linux/poky.git/meta/recipes-devtools/python, branch scarthgap Mirror of git.yoctoproject.org/poky https://git.enea.com/cgit/linux/poky.git/atom?h=scarthgap 2026-05-04T12:57:31+00:00 python3-wheel: fix CVE-2026-24049 2026-05-04T12:57:31+00:00 Guocai He guocai.he.cn@windriver.com 2026-04-09T06:16:33+00:00 urn:sha1:c18ab4d89541cb1b22d88b630b51dfbe2bfaa11c Backport patch to fix CVE-2026-24049 per reference [1] [2]. [1] https://security-tracker.debian.org/tracker/CVE-2026-24049 [2] https://github.com/pypa/wheel/commit/7a7d2de96b (From OE-Core rev: aa7465ce6a3d82629abeaa9b6d199b465b449d43) Signed-off-by: Guocai He <guocai.he.cn@windriver.com> Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev> python3-pyasn1: fix CVE-2026-23490 2026-05-04T12:57:31+00:00 Jiaying Song jiaying.song.cn@windriver.com 2026-04-09T06:16:32+00:00 urn:sha1:60345ecc4bcc2a7b1b9b497f8b6e1fa8cff7e935 pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.2, a Denial-of-Service issue has been found that leads to memory exhaustion from malformed RELATIVE-OID with excessive continuation octets. This vulnerability is fixed in 0.6.2. References: https://nvd.nist.gov/vuln/detail/CVE-2026-23490 (From OE-Core rev: 205d360b49c7bbaa8709cb5a0b2e57457c32ad22) Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com> Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev> python3: upgrade 3.12.12 -> 3.12.13 2026-05-04T12:57:31+00:00 Vijay Anusuri vanusuri@mvista.com 2026-04-04T15:52:31+00:00 urn:sha1:2820a673f1a39b95dc187aa32155c7ff6d80ca15 Drop upstreamed patches. Release information: * https://www.python.org/downloads/release/python-31213/ * The release you're looking at is Python 3.12.13, a security bugfix release for the legacy 3.12 series. Handles CVE-2024-6923 CVE-2025-12084 CVE-2025-13836 CVE-2025-13837 CVE-2025-15282 CVE-2025-59375 CVE-2026-0865 CVE-2026-24515 CVE-2026-25210 (From OE-Core rev: 8b0c626633a1e443cfb6e5f73c6120bff5f6a5ef) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> [YC: Full changelog: https://docs.python.org/release/3.12.13/whatsnew/changelog.html#python-3-12-13] Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev> python3-pyopenssl: Fix CVE-2026-27459 2026-04-02T12:41:55+00:00 Vijay Anusuri vanusuri@mvista.com 2026-03-25T07:23:40+00:00 urn:sha1:fdc811c17e274cbaf4ab85c618577dc210d186f1 Pick patch mentioned in NVD [1] https://nvd.nist.gov/vuln/detail/CVE-2026-27459 [2] https://ubuntu.com/security/CVE-2026-27459 (From OE-Core rev: 94c6f16933b9ff4c4a2ea46be1e3fc5f2979a49d) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev> python3-pyopenssl: Fix CVE-2026-27448 2026-04-02T12:41:54+00:00 Vijay Anusuri vanusuri@mvista.com 2026-03-25T07:23:39+00:00 urn:sha1:d86323342e01332d40e96a4f4fa059ec0c85b200 Pick patch mentioned in NVD [1] https://nvd.nist.gov/vuln/detail/CVE-2026-27448 [2] https://ubuntu.com/security/CVE-2026-27448 (From OE-Core rev: 6349510d2ae9d8f4ad1c52d7356d2359b7bf4826) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev> python3-cryptography: Fix CVE-2026-26007 2026-04-02T12:41:54+00:00 Nguyen Dat Tho tho3.nguyen@lge.com 2026-03-30T08:17:19+00:00 urn:sha1:7421603502b72418aee17e57184acc6dd9355bdf CVE-2026-26007 is fixed upstream in version 46.0.5. Our current version (42.0.5, scarthgap) is still reported as vulnerable by NVD. Backport the upstream fix to address this CVE. Upstream commit: https://github.com/pyca/cryptography/commit/0eebb9dbb6343d9bc1d91e5a2482ed4e054a6d8c CVE report: https://nvd.nist.gov/vuln/detail/CVE-2026-26007 (From OE-Core rev: a363958725430237160b0a83a6a6acbe8380fba3) Signed-off-by: Nguyen Dat Tho <tho3.nguyen@lge.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev> python3-pip: drop unused Windows distlib launcher templates 2026-03-25T17:34:13+00:00 Krupal Ka Patel krkapate@cisco.com 2026-03-09T05:18:26+00:00 urn:sha1:6637678682c305c8fc6bbc75e29781ac78af6cb7 pip vendors distlib which ships Windows launcher template binaries (*.exe) under pip/_vendor/distlib. These files are only used on Windows systems but are installed and packaged for target, native, and nativesdk builds. Remove the distlib *.exe templates when not building for a mingw (mingw32/mingw64) host to avoid shipping unused Windows binaries and reduce package noise. (From OE-Core rev: 9f2a6cfda6a2305f52411ca8121f27c8a5a91fa2) Signed-off-by: Krupal Ka Patel <krkapate@cisco.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 90d208fbb06b6e6b5aaddb0048fd6e2e1d46c8bd) Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev> python3-setuptools: drop Windows launcher executables on non-mingw builds 2026-03-25T17:34:13+00:00 Krupal Ka Patel krkapate@cisco.com 2026-03-09T05:19:33+00:00 urn:sha1:8acfa6cc83191a62fef0f451aff493ac60e0ee34 setuptools installs Windows launcher executables (cli*.exe, gui*.exe) into site-packages. These binaries are only used on Windows platforms but are packaged for target, native, and nativesdk builds. Remove the Windows launcher executables when not building for a mingw (mingw32/mingw64) host to avoid shipping unused Windows binaries. (From OE-Core rev: a618c504ba69d20eec08944c577b15a48b1ac578) Signed-off-by: Krupal Ka Patel <krkapate@cisco.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit cf7c79f3962f2be99cfda47e8cc730091e6a18cb) Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev> python3-pip: Fix CVE-2026-1703 2026-03-25T17:34:13+00:00 Vijay Anusuri vanusuri@mvista.com 2026-03-11T06:35:13+00:00 urn:sha1:49bfa3f8e0d12fde399b45b1690c89c9a0489224 Pick patch according to [1] [1] https://security-tracker.debian.org/tracker/CVE-2026-1703 [2] https://nvd.nist.gov/vuln/detail/CVE-2026-1703 [3] https://github.com/pypa/pip/pull/13777 (From OE-Core rev: 29c72a4729a42f75af47b6a7e04c9d52155e3c1f) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev> python-urllib3: Backport fix for CVE-2026-21441 2026-02-16T09:52:35+00:00 Adarsh Jagadish Kamini adarsh.jagadish.kamini@est.tech 2026-01-30T07:46:07+00:00 urn:sha1:54e7eb595192794693d65789da18bdf959a7ec84 Include the patch linked in the NVD report : https://nvd.nist.gov/vuln/detail/CVE-2026-21441 (From OE-Core rev: bf85dff7bf4340a691df3da21f04a651fff11a17) Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>