<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/poky.git/meta/recipes-devtools/python, branch mickledore</title>
<subtitle>Mirror of git.yoctoproject.org/poky</subtitle>
<id>https://git.enea.com/cgit/linux/poky.git/atom?h=mickledore</id>
<link rel='self' href='https://git.enea.com/cgit/linux/poky.git/atom?h=mickledore'/>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/'/>
<updated>2023-11-11T18:23:01+00:00</updated>
<entry>
<title>python3-urllib3: update to v1.26.18</title>
<updated>2023-11-11T18:23:01+00:00</updated>
<author>
<name>Tan Wen Yan</name>
<email>wen.yan.tan@intel.com</email>
</author>
<published>2023-11-10T09:30:42+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=02b045ff13c75aa80d278cbfe307c48e009f21af'/>
<id>urn:sha1:02b045ff13c75aa80d278cbfe307c48e009f21af</id>
<content type='text'>
https://github.com/urllib3/urllib3/releases/tag/1.26.18

Major changes in python3-urllib3 1.26.18:
- Made body stripped from HTTP requests changing the request method to GET after HTTP 303 "See Other" redirect responses. (CVE-2023-45803)

(From OE-Core rev: 74da05b63634c248910594456dae286947f33da5)

Signed-off-by: Tan Wen Yan &lt;wen.yan.tan@intel.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>python3-urllib3: 1.26.15 -&gt; 1.26.17</title>
<updated>2023-10-25T14:51:01+00:00</updated>
<author>
<name>Lee Chee Yang</name>
<email>chee.yang.lee@intel.com</email>
</author>
<published>2023-10-13T10:39:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=167b0b6a9355339a95fbd323a0278e45ff320d7d'/>
<id>urn:sha1:167b0b6a9355339a95fbd323a0278e45ff320d7d</id>
<content type='text'>
1.26.17 (2023-10-02)
Added the Cookie header to the list of headers to strip from requests
when redirecting to a different host. As before, different headers can
be set via Retry.remove_headers_on_redirect. (CVE-2023-43804)

1.26.16 (2023-05-23)
Fixed thread-safety issue where accessing a PoolManager with many
distinct origins would cause connection pools to be closed while
requests are in progress (#2954)

(From OE-Core rev: 7466db00ca2f884cf58504c3910b858a87f33128)

Signed-off-by: Lee Chee Yang &lt;chee.yang.lee@intel.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>python3-git: upgrade 3.1.32 -&gt; 3.1.37</title>
<updated>2023-09-29T14:33:43+00:00</updated>
<author>
<name>Narpat Mali</name>
<email>narpat.mali@windriver.com</email>
</author>
<published>2023-09-25T13:28:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=22af10c1b1e5dfe6ac8f14114efdd2493b74095e'/>
<id>urn:sha1:22af10c1b1e5dfe6ac8f14114efdd2493b74095e</id>
<content type='text'>
The delta between 3.1.32 &amp; 3.1.37 contains the CVE-2023-40590 and
CVE-2023-41040 fixes and other bugfixes.

Changelog:
==========
- WIP Quick doc by @LeoDaCoda in #1608
- Partial clean up wrt mypy and black by @bodograumann in #1617
- Disable merge_includes in config writers by @bodograumann in #1618
- feat: full typing for "progress" parameter in Repo class by @madebylydia in #1634
- Fix CVE-2023-40590 by @EliahKagan in #1636
- #1566 Creating a lock now uses python built-in "open()" method to work arou… by @HageMaster3108 in #1619
- util: close lockfile after opening successfully by @skshetry in #1639
- Bump actions/checkout from 3 to 4 by @dependabot in #1643
- Fix 'Tree' object has no attribute '_name' when submodule path is normal path by @CosmosAtlas in #1645
- Fix CVE-2023-41040 by @facutuesca in #1644
- Only make config more permissive in tests that need it by @EliahKagan in #1648
- Added test for PR #1645 submodule path by @CosmosAtlas in #1647
- Fix Windows environment variable upcasing bug by @EliahKagan in #1650
- Improve Python version and OS compatibility, fixing deprecations by @EliahKagan in #1654
- Better document env_case test/fixture and cwd by @EliahKagan in #1657
- Remove spurious executable permissions by @EliahKagan in #1658
- Fix up checks in Makefile and make them portable by @EliahKagan in #1661
- Fix URLs that were redirecting to another license by @EliahKagan in #1662
- Assorted small fixes/improvements to root dir docs by @EliahKagan in #1663
- Use venv instead of virtualenv in test_installation by @EliahKagan in #1664
- Omit py_modules in setup by @EliahKagan in #1665
- Don't track code coverage temporary files by @EliahKagan in #1666
- Configure tox by @EliahKagan in #1667
- Format tests with black and auto-exclude untracked paths by @EliahKagan in #1668
- Upgrade and broaden flake8, fixing style problems and bugs by @EliahKagan in #1673
- Fix rollback bug in SymbolicReference.set_reference by @EliahKagan in #1675
- Remove @NoEffect annotations by @EliahKagan in #1677
- Add more checks for the validity of refnames by @facutuesca in #1672

Note that the changes to the license file are just removal of excess whitespace
(the extra blank line at the end, and spaces appearing at the end of lines).

References:
https://github.com/gitpython-developers/GitPython/releases
https://github.com/gitpython-developers/GitPython/blob/main/doc/source/changes.rst
https://github.com/gitpython-developers/GitPython/commit/e1af18377fd69f9c1007f8abf6ccb95b3c5a6558

(From OE-Core rev: 931af3758a2d79aea534ab6d23db392ede7cc1bb)

Signed-off-by: Narpat Mali &lt;narpat.mali@windriver.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>python3: update to 3.11.5</title>
<updated>2023-09-13T16:21:25+00:00</updated>
<author>
<name>Chee Yang Lee</name>
<email>chee.yang.lee@intel.com</email>
</author>
<published>2023-09-01T12:41:42+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=6ae9654ab590582e27f41cdd224cdc2010020247'/>
<id>urn:sha1:6ae9654ab590582e27f41cdd224cdc2010020247</id>
<content type='text'>
upgrade includes fix for CVE-2023-40217

Release notes:
https://docs.python.org/3/whatsnew/changelog.html#python-3-11-5-final

(From OE-Core rev: 4a3e3042a0cef3a215d286b0f32be293c3948d1e)

Signed-off-by: Chee Yang Lee &lt;chee.yang.lee@intel.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>python3: update 3.11.3 -&gt; 3.11.4</title>
<updated>2023-09-13T16:21:25+00:00</updated>
<author>
<name>Alexander Kanavin</name>
<email>alex.kanavin@gmail.com</email>
</author>
<published>2023-09-01T12:41:41+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=8b372c7d4e5ae8ac37952dab2179a99ebb9a7e2a'/>
<id>urn:sha1:8b372c7d4e5ae8ac37952dab2179a99ebb9a7e2a</id>
<content type='text'>
upgrade includes fix for CVE-2023-24329

(cherry picked from commit f7f163ebe8c53de4314d04595c1fbcc7af2deccc )

(From OE-Core rev: 8687de9f20bde7aba118a50342848031adfb7641)

Signed-off-by: Alexander Kanavin &lt;alex@linutronix.de&gt;
Signed-off-by: Alexandre Belloni &lt;alexandre.belloni@bootlin.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
Signed-off-by: Chee Yang Lee &lt;chee.yang.lee@intel.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>python3: upgrade 3.11.2 -&gt; 3.11.3</title>
<updated>2023-09-13T16:21:25+00:00</updated>
<author>
<name>Alexander Kanavin</name>
<email>alex.kanavin@gmail.com</email>
</author>
<published>2023-09-01T12:41:40+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=b2e008f2d447e0ae127b1eb2fe42ccebaf4f438f'/>
<id>urn:sha1:b2e008f2d447e0ae127b1eb2fe42ccebaf4f438f</id>
<content type='text'>
(cherry picked from commit 7d5bb3a4690ef61a1fee21773b4717e829789e32)

(From OE-Core rev: a991fe85dca51ddf36994666e14e69839dd694b2)

Signed-off-by: Alexander Kanavin &lt;alex@linutronix.de&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
Signed-off-by: Chee Yang Lee &lt;chee.yang.lee@intel.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>python3-pygments: fix for CVE-2022-40896</title>
<updated>2023-09-04T14:13:24+00:00</updated>
<author>
<name>Narpat Mali</name>
<email>narpat.mali@windriver.com</email>
</author>
<published>2023-08-29T14:57:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=7b65658ede3253a6d22297a6c5550f1400274632'/>
<id>urn:sha1:7b65658ede3253a6d22297a6c5550f1400274632</id>
<content type='text'>
A ReDoS issue was discovered in pygments/lexers/smithy.py in pygments
through 2.15.0 via SmithyLexer.

The CVE issue is fixed by these 3 different commits in different versions:
1. Improve the Smithy metadata matcher (These changes are already available as part
   of current python3-pygments_2.14.0 version):
https://github.com/pygments/pygments/commit/dd52102c38ebe78cd57748e09f38929fd283ad04 (2.14.0)
2. SQL+Jinja: use a simpler regex in analyse_text:
https://github.com/pygments/pygments/commit/97eb3d5ec7c1b3ea4fcf9dee30a2309cf92bd194 (2.15.0)
3. Improve Java properties lexer (#2404):
https://github.com/pygments/pygments/commit/fdf182a7af85b1deeeb637ca970d31935e7c9d52 (2.15.1)

References:
https://nvd.nist.gov/vuln/detail/CVE-2022-40896
https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages-part-2/

(From OE-Core rev: 5a02307af5e593be864423a9f3ab309703d61dbf)

Signed-off-by: Narpat Mali &lt;narpat.mali@windriver.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>python3-git: upgrade 3.1.31 -&gt; 3.1.32</title>
<updated>2023-08-30T14:52:35+00:00</updated>
<author>
<name>Narpat Mali</name>
<email>narpat.mali@windriver.com</email>
</author>
<published>2023-08-24T12:22:19+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=4c9e8b0390309a5633b3835101a860701acc8fcb'/>
<id>urn:sha1:4c9e8b0390309a5633b3835101a860701acc8fcb</id>
<content type='text'>
The delta between 3.1.31 &amp; 3.1.32 contains the CVE-2023-40267 fix and other bugfixes.

Changelog:
https://github.com/gitpython-developers/GitPython/releases/tag/3.1.32

- Bump cygwin/cygwin-install-action from 3 to 4 by @dependabot in #1572
- Fix up the commit trailers functionality by @itsluketwist in #1576
- Name top-level exceptions as private variables by @Hawk777 in #1590
- fix pypi long description by @eUgEntOptIc44 in #1603
- Don't rely on del by @r-darwish in #1606
- Block insecure non-multi options in clone/clone_from by @Beuc in #1609

(From OE-Core rev: fd38c8d91f95b44ea7b833772b9a07e1f1d74479)

Signed-off-by: Narpat Mali &lt;narpat.mali@windriver.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>python3-certifi: upgrade 2022.12.7 -&gt; 2023.7.22</title>
<updated>2023-08-15T16:18:48+00:00</updated>
<author>
<name>Narpat Mali</name>
<email>narpat.mali@windriver.com</email>
</author>
<published>2023-08-03T11:31:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=c36a0bd40611688092c41c24c33bd94674d73f4d'/>
<id>urn:sha1:c36a0bd40611688092c41c24c33bd94674d73f4d</id>
<content type='text'>
python3-certifi 2023.7.22 contains the CVE-2023-37920 fix.

No changelog provided. Commits:

8fb96ed (tag: 2023.07.22) 2023.07.22
afe7722 Bump actions/setup-python from 4.6.1 to 4.7.0 (#230)
2038739 Bump dessant/lock-threads from 3.0.0 to 4.0.1 (#229)
44df761 Hash pin Actions and enable dependabot (#228)
8b3d7ba (tag: 2023.05.07) 2023.05.07
53da240 ci: Add Python 3.12-dev to the testing (#224)
c2fc3b1 Create a Security Policy (#222)
c211ef4 Set up permissions to github workflows (#218)
2087de5 Don't let deprecation warning fail CI (#219)
e0b9fc5 remove paragraphs about 1024-bit roots from README
9427a5a fix CI
fed4048 get CI passing again
9e9e840 (tag: 2022.12.07) 2022.12.07

(From OE-Core rev: ec5e5ae6b304dee9b323bd20f3db25152a083398)

Signed-off-by: Narpat Mali &lt;narpat.mali@windriver.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>python3: fix missing comma in get_module_deps3.py</title>
<updated>2023-08-01T16:17:28+00:00</updated>
<author>
<name>Ross Burton</name>
<email>ross.burton@arm.com</email>
</author>
<published>2023-07-05T10:34:34+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=1dccb216a07419a617c1fb6213ddeea60c8c6ccd'/>
<id>urn:sha1:1dccb216a07419a617c1fb6213ddeea60c8c6ccd</id>
<content type='text'>
Wes Tarro &lt;wes.tarro@azuresummit.com&gt; noticed a missing comma in a
replace() call, add it.

That said, calling replace() with one argument results in a TypeError,
so this is obviously dead code.

(From OE-Core rev: f24236b7b52dd753d7170bac9c38dff1133db76e)

Signed-off-by: Ross Burton &lt;ross.burton@arm.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
(cherry picked from commit 9b2e2c8d809e7ca34451ec9702b029a00dfb410b)
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
</feed>
