<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/poky.git/meta/recipes-devtools/python, branch yocto-5.0.4</title>
<subtitle>Mirror of git.yoctoproject.org/poky</subtitle>
<id>https://git.enea.com/cgit/linux/poky.git/atom?h=yocto-5.0.4</id>
<link rel='self' href='https://git.enea.com/cgit/linux/poky.git/atom?h=yocto-5.0.4'/>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/'/>
<updated>2024-09-25T12:07:47+00:00</updated>
<entry>
<title>python3: Upgrade 3.12.5 -&gt; 3.12.6</title>
<updated>2024-09-25T12:07:47+00:00</updated>
<author>
<name>Peter Marko</name>
<email>peter.marko@siemens.com</email>
</author>
<published>2024-09-17T21:34:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=d7249c50ecff3272afa699000884f17cce82222d'/>
<id>urn:sha1:d7249c50ecff3272afa699000884f17cce82222d</id>
<content type='text'>
Includes security fixes for CVE-2024-7592, CVE-2024-8088, CVE-2024-6232,
CVE-2023-27043 and other bug fixes.

Removed below patches, as the fix is included in 3.12.6 upgrade:
1. CVE-2024-7592.patch
2. CVE-2024-8088.patch

Release Notes:
https://www.python.org/downloads/release/python-3126/

(From OE-Core rev: aa492b1fd5973c37b8fa2cd17d28199eba46afcc)

(From OE-Core rev: 6688a8ff2e1cbf6ad8ebd1b89ec6c929caf6a161)

Signed-off-by: Divya Chellam &lt;divya.chellam@windriver.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>python3: skip readline limited history tests</title>
<updated>2024-09-25T12:07:47+00:00</updated>
<author>
<name>Trevor Gamblin</name>
<email>tgamblin@baylibre.com</email>
</author>
<published>2024-09-17T21:34:23+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=b9a2619bc8dd5ae58dbaeb8e507be45fc8f97ad1'/>
<id>urn:sha1:b9a2619bc8dd5ae58dbaeb8e507be45fc8f97ad1</id>
<content type='text'>
Python 3.12.5 is failing a newer ptest for reading/writing limited
history when editline (default) is set in PACKAGECONFIG. Skip it for now
until a proper fix (if any) is determined.

A bug has been opened upstream: https://github.com/python/cpython/issues/123018

(From OE-Core rev: de569ddffd5ea36b70c56df21dec9c892e5dee7d)

(From OE-Core rev: 98b3a3e3f79a3edaa4cf2cfbf58eb84553d65e1e)

Signed-off-by: Trevor Gamblin &lt;tgamblin@baylibre.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>python3: upgrade 3.12.4 -&gt; 3.12.5</title>
<updated>2024-09-25T12:07:47+00:00</updated>
<author>
<name>Trevor Gamblin</name>
<email>tgamblin@baylibre.com</email>
</author>
<published>2024-09-17T21:34:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=a8086d489e076eb145832d7c59bba616dac51481'/>
<id>urn:sha1:a8086d489e076eb145832d7c59bba616dac51481</id>
<content type='text'>
Changelog: https://docs.python.org/release/3.12.5/whatsnew/changelog.html

(From OE-Core rev: d9e2ebd6b24b802d1d4cd38b3b910e068c308809)

(From OE-Core rev: ae0e8f6932359959535e901e64bdb47189de14cd)

Signed-off-by: Trevor Gamblin &lt;tgamblin@baylibre.com&gt;
Signed-off-by: Alexandre Belloni &lt;alexandre.belloni@bootlin.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>python3-maturin: Fix cross compilation issue for armv7l, mips64, ppc</title>
<updated>2024-09-19T12:11:35+00:00</updated>
<author>
<name>Niko Mauno</name>
<email>niko.mauno@vaisala.com</email>
</author>
<published>2024-09-06T09:01:51+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=c5126983d918ccffc474c8a4a283acd9c6f8daa9'/>
<id>urn:sha1:c5126983d918ccffc474c8a4a283acd9c6f8daa9</id>
<content type='text'>
When bitbaking python3-rpds-py it built extension module as:

  site-packages/rpds/rpds.cpython-312-armv7l-linux-gnueabihf.so

Which caused error on target:

  root@qemuarm:~# python3 -c "from rpds import HashTrieMap, HashTrieSet, List"
  Traceback (most recent call last):
    File "&lt;string&gt;", line 1, in &lt;module&gt;
    File "/usr/lib/python3.12/site-packages/rpds/__init__.py", line 1, in &lt;module&gt;
      from .rpds import *
  ModuleNotFoundError: No module named 'rpds.rpds'

Where as it should have been:

  site-packages/rpds/rpds.cpython-312-arm-linux-gnueabihf.so

Associated upstream bug report:
https://github.com/PyO3/maturin/issues/2203

Associated upstream pull request:
https://github.com/PyO3/maturin/pull/2204

Note - mitigation has not been tested with musl:
https://github.com/PyO3/maturin/pull/2204#issuecomment-2323952320

(From OE-Core rev: 32a8a7379008cc6e367b7664c5b10b29f0bb8136)

(From OE-Core rev: d2f73e3840c21997b918d1f1cfae965c618c1076)

Signed-off-by: Vesa Jääskeläinen &lt;vesa.jaaskelainen@vaisala.com&gt;
Signed-off-by: Niko Mauno &lt;niko.mauno@vaisala.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>python3: Fix CVE-2024-8088</title>
<updated>2024-09-09T13:08:10+00:00</updated>
<author>
<name>Soumya Sambu</name>
<email>soumya.sambu@windriver.com</email>
</author>
<published>2024-09-03T12:50:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=31ea437bf7785201dd4fb04622ec97feba110c93'/>
<id>urn:sha1:31ea437bf7785201dd4fb04622ec97feba110c93</id>
<content type='text'>
There is a HIGH severity vulnerability affecting the CPython "zipfile"
module. When iterating over names of entries in a zip archive (for example,
methodsof "zipfile.ZipFile" like "namelist()", "iterdir()", "extractall()",
etc) the process can be put into an infinite loop with a maliciously crafted
zip archive. This defect applies when reading only metadata or extracting
the contents of the zip archive. Programs that are not handling
user-controlled zip archives are not affected.

References:
https://nvd.nist.gov/vuln/detail/CVE-2024-8088

Upstream-Patch:
https://github.com/corydolphin/flask-cors/commit/7ae310c56ac30e0b94fb42129aa377bf633256ec

(From OE-Core rev: 2d98276ba70ed6c44afecd42a7352f1b3030438f)

Signed-off-by: Soumya Sambu &lt;soumya.sambu@windriver.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>python3: Fix CVE-2024-7592</title>
<updated>2024-09-09T13:08:10+00:00</updated>
<author>
<name>Soumya Sambu</name>
<email>soumya.sambu@windriver.com</email>
</author>
<published>2024-09-03T12:50:34+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=9541ad965035b28697b8df400d7b9bddc4d2519a'/>
<id>urn:sha1:9541ad965035b28697b8df400d7b9bddc4d2519a</id>
<content type='text'>
There is a LOW severity vulnerability affecting CPython, specifically the
'http.cookies' standard library module. When parsing cookies that contained
backslashes for quoted characters in the cookie value, the parser would use
an algorithm with quadratic complexity, resulting in excess CPU resources
being used while parsing the value.

References:
https://nvd.nist.gov/vuln/detail/CVE-2024-7592

Upstream-Patch:
https://github.com/python/cpython/commit/dcc3eaef98cd94d6cb6cb0f44bd1c903d04f33b1

(From OE-Core rev: 3bb9684eef5227e7b1280ee9051884310b0d0b7f)

Signed-off-by: Soumya Sambu &lt;soumya.sambu@windriver.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>python3-setuptools: Fix CVE-2024-6345</title>
<updated>2024-09-09T13:08:10+00:00</updated>
<author>
<name>Soumya Sambu</name>
<email>soumya.sambu@windriver.com</email>
</author>
<published>2024-09-01T17:17:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=67aa29393db111a67b64f3394a0c490c33946c02'/>
<id>urn:sha1:67aa29393db111a67b64f3394a0c490c33946c02</id>
<content type='text'>
A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for
remote code execution via its download functions. These functions, which are used to download
packages from URLs provided by users or retrieved from package index servers, are susceptible
to code injection. If these functions are exposed to user-controlled inputs, such as package
URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.

References:
https://nvd.nist.gov/vuln/detail/CVE-2024-6345

Upstream-patch:
https://github.com/pypa/setuptools/commit/88807c7062788254f654ea8c03427adc859321f0

(From OE-Core rev: 468c5a4e12b9d38768b00151c55fd27b2b504f3b)

Signed-off-by: Soumya Sambu &lt;soumya.sambu@windriver.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>python3-pycryptodome(x): use python_setuptools_build_meta build class</title>
<updated>2024-08-19T13:09:14+00:00</updated>
<author>
<name>Ross Burton</name>
<email>ross.burton@arm.com</email>
</author>
<published>2024-07-23T14:51:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=3866a30eeefac2925c1b1c1361289b02e1fed916'/>
<id>urn:sha1:3866a30eeefac2925c1b1c1361289b02e1fed916</id>
<content type='text'>
This package can be built using pep517 classes now.

(From OE-Core rev: a9ac262d9dbc57be6ac5c8905c803009e5c4ef4e)

Signed-off-by: Ross Burton &lt;ross.burton@arm.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
(cherry picked from commit a32fa3e64d1daf5846c29403e9f258aea42212d3)
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>python3-certifi: Fix CVE-2024-39689</title>
<updated>2024-08-19T13:09:14+00:00</updated>
<author>
<name>Soumya Sambu</name>
<email>soumya.sambu@windriver.com</email>
</author>
<published>2024-08-12T06:01:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=b69d8694554a675e57be0a89fb533cd311487f9f'/>
<id>urn:sha1:b69d8694554a675e57be0a89fb533cd311487f9f</id>
<content type='text'>
Certifi is a curated collection of Root Certificates for validating the
trustworthiness of SSL certificates while verifying the identity of TLS
hosts. Certifi starting in 2021.05.30 and prior to 2024.07.4 recognized
root certificates from `GLOBALTRUST`. Certifi 2024.07.04 removes root
certificates from `GLOBALTRUST` from the root store. These are in the
process of being removed from Mozilla's trust store. `GLOBALTRUST`'s root
certificates are being removed pursuant to an investigation which
identified "long-running and unresolved compliance issues."Certifi is a
curated collection of Root Certificates for validating the trustworthiness
of SSL certificates while verifying the identity of TLS hosts. Certifi
starting in 2021.05.30 and prior to 2024.07.4 recognized root certificates
from `GLOBALTRUST`. Certifi 2024.07.04 removes root certificates from
`GLOBALTRUST` from the root store. These are in the process of being removed
from Mozilla's trust store. `GLOBALTRUST`'s root certificates are being
removed pursuant to an investigation which identified "long-running and
unresolved compliance issues."

References:
https://nvd.nist.gov/vuln/detail/CVE-2024-39689

Upstream-patch:
https://github.com/certifi/python-certifi/commit/bd8153872e9c6fc98f4023df9c2deaffea2fa463

(From OE-Core rev: 2ec1ba32a23611484e5d3819008bbab85336ae20)

Signed-off-by: Soumya Sambu &lt;soumya.sambu@windriver.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>python3-attrs: drop python3-ctypes from RDEPENDS</title>
<updated>2024-08-01T13:08:09+00:00</updated>
<author>
<name>Guðni Már Gilbert</name>
<email>gudni.m.g@gmail.com</email>
</author>
<published>2024-07-20T13:07:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=3bb68d43299aa1fbecbba1cfcc52d0f5c3daa8a3'/>
<id>urn:sha1:3bb68d43299aa1fbecbba1cfcc52d0f5c3daa8a3</id>
<content type='text'>
python3-ctypes was dropped as a dependency in v19.2.0

(From OE-Core rev: 48c43d2ff467c067d1518dc55d8d6da39bea159a)

Signed-off-by: Guðni Már Gilbert &lt;gudni.m.g@gmail.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
(cherry picked from commit 8d06116caf2382ad4782b9b2da50534d076a736d)
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
</feed>
