summaryrefslogtreecommitdiffstats
path: root/meta/recipes-devtools/python
Commit message (Collapse)AuthorAgeFilesLines
* python3-pyopenssl: Fix CVE-2026-27459Vijay Anusuri2026-04-102-0/+107
| | | | | | | | | | | | | Pick patch mentioned in NVD [1] https://nvd.nist.gov/vuln/detail/CVE-2026-27459 [2] https://ubuntu.com/security/CVE-2026-27459 (From OE-Core rev: b46b806b2ef773d7061923e7bab9184fb758a6b4) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
* python3-pyopenssl: Fix CVE-2026-27448Vijay Anusuri2026-04-102-0/+129
| | | | | | | | | | | | | Pick patch mentioned in NVD [1] https://nvd.nist.gov/vuln/detail/CVE-2026-27448 [2] https://ubuntu.com/security/CVE-2026-27448 (From OE-Core rev: c95d2068281fd88427a2e0a996d69c3898473e63) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
* python3: upgrade 3.10.19 -> 3.10.20Vijay Anusuri2026-04-105-865/+1
| | | | | | | | | | | | | | | | | | Drop upstreamed patches. Release information: * https://www.python.org/downloads/release/python-31020/ * The release you're looking at is Python 3.10.20, a security bugfix release for the legacy 3.10 series. Handles CVE-2024-6923 CVE-2025-6075 CVE-2025-12084 CVE-2025-13836 CVE-2025-13837 CVE-2025-15282 CVE-2025-59375 CVE-2026-0865 CVE-2026-24515 CVE-2026-25210 (From OE-Core rev: 51e1581d337b674272c1a71dfc366387577bc5df) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> [YC: rebased on top of kirkstone] Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
* python3-pip: Fix CVE-2026-1703Vijay Anusuri2026-03-202-0/+38
| | | | | | | | | | | | | | Pick patch according to [1] [1] https://security-tracker.debian.org/tracker/CVE-2026-1703 [2] https://nvd.nist.gov/vuln/detail/CVE-2026-1703 [3] https://github.com/pypa/pip/pull/13777 (From OE-Core rev: 0535436a9ceedcf690001cd705be753de4e4915f) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
* python3: patch CVE-2025-12084Peter Marko2026-02-272-0/+172
| | | | | | | | | | Pick patch for this CVE merged into 3.10 branch. (From OE-Core rev: 8888cd14eb102574d530b6c683ce5beaad1aaa39) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
* python3: patch CVE-2025-13837Peter Marko2026-02-272-0/+163
| | | | | | | | | | Pick patch from 3.12 branch per NVD report. (From OE-Core rev: cfbac1d5edae4b0204ec4c01b5f710d100ceb2ad) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
* python3: fix CVE-2025-13836Hitendra Prajapati2026-01-262-0/+164
| | | | | | | | | | | Upstream-Status: Backport from https://github.com/python/cpython/commit/289f29b0fe38baf2d7cb5854f4bb573cc34a6a15 (From OE-Core rev: d3bcb5ded27003612ad591764f648e83e91c27ca) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* python3-urllib3: patch CVE-2025-66418Peter Marko2026-01-262-0/+75
| | | | | | | | | | | | | Pick patch per [1]. [1] https://nvd.nist.gov/vuln/detail/CVE-2025-66418 (From OE-Core rev: 469fcdd5f07635fa9e308c968126807c1ca09647) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* python3: fix CVE-2025-6075Praveen Kumar2025-12-012-0/+365
| | | | | | | | | | | | | | | | If the value passed to os.path.expandvars() is user-controlled a performance degradation is possible when expanding environment variables. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-6075 Upstream-patch: https://github.com/python/cpython/commit/892747b4cf0f95ba8beb51c0d0658bfaa381ebca (From OE-Core rev: 9a7f33d85355ffbe382aa175c04c64541e77b441) Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3-idna: Fix CVE-2024-3651Vijay Anusuri2025-12-012-0/+2486
| | | | | | | | | | | | | | import patch from debian to fix CVE-2024-3651 Upstream-Status: Backport [import from debian 3.3-1+deb12u1 Upstream commit https://github.com/kjd/idna/commit/5beb28b9dd77912c0dd656d8b0fdba3eb80222e7] (From OE-Core rev: 7359d3cdf2210e81a26d8712769f7e23bfbc1bb7) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3-urllib3: Upgrade 1.26.18 -> 1.26.20Soumya Sambu2025-11-191-1/+1
| | | | | | | | | | | | | Includes fix for CVE-2024-37891 Changelog: ---------- https://github.com/urllib3/urllib3/blob/1.26.20/CHANGES.rst (From OE-Core rev: 2e805113fe0488224f05524360eeff729dd12d91) Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* Don't use ftp.gnome.orgJason Schonberg2025-11-061-1/+1
| | | | | | | | | | | http://ftp.gnome.org/pub/gnome redirects to https://download.gnome.org bitbake.conf defines ${GNOME_MIRROR} to be https://download.gnome.org/sources/ (From OE-Core rev: 1e1993b72f2b6109ce3d0ef950553b74b2b37b27) Signed-off-by: Jason Schonberg <schonm@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3: upgrade 3.10.18 -> 3.10.19Peter Marko2025-10-243-222/+2
| | | | | | | | | | | | | | | | Drop upstreamed patch and refresh remaining patches. Release information: * https://www.python.org/downloads/release/python-31019/ * The release you're looking at is Python 3.10.19, a security bugfix release for the legacy 3.10 series. Handles CVE-2025-59375, CVE-2025-47273 and CVE-2024-6345. (From OE-Core rev: 9b3dbd691f6ebdbdfe88cef3d3a676ddd1399c63) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3-jinja2: upgrade 3.1.4 -> 3.1.6Soumya Sambu2025-10-031-1/+4
| | | | | | | | | | | | | | | | | Includes fix for - CVE-2024-56326, CVE-2025-27516, CVE-2024-56201 Changelog: https://github.com/pallets/jinja/blob/3.1.6/CHANGES.rst https://github.com/pallets/jinja/blob/3.1.5/CHANGES.rst (From OE-Core rev: a935ef8f205c9510ebc5539c133960bc72504902) (From OE-Core rev: 7108dccff524888d77f0e5e02d9cc4523a700a91) Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3: patch CVE-2025-8194Peter Marko2025-08-182-3/+223
| | | | | | | | | | Pick commit from 3.12 branch mentioned in NVD report. https://nvd.nist.gov/vuln/detail/CVE-2025-8194 (From OE-Core rev: 4ae9daf3d05530952a8b002257dd9afda2e077e4) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3: update CVE productPeter Marko2025-07-181-1/+1
| | | | | | | | | | | | | | | | | | | | | | There are two "new" CVEs reported for python3, their CPEs are: * CVE-2020-1171: cpe:2.3:a:microsoft:python:*:*:*:*:*:visual_studio_code:*:* (< 2020.5.0) * CVE-2020-1192: cpe:2.3:a:microsoft:python:*:*:*:*:*:visual_studio_code:*:* (< 2020.5.0) These are for "Visual Studio Code Python extension". Solve this by addding CVE vendor to python CVE product to avoid confusion with Microsoft as vendor. Examining CVE DB for historical python entries shows: sqlite> select vendor, product, count(*) from products where product = 'python' or product = 'cpython' ...> or product like 'python%3' group by vendor, product; microsoft|python|2 python|python|1054 python_software_foundation|python|2 (From OE-Core rev: 06f615e6939a22bc8f12b30d8dea582ab3ccebe6) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3-urllib3: fix CVE-2025-50181Yogita Urade2025-07-092-0/+218
| | | | | | | | | | | | | | | | | | | | | urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all requests by instantiating a PoolManager and specifying retries in a way that disable redirects. By default, requests and botocore users are not affected. An application attempting to mitigate SSRF or open redirect vulnerabilities by disabling redirects at the PoolManager level will remain vulnerable. This issue has been patched in version 2.5.0. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-50181 Upstream patch: https://github.com/urllib3/urllib3/commit/f05b1329126d5be6de501f9d1e3e36738bc08857 (From OE-Core rev: 574146765ea3f9b36532abf4ebc8bd2976396f0b) Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3-requests: fix CVE-2024-47081Jiaying Song2025-06-202-0/+38
| | | | | | | | | | | | | | | | | | | | Requests is a HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. Users should upgrade to version 2.32.4 to receive a fix. For older versions of Requests, use of the .netrc file can be disabled with `trust_env=False` on one's Requests Session. Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-47081 Upstream patch: https://github.com/psf/requests/commit/96ba401c1296ab1dda74a2365ef36d88f7d144ef (From OE-Core rev: 37d746033710509ffabc244e0130d20fd81d9673) Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3: upgrade 3.10.16 -> 3.10.18Peter Marko2025-06-1314-155/+23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Drop upstreamed patch and refresh remaining patches. * https://www.python.org/downloads/release/python-31017/ Security content in this release * gh-131809: Upgrade vendored expat to 2.7.1 * gh-80222: Folding of quoted string in display_name violates RFC * gh-121284: Invalid RFC 2047 address header after refolding with email.policy.default * gh-131261: Update libexpat to 2.7.0 * gh-105704: CVE-2025-0938 urlparse does not flag hostname containing [ or ] as incorrect * gh-119511: OOM vulnerability in the imaplib module * https://www.python.org/downloads/release/python-31018/ Security content in this release * gh-135034: [CVE 2024-12718] [CVE 2025-4138] [CVE 2025-4330] [CVE 2025-4435] [CVE 2025-4517] Fixes multiple issues that allowed tarfile extraction filters (filter="data" and filter="tar") to be bypassed using crafted symlinks and hard links. * gh-133767: Fix use-after-free in the “unicode-escape” decoder with a non-“strict” error handler. * gh-128840: Short-circuit the processing of long IPv6 addresses early in ipaddress to prevent excessive memory consumption and a minor denial-of-service. gh-133767 got meawhile CVE-2025-4516 assigned. (From OE-Core rev: 838a8b5ca148dfa6c6c2c76f1705d1e358a31648) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3-setuptools: Fix CVE-2025-47273Vijay Anusuri2025-06-133-0/+115
| | | | | | | | | | | Upstream-Status: Backport from https://github.com/pypa/setuptools/commit/d8390feaa99091d1ba9626bec0e4ba7072fc507a & https://github.com/pypa/setuptools/commit/250a6d17978f9f6ac3ac887091f2d32886fbbb0b (From OE-Core rev: 6b6e556a226100205427c85e8064f7640a9da25e) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3-setuptools: Fix CVE-2024-6345Soumya Sambu2025-05-022-0/+354
| | | | | | | | | | | | | | | | | | | | | A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0. References: https://nvd.nist.gov/vuln/detail/CVE-2024-6345 https://ubuntu.com/security/CVE-2024-6345 Upstream patch: https://github.com/pypa/setuptools/commit/88807c7062788254f654ea8c03427adc859321f0 (From OE-Core rev: 238c305ba2c513a070818de4b6ad4316b54050a7) Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3: patch CVE-2025-0938Peter Marko2025-04-012-0/+132
| | | | | | | | | | | Pick commit mentioned in NDV CVE report https://github.com/python/cpython/commit/b8b4b713c5f8ec0958c7ef8d29d6711889bc94ab which is on 3.10 branch. (From OE-Core rev: 70036b4ea0ab968adab82fc632bb967f95203de2) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3: Treat UID/GID overflow as failureKhem Raj2025-02-152-0/+41
| | | | | | | | | | | | | | | | | | | | | | | | This fixes ptest failures on 32bit architectures AssertionError: Failed ptests: {'python3': ['test_extractall_none_gid', 'test_extractall_none_gname', 'test_extractall_none_mode', 'test_extractall_none_mtime', 'test_extractall_none_uid', 'test_extractall_none_uname', 'setUpClass', 'python3']} (From OE-Core rev: 838f3cff2a123fb7d5833b6760772ded6efb60bd) Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 43104b547cb79693c83df0882773ae8dd74b1d35) Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3: upgrade 3.10.15 -> 3.10.16Peter Marko2025-01-092-2/+2
| | | | | | | | | Handles CVE-2024-50602, CVE-2024-11168 and CVE-2024-9287. (From OE-Core rev: 5a611fbbdb3e373d379f922ffc5606ff70279831) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3-requests: fix CVE-2024-35195Jiaying Song2024-12-162-1/+124
| | | | | | | | | | | | | | | | | | | | | Requests is a HTTP library. Prior to 2.32.0, when making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes to the value of `verify`. This behavior will continue for the lifecycle of the connection in the connection pool. This vulnerability is fixed in 2.32.0. References: https://nvd.nist.gov/vuln/detail/CVE-2024-35195 Upstream patches: https://github.com/psf/requests/commit/a58d7f2ffb4d00b46dca2d70a3932a0b37e22fac (From OE-Core rev: 8bc8d316a6e8ac08b4eb2b9e2ec30b1f2309c31c) Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3-zipp: fix CVE-2024-5569Hongxu Jia2024-12-096-0/+300
| | | | | | | | | | | | | | | | | | According to [1] which provided the fix link [2], but upstream author reworked it later [3][4][5] Backport and rebase all the patches for tracing [1] https://nvd.nist.gov/vuln/detail/CVE-2024-5569 [2] https://github.com/jaraco/zipp/commit/fd604bd34f0343472521a36da1fbd22e793e14fd [3] https://github.com/jaraco/zipp/commit/3cb5609002263eb19f7b5efda82d96f1f57fe876 [4] https://github.com/jaraco/zipp/commit/f89b93f0370dd85d23d243e25dfc1f99f4d8de48 [5] https://github.com/jaraco/zipp/commit/cc61e6140f0dfde2ff372db932442cf6df890f09 (From OE-Core rev: 13bd99e17f0aca108839e81e9aa0b14351116fdf) Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3-pip: fix CVE-2023-5752Jiaying Song2024-12-022-3/+39
| | | | | | | | | | | | | | | | | | | | When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial. References: https://nvd.nist.gov/vuln/detail/CVE-2023-5752 Upstream patches: https://github.com/pypa/pip/pull/12306/commits/389cb799d0da9a840749fcd14878928467ed49b4 (From OE-Core rev: 862c0338fba06077a26c775b49f993eac63762c9) Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3: ignore fixed CVEsPeter Marko2024-11-021-0/+2
| | | | | | | | | | | | These CVEs were fixed in 3.10.15 Commit 487e8cdf1df6feba6d88fa29e11791f4ebaaa362 removed patches in favor of version upgrade, which caused the CVEs to re-appear in reports. (From OE-Core rev: 2cf10084c56c83da3deff4e65e619afab80e08e1) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3: Upgrade 3.10.14 -> 3.10.15Divya Chellam2024-09-275-1030/+1
| | | | | | | | | | | | | | | | | | | Includes security fixes for CVE-2024-4030, CVE-2024-7592, CVE-2024-4032, CVE-2024-8088 CVE-2024-6232, CVE-2024-6923, CVE-2023-27043 and other bug fixes. Removed below patches, as the fixes included in 3.10.15 upgrade: 1. CVE-2023-27043.patch 2. CVE-2024-6232.patch 3. CVE-2024-7592.patch 4. CVE-2024-8088.patch Release Notes: https://www.python.org/downloads/release/python-31015/ (From OE-Core rev: e64ead97ae3d680f97bf85422f777cd77ae7c434) Signed-off-by: Divya Chellam <divya.chellam@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3: fix CVE-2023-27043Hitendra Prajapati2024-09-162-0/+511
| | | | | | | | | Upstream-Status: Backport from https://github.com/python/cpython/commit/2a9273a0e4466e2f057f9ce6fe98cd8ce570331b (From OE-Core rev: 793c22623e8b3da2ca8e28fe662d8428b0f805a7) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3: CVE-2024-6232 CVE-2024-7592 fixesHugo SIMELIERE2024-09-163-0/+393
| | | | | | | | | | Upstream-Status: Backport from https://github.com/python/cpython/commit/b2f11ca7667e4d57c71c1c88b255115f16042d9a Upstream-Status: Backport from https://github.com/python/cpython/commit/743acbe872485dc18df4d8ab2dc7895187f062c4 (From OE-Core rev: 3e5697687c8fb0aa6312773b233442b8df974feb) Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3: Security fix for CVE-2024-8088Rohini Sangam2024-09-072-0/+125
| | | | | | | | | | | | CVE fixed: - CVE-2024-8088: python: cpython: denial of service in zipfile Upstream-Status: Backport from https://github.com/python/cpython/commit/e0264a61119d551658d9445af38323ba94fc16db (From OE-Core rev: 295addec33c83443423a3ef87905c3a70f44a4e7) Signed-off-by: Rohini Sangam <rsangam@mvista.com> Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3: add PACKAGECONFIG[editline]Leon Anavi2024-08-281-2/+3
| | | | | | | | | | | | | Backport PACKAGECONFIG[editline] from Scarthgap to Kirkstone because libedit has feature parity with readline but is more permissively licensed (BSD verses GPLv3). This patch provides means of enabling editline in a distribution without GPLv3 and in this case improves Python REPL keyboard support. (From OE-Core rev: 12dc7d2081a1aaec90ffb3ed6718d757ce14b5ab) Signed-off-by: Leon Anavi <leon.anavi@konsulko.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3-pycryptodome(x): use python_setuptools_build_meta build classRoss Burton2024-08-162-2/+2
| | | | | | | | | | | This package can be built using pep517 classes now. (From OE-Core rev: 6c1000a2bbfe5e618e42bc5be2058332337d4177) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit a32fa3e64d1daf5846c29403e9f258aea42212d3) Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3-certifi: Fix CVE-2024-39689Soumya Sambu2024-08-162-0/+70
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi starting in 2021.05.30 and prior to 2024.07.4 recognized root certificates from `GLOBALTRUST`. Certifi 2024.07.04 removes root certificates from `GLOBALTRUST` from the root store. These are in the process of being removed from Mozilla's trust store. `GLOBALTRUST`'s root certificates are being removed pursuant to an investigation which identified "long-running and unresolved compliance issues."Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi starting in 2021.05.30 and prior to 2024.07.4 recognized root certificates from `GLOBALTRUST`. Certifi 2024.07.04 removes root certificates from `GLOBALTRUST` from the root store. These are in the process of being removed from Mozilla's trust store. `GLOBALTRUST`'s root certificates are being removed pursuant to an investigation which identified "long-running and unresolved compliance issues." References: https://nvd.nist.gov/vuln/detail/CVE-2024-39689 Upstream-patch: https://github.com/certifi/python-certifi/commit/bd8153872e9c6fc98f4023df9c2deaffea2fa463 (From OE-Core rev: 96c1e12dc6cb4c321a09a6ddcc4c9f27c30b4564) Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3-jinja2: Upgrade 3.1.3 -> 3.1.4Vijay Anusuri2024-07-241-4/+4
| | | | | | | | | | | | | | | | | | | Switch to use flit core since upstream changed. They also changed the capitalisation under pypi. The license didn't change but the file was renamed, probably as it wasn't rst. (From OE-Core rev: 58ee84c274b0c93902aad5d4f434daec5da55134) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit e352680528b18c3cdae26233bef7cddc2771d42d) Upgrade fixes CVE-2024-34064 Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3: Upgrade 3.10.13 -> 3.10.14Peter Marko2024-05-151-1/+1
| | | | | | | | | | | | | Addresses CVEs: * CVE-2023-52425 (bundled expat) * CVE-2023-6597 (https://github.com/python/cpython/pull/112840) News: https://github.com/python/cpython/blob/3.10/Misc/NEWS.d/3.10.14.rst (From OE-Core rev: e0b77aa347c03f520802c8235ae0389bb855c146) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3-urllib3: update to v1.26.18Tan Wen Yan2024-04-051-1/+1
| | | | | | | | | | | | | | | | https://github.com/urllib3/urllib3/releases/tag/1.26.18 Major changes in python3-urllib3 1.26.18: - Made body stripped from HTTP requests changing the request method to GET after HTTP 303 "See Other" redirect responses. (CVE-2023-45803) (cherry picked from OE-Core rev: 74da05b63634c248910594456dae286947f33da5) (From OE-Core rev: c473f32184ea0ab41f6eb4c8dcc1d7bb5fd7b16f) Signed-off-by: Tan Wen Yan <wen.yan.tan@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3-cryptography: Backport fix for CVE-2024-26130Vijay Anusuri2024-03-252-0/+67
| | | | | | | | | Upstream-Status: Backport from https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55 (From OE-Core rev: 7864c4605cde4851df644dd1d2867bd28d155710) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3-pycryptodome: Fix CVE-2023-52323Narpat Mali2024-02-154-0/+875
| | | | | | | | | | | | | | PyCryptodome and pycryptodomex before 3.19.1 allow side-channel leakage for OAEP decryption, exploitable for a Manger attack. References: https://security-tracker.debian.org/tracker/CVE-2023-52323 https://github.com/Legrandin/pycryptodome/blob/master/Changelog.rst (From OE-Core rev: 04c9b6b081914005209bac8eeb9f417e7b989cca) Signed-off-by: Narpat Mali <narpat.mali@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3-jinja2: upgrade 3.1.2 -> 3.1.3Wang Mingyu2024-02-071-1/+1
| | | | | | | | | | | | | | | | | | Changelog: ========== -Fix compiler error when checking if required blocks in parent templates are empty. -xmlattr filter does not allow keys with spaces. -Make error messages stemming from invalid nesting of {% trans %} blocks more helpful (cherry picked from OE-Core rev: 8a0524464583d69df7746253f5020c2c125a8e1f) (From OE-Core rev: 0f0dcf520505d809599a63961ecb5b1e74053b24) Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3-jinja2: upgrade 3.1.1 -> 3.1.2Alexander Kanavin2024-02-071-1/+1
| | | | | | | | | | | | (cherry picked from OE-Core rev: 1e58fa1fff649a4ab07290d2b0e5a8d69d51ef16) (From OE-Core rev: 90960bdef877c5dc03cc2cb03c77139d6d1e2f8f) Signed-off-by: Alexander Kanavin <alex@linutronix.de> Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3-ptest: skip test_storlinesTrevor Gamblin2023-12-222-0/+33
| | | | | | | | | | | | | | [YOCTO #14933] test_storlines is yet another Python ptest that fails intermittently on the Yocto AB, so disable it during ptests for now. (From OE-Core rev: b71d5ec10f8e64fc6102c66dfc36151f2b0b3c86) Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> (cherry picked from commit d7b9f8157e6214a83b5495e8a32e11540ae65ff8) Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3-cryptography: fix CVE-2023-49083Narpat Mali2023-12-122-0/+54
| | | | | | | | | | | | | | | | | | | | cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability. This vulnerability has been patched in version 41.0.6. References: https://nvd.nist.gov/vuln/detail/CVE-2023-49083 https://security-tracker.debian.org/tracker/CVE-2023-49083 (From OE-Core rev: 2d104f78cd13a10640bc284c7fc8358bf305279c) Signed-off-by: Narpat Mali <narpat.mali@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3-jinja2: Fixed ptest result output as per the standardNarpat Mali2023-11-141-1/+1
| | | | | | | | | | | There was an extra space between the result and ':'. After removing extra space, the ptest result will be: result : testname -> result: testname (From OE-Core rev: 4bb6373e5f4a1330a063d1afe855d6c24d5461e7) Signed-off-by: Narpat Mali <narpat.mali@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3-urllib3: 1.26.15 -> 1.26.17Lee Chee Yang2023-10-181-1/+1
| | | | | | | | | | | | | | | | | 1.26.17 (2023-10-02) Added the Cookie header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via Retry.remove_headers_on_redirect. (CVE-2023-43804) 1.26.16 (2023-05-23) Fixed thread-safety issue where accessing a PoolManager with many distinct origins would cause connection pools to be closed while requests are in progress (#2954) (From OE-Core rev: 27a1de55a46b7b313eb2a6370e9d779a7cd49154) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3-urllib3: upgrade 1.26.14 -> 1.26.15Wang Mingyu2023-10-181-1/+1
| | | | | | | | | | | | | | | | | Changelog: ========== * Fix socket timeout value when "HTTPConnection" is reused ('#2645 <https://github.com/urllib3/urllib3/issues/2645>'__) * Remove "!" character from the unreserved characters in IPv6 Zone ID parsing ('#2899 <https://github.com/urllib3/urllib3/issues/2899>'__) * Fix IDNA handling of '\x80' byte ('#2901 <https://github.com/urllib3/urllib3/issues/2901>'__) (From OE-Core rev: a335ccbcc9913e79bfe958c41690b7efa189ae93) Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 8e062efbac29a81831c3060bcae601dc533d65dd) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3-urllib3: upgrade 1.26.13 -> 1.26.14Tim Orling2023-10-181-1/+1
| | | | | | | | | | | | | | | | https://github.com/urllib3/urllib3/blob/1.26.14/CHANGES.rst#12614-2023-01-11 1.26.14 (2023-01-11) Fixed parsing of port 0 (zero) returning None, instead of 0. (#2850) Removed deprecated getheaders() calls in contrib module. (From OE-Core rev: aefb7af6b56269d45170beb99e6c878bf2448b78) Signed-off-by: Tim Orling <tim.orling@konsulko.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 55ab1bf20e6893088acb6460e9004dac8e205559) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3-urllib3: upgrade 1.26.12 -> 1.26.13Alexander Kanavin2023-10-181-1/+1
| | | | | | | | | | | (From OE-Core rev: e8ae3247795d9333f6252bbec85a8e09c0c9cb48) Signed-off-by: Alexander Kanavin <alex@linutronix.de> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit b18552f69a2eb8900981a10ba386dc4f862b29c3) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3-urllib3: upgrade 1.26.11 -> 1.26.12wangmy2023-10-181-1/+1
| | | | | | | | | | (From OE-Core rev: 69a610b440b5e9e92931e43bd1c75230bb99f03e) Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> (cherry picked from commit cb05578af3ace6e3983f93e16d9ad1ac2a65fbe2) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>