<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/poky.git/meta/recipes-devtools/python, branch yocto-5.0.14</title>
<subtitle>Mirror of git.yoctoproject.org/poky</subtitle>
<id>https://git.enea.com/cgit/linux/poky.git/atom?h=yocto-5.0.14</id>
<link rel='self' href='https://git.enea.com/cgit/linux/poky.git/atom?h=yocto-5.0.14'/>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/'/>
<updated>2025-10-24T13:23:40+00:00</updated>
<entry>
<title>python3: upgrade 3.12.11 -&gt; 3.12.12</title>
<updated>2025-10-24T13:23:40+00:00</updated>
<author>
<name>Peter Marko</name>
<email>peter.marko@siemens.com</email>
</author>
<published>2025-10-16T16:11:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=2e5bb26c2c0b5956a7208867823dd703c382328a'/>
<id>urn:sha1:2e5bb26c2c0b5956a7208867823dd703c382328a</id>
<content type='text'>
Drop upstreamed patch and refresh remaining patches.

Release information:
* https://www.python.org/downloads/release/python-31212/
* The release you're looking at is Python 3.12.12, a security bugfix
  release for the legacy 3.12 series.

Handles CVE-2025-59375.

(From OE-Core rev: f1234b8451ba843b5f9ec1d2066c21f54d6bc3b8)

Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>python3-xmltodict: fix CVE-2025-9375</title>
<updated>2025-10-24T13:23:39+00:00</updated>
<author>
<name>Saravanan</name>
<email>saravanan.kadambathursubramaniyam@windriver.com</email>
</author>
<published>2025-10-13T11:52:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=2ab1bedda9e081dbf01d4c3069d247efc6c3c55e'/>
<id>urn:sha1:2ab1bedda9e081dbf01d4c3069d247efc6c3c55e</id>
<content type='text'>
Reference:
	https://nvd.nist.gov/vuln/detail/CVE-2025-9375
	https://security-tracker.debian.org/tracker/CVE-2025-9375
	https://git.launchpad.net/ubuntu/+source/python-xmltodict/commit/?id=e8110a20e00d80db31d5fc9f8f4577328385d6b6

Upstream-patch:
	https://github.com/martinblech/xmltodict/commit/ecd456ab88d379514b116ef9293318b74e5ed3ee
	https://github.com/martinblech/xmltodict/commit/f98c90f071228ed73df997807298e1df4f790c33

(From OE-Core rev: 30624cce634cade0b030aa71a03be754abbf3da9)

Signed-off-by: Saravanan &lt;saravanan.kadambathursubramaniyam@windriver.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>buildtools-tarball: fix unbound variable issues under 'set -u'</title>
<updated>2025-09-22T20:17:52+00:00</updated>
<author>
<name>Haixiao Yan</name>
<email>haixiao.yan.cn@windriver.com</email>
</author>
<published>2025-09-16T13:19:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=e3ce89324da1e33c17c9180ef846f41d92616254'/>
<id>urn:sha1:e3ce89324da1e33c17c9180ef846f41d92616254</id>
<content type='text'>
When Bash runs with 'set -u' (nounset), accessing an unset variable
directly (e.g. [ -z "$SSL_CERT_FILE" ]) causes a fatal "unbound variable"
error. As a result, the fallback logic to set SSL_CERT_FILE/SSL_CERT_DIR
is never triggered and the script aborts.

The current code assumes these variables may be unset or empty, but does
not guard against 'set -u'. This breaks builds in stricter shell
environments or when users explicitly enable 'set -u'.

Fix this by using parameter expansion with a default value, e.g.
"${SSL_CERT_FILE:-}", so that unset variables are treated as empty
strings. This preserves the intended logic (respect host env first, then
CAFILE/CAPATH, then buildtools defaults) and makes the script robust
under 'set -u'.

(From OE-Core rev: 4cf131ebd157b79226533b5a5074691dd0e1a4ab)

Signed-off-by: Haixiao Yan &lt;haixiao.yan.cn@windriver.com&gt;
Signed-off-by: Mathieu Dubois-Briand &lt;mathieu.dubois-briand@bootlin.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
(cherry picked from commit 4d880c2eccd534133a2a4e6579d955605c0956ec)
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>python3: patch CVE-2025-8194</title>
<updated>2025-08-20T14:37:19+00:00</updated>
<author>
<name>Peter Marko</name>
<email>peter.marko@siemens.com</email>
</author>
<published>2025-08-09T20:37:21+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=6d83b872af7421e1e4f18c999f356855116dc238'/>
<id>urn:sha1:6d83b872af7421e1e4f18c999f356855116dc238</id>
<content type='text'>
Pick commit from 3.12 branch mentioned in NVD report.
https://nvd.nist.gov/vuln/detail/CVE-2025-8194

(From OE-Core rev: 34f1b4877a0601d2057453c159c76a54754f229a)

Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>python3: update CVE product</title>
<updated>2025-07-21T16:07:21+00:00</updated>
<author>
<name>Peter Marko</name>
<email>peter.marko@siemens.com</email>
</author>
<published>2025-07-09T18:53:21+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=ae35f06bb16d4fb9d2cb99451bed0e7bda645476'/>
<id>urn:sha1:ae35f06bb16d4fb9d2cb99451bed0e7bda645476</id>
<content type='text'>
There are two "new" CVEs reported for python3, their CPEs are:
* CVE-2020-1171: cpe:2.3:a:microsoft:python:*:*:*:*:*:visual_studio_code:*:* (&lt; 2020.5.0)
* CVE-2020-1192: cpe:2.3:a:microsoft:python:*:*:*:*:*:visual_studio_code:*:* (&lt; 2020.5.0)
These are for "Visual Studio Code Python extension".

Solve this by addding CVE vendor to python CVE product to avoid
confusion with Microsoft as vendor.

Examining CVE DB for historical python entries shows:
sqlite&gt; select vendor, product, count(*) from products where product = 'python' or product = 'cpython'
   ...&gt; or product like 'python%3' group by vendor, product;
microsoft|python|2
python|python|1054
python_software_foundation|python|2

Note that this already shows that cpython product is not used, so
CVE-2023-33595 mentioned in 62598e1138f21a16d8b1cdd1cfe902aeed854c5c
was updated.
But let's keep it for future in case new CVE starts with that again.

(From OE-Core rev: 72369cd66f78a371608c3fff205e0e96c248f2b3)

Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>python3-urllib3: fix CVE-2025-50181</title>
<updated>2025-07-11T15:11:53+00:00</updated>
<author>
<name>Yogita Urade</name>
<email>yogita.urade@windriver.com</email>
</author>
<published>2025-07-04T10:35:38+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=23e57638efa26f6f65890cbe610bc557b6b33d7e'/>
<id>urn:sha1:23e57638efa26f6f65890cbe610bc557b6b33d7e</id>
<content type='text'>
urllib3 is a user-friendly HTTP client library for Python. Prior to
2.5.0, it is possible to disable redirects for all requests by
instantiating a PoolManager and specifying retries in a way that
disable redirects. By default, requests and botocore users are not
affected. An application attempting to mitigate SSRF or open redirect
vulnerabilities by disabling redirects at the PoolManager level will
remain vulnerable. This issue has been patched in version 2.5.0.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-50181

Upstream patch:
https://github.com/urllib3/urllib3/commit/f05b1329126d5be6de501f9d1e3e36738bc08857

(From OE-Core rev: cf10eafb333daf8acfd3b8bfcb42c1fe6c26a8a5)

Signed-off-by: Yogita Urade &lt;yogita.urade@windriver.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>python3-requests: upgrade 2.32.3 -&gt; 2.32.4</title>
<updated>2025-06-20T15:38:12+00:00</updated>
<author>
<name>Jiaying Song</name>
<email>jiaying.song.cn@windriver.com</email>
</author>
<published>2025-06-13T03:01:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=dbc06dd7b1ca7a24483d999a7e0fd75b3904f758'/>
<id>urn:sha1:dbc06dd7b1ca7a24483d999a7e0fd75b3904f758</id>
<content type='text'>
Changelog:
https://requests.readthedocs.io/en/latest/community/updates/#release-history

(From OE-Core rev: 0f0a06ccef45792f65b823ecc0ef10525d94084f)

Signed-off-by: Jiaying Song &lt;jiaying.song.cn@windriver.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>python3: upgrade 3.12.9 -&gt; 3.12.11</title>
<updated>2025-06-13T15:58:01+00:00</updated>
<author>
<name>Peter Marko</name>
<email>peter.marko@siemens.com</email>
</author>
<published>2025-06-08T21:43:27+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=c4f82e3fd561ac83c8c836e43d701cff36ca2f42'/>
<id>urn:sha1:c4f82e3fd561ac83c8c836e43d701cff36ca2f42</id>
<content type='text'>
Drop upstreamed patch and refresh remaining patches.

* https://www.python.org/downloads/release/python-31210/

  Python 3.12.10 is the latest maintenance release of Python 3.12, and
  the last full maintenance release. Subsequent releases of 3.12 will be
  security-fixes only.

* https://www.python.org/downloads/release/python-31211/

  Security content in this release
  * gh-135034: [CVE 2024-12718] [CVE 2025-4138] [CVE 2025-4330]
    [CVE 2025-4435] [CVE 2025-4517] Fixes multiple issues that allowed
    tarfile extraction filters (filter="data" and filter="tar") to be
    bypassed using crafted symlinks and hard links.
  * gh-133767: Fix use-after-free in the “unicode-escape” decoder with a
    non-“strict” error handler.
  * gh-128840: Short-circuit the processing of long IPv6 addresses early
    in ipaddress to prevent excessive memory consumption and a minor
    denial-of-service.

gh-133767 got meawhile CVE-2025-4516 assigned.

(From OE-Core rev: 6cca08b2857efd5481e837ecd6bb295cb8a99ee1)

Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>python3-setuptools: Fix CVE-2025-47273</title>
<updated>2025-06-11T15:17:34+00:00</updated>
<author>
<name>Vijay Anusuri</name>
<email>vanusuri@mvista.com</email>
</author>
<published>2025-06-05T07:14:10+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=6ba8b8a487f61d511904dd7263a58a794d3d3bb5'/>
<id>urn:sha1:6ba8b8a487f61d511904dd7263a58a794d3d3bb5</id>
<content type='text'>
Upstream-Status: Backport from
https://github.com/pypa/setuptools/commit/d8390feaa99091d1ba9626bec0e4ba7072fc507a
&amp; https://github.com/pypa/setuptools/commit/250a6d17978f9f6ac3ac887091f2d32886fbbb0b

(From OE-Core rev: 9769cd99c32faf7d95a7cab07b8550b438ccaf0c)

Signed-off-by: Vijay Anusuri &lt;vanusuri@mvista.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>buildtools-tarball: Make buildtools respects host CA certificates</title>
<updated>2025-05-02T15:20:12+00:00</updated>
<author>
<name>Changqing Li</name>
<email>changqing.li@windriver.com</email>
</author>
<published>2025-04-28T05:53:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=18206fc2dba1684bc96efecf95c65450f9577203'/>
<id>urn:sha1:18206fc2dba1684bc96efecf95c65450f9577203</id>
<content type='text'>
To adapt user network enviroment, buildtools should first try to use
the user configured envs like SSL_CERT_FILE/CURL_CA_BUNDLE/..., if these
envs is not set, then use the auto-detected ca file and ca path, and
finally use the CA certificates in buildtools.

nativesdk-openssl set OPENSSLDIR as "/not/builtin", need set SSL_CERT_FILE/SSL_CERT_DIR to work

nativesdk-curl don't set default ca file, need
SSL_CERT_FILE/SSL_CERT_DIR or CURL_CA_BUNDLE/CURL_CA_PATH to work

nativesdk-git actually use libcurl, and GIT_SSL_CAPATH/GIT_SSL_CAINFO
also works

nativesdk-python3-requests will use cacert.pem under python module certifi by
default, need to set REQUESTS_CA_BUNDLE

(From OE-Core rev: 0653b96bac6d0800dc5154557706a323418808be)

Signed-off-by: Changqing Li &lt;changqing.li@windriver.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
</feed>
