author>
<name>Peter Marko</name>
<email>peter.marko@siemens.com</email>
</author>
<published>2025-02-08T23:23:19+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=c9c335583601f5fc08c1dee355fcc19f35cdc76a'/>
<id>urn:sha1:c9c335583601f5fc08c1dee355fcc19f35cdc76a</id>
<content type='text'>
Release notes:
https://docs.python.org/release/3.12.9/whatsnew/changelog.html#python-3-12-9

Solves CVE-2025-0938, CVE-2024-12254 and 3 other vulnerabilities without
CVE number assigment.

Add a patch to fix failure of a new test.

(From OE-Core rev: 685b2719ae9b44c238e63942efabe52e5df7d640)

Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>python3: upgrade 3.12.7 -&gt; 3.12.8</title>
<updated>2025-01-09T14:25:36+00:00</updated>
<author>
<name>Guðni Már Gilbert</name>
<email>gudni.m.g@gmail.com</email>
</author>
<published>2024-12-28T18:19:11+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=321943e627877aabfd1f71599b7619e8bf2e624b'/>
<id>urn:sha1:321943e627877aabfd1f71599b7619e8bf2e624b</id>
<content type='text'>
Changelog:
https://docs.python.org/release/3.12.8/whatsnew/changelog.html#python-3-12-8

(From OE-Core rev: db5081254adacf6c87269fd43af7199267ad535c)

Signed-off-by: Guðni Már Gilbert &lt;gudni.m.g@gmail.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>python3: upgrade 3.12.6 -&gt; 3.12.7</title>
<updated>2025-01-09T14:25:36+00:00</updated>
<author>
<name>Guðni Már Gilbert</name>
<email>gudni.m.g@gmail.com</email>
</author>
<published>2024-12-28T18:19:10+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=a7abc52998f01193acc0bb9a93fa6b73d7f49f0e'/>
<id>urn:sha1:a7abc52998f01193acc0bb9a93fa6b73d7f49f0e</id>
<content type='text'>
Changelog:
https://docs.python.org/release/3.12.7/whatsnew/changelog.html#python-3-12-7

(From OE-Core rev: 197048667f69ed559baf54831eb7b1606320f3e8)

Signed-off-by: Guðni Már Gilbert &lt;gudni.m.g@gmail.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>python3: add dependency on -compression to -core</title>
<updated>2024-12-23T13:46:32+00:00</updated>
<author>
<name>Ross Burton</name>
<email>ross.burton@arm.com</email>
</author>
<published>2024-12-15T14:32:47+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=c75016dcf38e9d8b18a78687f0e3bb250282a0e1'/>
<id>urn:sha1:c75016dcf38e9d8b18a78687f0e3bb250282a0e1</id>
<content type='text'>
importlib.metadata is part of -core, but that will import zipfile which
is part of -compression.

Obviously this shows that our packaging of the Python modules is not
optimal.  I plan to follow up with a redesign of the splitting which
focuses on simply pulling out the larger or esoteric modules and
having a more featureful core.

(From OE-Core rev: 05166eafb99cf8c7adb6879277069ab384a2f8df)

Signed-off-by: Ross Burton &lt;ross.burton@arm.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>python3: Drop empty patch</title>
<updated>2024-12-23T13:46:32+00:00</updated>
<author>
<name>Khem Raj</name>
<email>raj.khem@gmail.com</email>
</author>
<published>2024-12-15T14:32:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=a56d901283368109c94068749c7356724d839113'/>
<id>urn:sha1:a56d901283368109c94068749c7356724d839113</id>
<content type='text'>
The fix brought by this patch is already part of python 3.12.3
therefore drop it.

(From OE-Core rev: 555623d2378138fdcfae95c04e06ba384cebab5b)

Signed-off-by: Khem Raj &lt;raj.khem@gmail.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>python3: Upgrade 3.12.5 -&gt; 3.12.6</title>
<updated>2024-09-25T12:07:47+00:00</updated>
<author>
<name>Peter Marko</name>
<email>peter.marko@siemens.com</email>
</author>
<published>2024-09-17T21:34:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=d7249c50ecff3272afa699000884f17cce82222d'/>
<id>urn:sha1:d7249c50ecff3272afa699000884f17cce82222d</id>
<content type='text'>
Includes security fixes for CVE-2024-7592, CVE-2024-8088, CVE-2024-6232,
CVE-2023-27043 and other bug fixes.

Removed below patches, as the fix is included in 3.12.6 upgrade:
1. CVE-2024-7592.patch
2. CVE-2024-8088.patch

Release Notes:
https://www.python.org/downloads/release/python-3126/

(From OE-Core rev: aa492b1fd5973c37b8fa2cd17d28199eba46afcc)

(From OE-Core rev: 6688a8ff2e1cbf6ad8ebd1b89ec6c929caf6a161)

Signed-off-by: Divya Chellam &lt;divya.chellam@windriver.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>python3: skip readline limited history tests</title>
<updated>2024-09-25T12:07:47+00:00</updated>
<author>
<name>Trevor Gamblin</name>
<email>tgamblin@baylibre.com</email>
</author>
<published>2024-09-17T21:34:23+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=b9a2619bc8dd5ae58dbaeb8e507be45fc8f97ad1'/>
<id>urn:sha1:b9a2619bc8dd5ae58dbaeb8e507be45fc8f97ad1</id>
<content type='text'>
Python 3.12.5 is failing a newer ptest for reading/writing limited
history when editline (default) is set in PACKAGECONFIG. Skip it for now
until a proper fix (if any) is determined.

A bug has been opened upstream: https://github.com/python/cpython/issues/123018

(From OE-Core rev: de569ddffd5ea36b70c56df21dec9c892e5dee7d)

(From OE-Core rev: 98b3a3e3f79a3edaa4cf2cfbf58eb84553d65e1e)

Signed-off-by: Trevor Gamblin &lt;tgamblin@baylibre.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>python3: Fix CVE-2024-8088</title>
<updated>2024-09-09T13:08:10+00:00</updated>
<author>
<name>Soumya Sambu</name>
<email>soumya.sambu@windriver.com</email>
</author>
<published>2024-09-03T12:50:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=31ea437bf7785201dd4fb04622ec97feba110c93'/>
<id>urn:sha1:31ea437bf7785201dd4fb04622ec97feba110c93</id>
<content type='text'>
There is a HIGH severity vulnerability affecting the CPython "zipfile"
module. When iterating over names of entries in a zip archive (for example,
methodsof "zipfile.ZipFile" like "namelist()", "iterdir()", "extractall()",
etc) the process can be put into an infinite loop with a maliciously crafted
zip archive. This defect applies when reading only metadata or extracting
the contents of the zip archive. Programs that are not handling
user-controlled zip archives are not affected.

References:
https://nvd.nist.gov/vuln/detail/CVE-2024-8088

Upstream-Patch:
https://github.com/corydolphin/flask-cors/commit/7ae310c56ac30e0b94fb42129aa377bf633256ec

(From OE-Core rev: 2d98276ba70ed6c44afecd42a7352f1b3030438f)

Signed-off-by: Soumya Sambu &lt;soumya.sambu@windriver.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>python3: Fix CVE-2024-7592</title>
<updated>2024-09-09T13:08:10+00:00</updated>
<author>
<name>Soumya Sambu</name>
<email>soumya.sambu@windriver.com</email>
</author>
<published>2024-09-03T12:50:34+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=9541ad965035b28697b8df400d7b9bddc4d2519a'/>
<id>urn:sha1:9541ad965035b28697b8df400d7b9bddc4d2519a</id>
<content type='text'>
There is a LOW severity vulnerability affecting CPython, specifically the
'http.cookies' standard library module. When parsing cookies that contained
backslashes for quoted characters in the cookie value, the parser would use
an algorithm with quadratic complexity, resulting in excess CPU resources
being used while parsing the value.

References:
https://nvd.nist.gov/vuln/detail/CVE-2024-7592

Upstream-Patch:
https://github.com/python/cpython/commit/dcc3eaef98cd94d6cb6cb0f44bd1c903d04f33b1

(From OE-Core rev: 3bb9684eef5227e7b1280ee9051884310b0d0b7f)

Signed-off-by: Soumya Sambu &lt;soumya.sambu@windriver.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>python3: submit deterministic_imports.patch upstream as a ticket</title>
<updated>2024-08-01T13:08:09+00:00</updated>
<author>
<name>Alexander Kanavin</name>
<email>alex@linutronix.de</email>
</author>
<published>2024-06-19T08:59:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=64ac9fa408d925d951ebd4b042e010babce499f9'/>
<id>urn:sha1:64ac9fa408d925d951ebd4b042e010babce499f9</id>
<content type='text'>
(From OE-Core rev: eb3868d99ef2d5fa9fafc9cf947209d81ab5f11f)

Signed-off-by: Alexander Kanavin &lt;alex@linutronix.de&gt;
Signed-off-by: Alexandre Belloni &lt;alexandre.belloni@bootlin.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
(cherry picked from commit d77511cc9add70857e4a9d7237b23d7d6ae14e98)
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
</feed>
