| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
| |
References:
https://nvd.nist.gov/vuln/detail/CVE-2025-66418
https://nvd.nist.gov/vuln/detail/CVE-2025-66471
(From OE-Core rev: d9f52c5f86bcc4716e384fe5c01c03d386d60446)
Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If the value passed to os.path.expandvars() is user-controlled a
performance degradation is possible when expanding environment variables.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-6075
Upstream-patch:
https://github.com/python/cpython/commit/9ab89c026aa9611c4b0b67c288b8303a480fe742
(From OE-Core rev: 5313fa5236cd3943f90804de2af81358971894bc)
Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Drop upstreamed patch and refresh remaining patches.
Release information:
* https://www.python.org/downloads/release/python-31212/
* The release you're looking at is Python 3.12.12, a security bugfix
release for the legacy 3.12 series.
Handles CVE-2025-59375.
(From OE-Core rev: f1234b8451ba843b5f9ec1d2066c21f54d6bc3b8)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-9375
https://security-tracker.debian.org/tracker/CVE-2025-9375
https://git.launchpad.net/ubuntu/+source/python-xmltodict/commit/?id=e8110a20e00d80db31d5fc9f8f4577328385d6b6
Upstream-patch:
https://github.com/martinblech/xmltodict/commit/ecd456ab88d379514b116ef9293318b74e5ed3ee
https://github.com/martinblech/xmltodict/commit/f98c90f071228ed73df997807298e1df4f790c33
(From OE-Core rev: 30624cce634cade0b030aa71a03be754abbf3da9)
Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When Bash runs with 'set -u' (nounset), accessing an unset variable
directly (e.g. [ -z "$SSL_CERT_FILE" ]) causes a fatal "unbound variable"
error. As a result, the fallback logic to set SSL_CERT_FILE/SSL_CERT_DIR
is never triggered and the script aborts.
The current code assumes these variables may be unset or empty, but does
not guard against 'set -u'. This breaks builds in stricter shell
environments or when users explicitly enable 'set -u'.
Fix this by using parameter expansion with a default value, e.g.
"${SSL_CERT_FILE:-}", so that unset variables are treated as empty
strings. This preserves the intended logic (respect host env first, then
CAFILE/CAPATH, then buildtools defaults) and makes the script robust
under 'set -u'.
(From OE-Core rev: 4cf131ebd157b79226533b5a5074691dd0e1a4ab)
Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 4d880c2eccd534133a2a4e6579d955605c0956ec)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
| |
Pick commit from 3.12 branch mentioned in NVD report.
https://nvd.nist.gov/vuln/detail/CVE-2025-8194
(From OE-Core rev: 34f1b4877a0601d2057453c159c76a54754f229a)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There are two "new" CVEs reported for python3, their CPEs are:
* CVE-2020-1171: cpe:2.3:a:microsoft:python:*:*:*:*:*:visual_studio_code:*:* (< 2020.5.0)
* CVE-2020-1192: cpe:2.3:a:microsoft:python:*:*:*:*:*:visual_studio_code:*:* (< 2020.5.0)
These are for "Visual Studio Code Python extension".
Solve this by addding CVE vendor to python CVE product to avoid
confusion with Microsoft as vendor.
Examining CVE DB for historical python entries shows:
sqlite> select vendor, product, count(*) from products where product = 'python' or product = 'cpython'
...> or product like 'python%3' group by vendor, product;
microsoft|python|2
python|python|1054
python_software_foundation|python|2
Note that this already shows that cpython product is not used, so
CVE-2023-33595 mentioned in 62598e1138f21a16d8b1cdd1cfe902aeed854c5c
was updated.
But let's keep it for future in case new CVE starts with that again.
(From OE-Core rev: 72369cd66f78a371608c3fff205e0e96c248f2b3)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
urllib3 is a user-friendly HTTP client library for Python. Prior to
2.5.0, it is possible to disable redirects for all requests by
instantiating a PoolManager and specifying retries in a way that
disable redirects. By default, requests and botocore users are not
affected. An application attempting to mitigate SSRF or open redirect
vulnerabilities by disabling redirects at the PoolManager level will
remain vulnerable. This issue has been patched in version 2.5.0.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-50181
Upstream patch:
https://github.com/urllib3/urllib3/commit/f05b1329126d5be6de501f9d1e3e36738bc08857
(From OE-Core rev: cf10eafb333daf8acfd3b8bfcb42c1fe6c26a8a5)
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
| |
Changelog:
https://requests.readthedocs.io/en/latest/community/updates/#release-history
(From OE-Core rev: 0f0a06ccef45792f65b823ecc0ef10525d94084f)
Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Drop upstreamed patch and refresh remaining patches.
* https://www.python.org/downloads/release/python-31210/
Python 3.12.10 is the latest maintenance release of Python 3.12, and
the last full maintenance release. Subsequent releases of 3.12 will be
security-fixes only.
* https://www.python.org/downloads/release/python-31211/
Security content in this release
* gh-135034: [CVE 2024-12718] [CVE 2025-4138] [CVE 2025-4330]
[CVE 2025-4435] [CVE 2025-4517] Fixes multiple issues that allowed
tarfile extraction filters (filter="data" and filter="tar") to be
bypassed using crafted symlinks and hard links.
* gh-133767: Fix use-after-free in the “unicode-escape” decoder with a
non-“strict” error handler.
* gh-128840: Short-circuit the processing of long IPv6 addresses early
in ipaddress to prevent excessive memory consumption and a minor
denial-of-service.
gh-133767 got meawhile CVE-2025-4516 assigned.
(From OE-Core rev: 6cca08b2857efd5481e837ecd6bb295cb8a99ee1)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Upstream-Status: Backport from
https://github.com/pypa/setuptools/commit/d8390feaa99091d1ba9626bec0e4ba7072fc507a
& https://github.com/pypa/setuptools/commit/250a6d17978f9f6ac3ac887091f2d32886fbbb0b
(From OE-Core rev: 9769cd99c32faf7d95a7cab07b8550b438ccaf0c)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
To adapt user network enviroment, buildtools should first try to use
the user configured envs like SSL_CERT_FILE/CURL_CA_BUNDLE/..., if these
envs is not set, then use the auto-detected ca file and ca path, and
finally use the CA certificates in buildtools.
nativesdk-openssl set OPENSSLDIR as "/not/builtin", need set SSL_CERT_FILE/SSL_CERT_DIR to work
nativesdk-curl don't set default ca file, need
SSL_CERT_FILE/SSL_CERT_DIR or CURL_CA_BUNDLE/CURL_CA_PATH to work
nativesdk-git actually use libcurl, and GIT_SSL_CAPATH/GIT_SSL_CAINFO
also works
nativesdk-python3-requests will use cacert.pem under python module certifi by
default, need to set REQUESTS_CA_BUNDLE
(From OE-Core rev: 0653b96bac6d0800dc5154557706a323418808be)
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Here is one testcase:
For recipe tensorflow-lite-host-tools_2.18.0.bb, refer [1],
do_configure[network] = "1"
and it will git clone some repos in CMakeLists.txt
When buildtools is used and nativesdk-git is installed into sdk,
do_configure failed with error:
[1/9] Performing download step (git clone) for 'protobuf-populate'
Cloning into 'protobuf'...
fatal: unable to access 'https://github.com/protocolbuffers/protobuf/': error setting certificate file: /usr/local/oe-sdk-hardcoded-buildpath/sysroots/x86_64-wrlinuxsdk-linux/etc/ssl/certs/ca-certificates.crt
Fix by adding GIT_SSL_CAINFO in BB_ENV_PASSTHROUGH_ADDITIONS, so that
user can export GIT_SSL_CAINFO=${GIT_SSL_CAINFO} in their
do_configure:prepend() to fix above do_configure failure
CURL_CA_BUNDLE and REQUESTS_CA_BUNDLE is similar envvars, so all add
into BB_ENV_PASSTHROUGH_ADDITIONS
[1] https://github.com/nxp-imx/meta-imx/blob/styhead-6.12.3-1.0.0/meta-imx-ml/recipes-libraries/tensorflow-lite/tensorflow-lite-host-tools_2.18.0.bb
(From OE-Core rev: 27f018d8e8ace97d0b1cdfb8782a2a7a0a319816)
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
* make git,curl,python3-requests align with openssl, move the setting of
envvars into respective envfile
* for environment.d-openssl.sh, also check if ca-certificates.crt exist
before export envvars
(From OE-Core rev: 5f4fd544d3df7365224599c9efdce4e545f51d5e)
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Includes fix for - CVE-2024-56326, CVE-2025-27516, CVE-2024-56201
Changelog:
https://github.com/pallets/jinja/blob/3.1.6/CHANGES.rst
https://github.com/pallets/jinja/blob/3.1.5/CHANGES.rst
(From OE-Core rev: a935ef8f205c9510ebc5539c133960bc72504902)
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes https://bugzilla.yoctoproject.org/show_bug.cgi?id=15740
python3-setuptools-scm was ignoring GIT_CEILING_DIRECTORIES which is set by poky,
and it was thus finding a wrong value of "toplevel" in ./src/setuptools_scm/_file_finders/git.py
The code is supposed to generate the list of files contained in python3-setuptools-scm, but it was
instead running "git archive" on whatever git repository was above the build directory, because the
tarball containing the sources of python3-setuptools-scm does not contain a .git directory.
This is barely noticeable when building as a subdirectory of poky which is only 48MB, but this was
causing serious slowdowns of python3-setuptools-scm:do_compile when building
inside a big git repository with files tracked using git-lfs (50 minutes in my use-case).
Reported upstream as https://github.com/pypa/setuptools-scm/issues/1103
(From OE-Core rev: 4ebe72477484cf68165b6f736ce10373e97d0e6d)
(From OE-Core rev: 369eebad4f38c3641be73dbc0490c87636e0912d)
Signed-off-by: Etienne Cordonnier <ecordonnier@snap.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Release notes:
https://docs.python.org/release/3.12.9/whatsnew/changelog.html#python-3-12-9
Solves CVE-2025-0938, CVE-2024-12254 and 3 other vulnerabilities without
CVE number assigment.
Add a patch to fix failure of a new test.
(From OE-Core rev: 685b2719ae9b44c238e63942efabe52e5df7d640)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Changelog:
https://requests.readthedocs.io/en/latest/community/updates/#release-history
2.32.3 (2024-05-29)
* Bugfixes - Fixed bug breaking the ability to specify custom SSLContexts
in sub-classes of HTTPAdapter. (#6716)
* Fixed issue where Requests started failing to run on Python versions
compiled without the ssl module. (#6724)
2.32.2 (2024-05-21)
* Deprecations - To provide a more stable migration for custom HTTPAdapters
impacted by the CVE changes in 2.32.0, we’ve renamed _get_connection to a
new public API, get_connection_with_tls_context. Existing custom
HTTPAdapters will need to migrate their code to use this new API.
get_connection is considered deprecated in all versions of
Requests>=2.32.0.
* A minimal (2-line) example has been provided in the linked PR to ease
migration, but we strongly urge users to evaluate if their custom adapter
is subject to the same issue described in CVE-2024-35195. (#6710)
2.32.1 (2024-05-20)
* Bugfixes - Add missing test certs to the sdist distributed on PyPI.
https://github.com/psf/requests/compare/v2.32.0...v2.32.3
Also transition to using python_setuptools_build_meta.
(From OE-Core rev: e1787271b07c605df2843d82d65e1c3d2e2114e6)
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
| |
Changelog:
https://docs.python.org/release/3.12.8/whatsnew/changelog.html#python-3-12-8
(From OE-Core rev: db5081254adacf6c87269fd43af7199267ad535c)
Signed-off-by: Guðni Már Gilbert <gudni.m.g@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
| |
Changelog:
https://docs.python.org/release/3.12.7/whatsnew/changelog.html#python-3-12-7
(From OE-Core rev: 197048667f69ed559baf54831eb7b1606320f3e8)
Signed-off-by: Guðni Már Gilbert <gudni.m.g@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
importlib.metadata is part of -core, but that will import zipfile which
is part of -compression.
Obviously this shows that our packaging of the Python modules is not
optimal. I plan to follow up with a redesign of the splitting which
focuses on simply pulling out the larger or esoteric modules and
having a more featureful core.
(From OE-Core rev: 05166eafb99cf8c7adb6879277069ab384a2f8df)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
The fix brought by this patch is already part of python 3.12.3
therefore drop it.
(From OE-Core rev: 555623d2378138fdcfae95c04e06ba384cebab5b)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Looking at the history, python3-six was removed as a dependency
in the poetry.lock file in v1.5.2
Even before v1.5.2 and until now (v1.9.1) there is no code in
the package which imports the six module. So it can be safely
dropped from the recipe.
(From OE-Core rev: 09378088bba46b6e505f69381496da0ecd0ecf2c)
Signed-off-by: Guðni Már Gilbert <gudni.m.g@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://requests.readthedocs.io/en/latest/community/updates/#id2
2.32.2 (2024-05-21)
* Deprecations - To provide a more stable migration for custom HTTPAdapters
impacted by the CVE changes in 2.32.0, we’ve renamed _get_connection to a
new public API, get_connection_with_tls_context. Existing custom
HTTPAdapters will need to migrate their code to use this new API.
get_connection is considered deprecated in all versions of
Requests>=2.32.0.
* A minimal (2-line) example has been provided in the linked PR to ease
migration, but we strongly urge users to evaluate if their custom adapter
is subject to the same issue described in CVE-2024-35195. (#6710)
https://github.com/psf/requests/compare/v2.32.1...v2.32.2
(From OE-Core rev: 5b420f3526729809f11b187f48469a7a86d6a93a)
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
(From OE-Core rev: 32fdd5673c25084af4ba295b271455cd92ca09d5)
(From OE-Core rev: ee42ec7146a7c3ceb25c1e0f5afee93849cf9143)
Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A Denial of Service (DoS) vulnerability exists in the jaraco/zipp
library, affecting all versions prior to 3.19.1. The vulnerability is
triggered when processing a specially crafted zip file that leads to an
infinite loop. This issue also impacts the zipfile module of CPython, as
features from the third-party zipp library are later merged into
CPython, and the affected code is identical in both projects. The
infinite loop can be initiated through the use of functions affecting
the `Path` module in both zipp and zipfile, such as `joinpath`, the
overloaded division operator, and `iterdir`. Although the infinite loop
is not resource exhaustive, it prevents the application from responding.
The vulnerability was addressed in version 3.19.1 of jaraco/zipp.
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-5569
Upstream patches:
https://github.com/jaraco/zipp/pull/120/commits/79a309fe54dc6b7934fb72e9f31bcb58f2e9f547
https://github.com/jaraco/zipp/pull/120/commits/564fcc10cdbfdaecdb33688e149827465931c9e0
https://github.com/jaraco/zipp/pull/120/commits/58115d2be968644ce71ce6bcc9b79826c82a1806
https://github.com/jaraco/zipp/pull/120/commits/c18417ed2953e181728a7dac07bff88a2190abf7
(From OE-Core rev: ec77cfe12f0790c7e3cf2d9bf00e47b4c653997c)
Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* minor upgrade to fix building with gcc-14 on host
* contains 31 commits:
https://github.com/lxml/lxml/compare/lxml-5.0.0...lxml-5.0.2
the important one for gcc-14 is:
https://github.com/lxml/lxml/commit/663041a56a075a8fa1e6ca13ba4c6d1de7043ac2
* https://bugs.launchpad.net/lxml/+bug/2045435
* https://bugs.gentoo.org/917562
(From OE-Core rev: baa0ba7084533907c0735dcb58b4432e0b3072df)
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since there are vulnerabilities that cannot be detected by the existing
CVE_PRODUCT, add "python:setuptools" to CVE_PRODUCT.
https://nvd.nist.gov/vuln/detail/CVE-2013-1633
https://nvd.nist.gov/vuln/detail/CVE-2022-40897
(From OE-Core rev: 85b61bf9cefc024faefa083c37ce88ba9c7355e1)
Signed-off-by: Shunsuke Tokumoto <s-tokumoto@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit aa1c8d97efc6640a1cffa2459d9b20ad1f7309b0)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Includes security fixes for CVE-2024-7592, CVE-2024-8088, CVE-2024-6232,
CVE-2023-27043 and other bug fixes.
Removed below patches, as the fix is included in 3.12.6 upgrade:
1. CVE-2024-7592.patch
2. CVE-2024-8088.patch
Release Notes:
https://www.python.org/downloads/release/python-3126/
(From OE-Core rev: aa492b1fd5973c37b8fa2cd17d28199eba46afcc)
(From OE-Core rev: 6688a8ff2e1cbf6ad8ebd1b89ec6c929caf6a161)
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Python 3.12.5 is failing a newer ptest for reading/writing limited
history when editline (default) is set in PACKAGECONFIG. Skip it for now
until a proper fix (if any) is determined.
A bug has been opened upstream: https://github.com/python/cpython/issues/123018
(From OE-Core rev: de569ddffd5ea36b70c56df21dec9c892e5dee7d)
(From OE-Core rev: 98b3a3e3f79a3edaa4cf2cfbf58eb84553d65e1e)
Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Changelog: https://docs.python.org/release/3.12.5/whatsnew/changelog.html
(From OE-Core rev: d9e2ebd6b24b802d1d4cd38b3b910e068c308809)
(From OE-Core rev: ae0e8f6932359959535e901e64bdb47189de14cd)
Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When bitbaking python3-rpds-py it built extension module as:
site-packages/rpds/rpds.cpython-312-armv7l-linux-gnueabihf.so
Which caused error on target:
root@qemuarm:~# python3 -c "from rpds import HashTrieMap, HashTrieSet, List"
Traceback (most recent call last):
File "<string>", line 1, in <module>
File "/usr/lib/python3.12/site-packages/rpds/__init__.py", line 1, in <module>
from .rpds import *
ModuleNotFoundError: No module named 'rpds.rpds'
Where as it should have been:
site-packages/rpds/rpds.cpython-312-arm-linux-gnueabihf.so
Associated upstream bug report:
https://github.com/PyO3/maturin/issues/2203
Associated upstream pull request:
https://github.com/PyO3/maturin/pull/2204
Note - mitigation has not been tested with musl:
https://github.com/PyO3/maturin/pull/2204#issuecomment-2323952320
(From OE-Core rev: 32a8a7379008cc6e367b7664c5b10b29f0bb8136)
(From OE-Core rev: d2f73e3840c21997b918d1f1cfae965c618c1076)
Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There is a HIGH severity vulnerability affecting the CPython "zipfile"
module. When iterating over names of entries in a zip archive (for example,
methodsof "zipfile.ZipFile" like "namelist()", "iterdir()", "extractall()",
etc) the process can be put into an infinite loop with a maliciously crafted
zip archive. This defect applies when reading only metadata or extracting
the contents of the zip archive. Programs that are not handling
user-controlled zip archives are not affected.
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-8088
Upstream-Patch:
https://github.com/corydolphin/flask-cors/commit/7ae310c56ac30e0b94fb42129aa377bf633256ec
(From OE-Core rev: 2d98276ba70ed6c44afecd42a7352f1b3030438f)
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There is a LOW severity vulnerability affecting CPython, specifically the
'http.cookies' standard library module. When parsing cookies that contained
backslashes for quoted characters in the cookie value, the parser would use
an algorithm with quadratic complexity, resulting in excess CPU resources
being used while parsing the value.
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-7592
Upstream-Patch:
https://github.com/python/cpython/commit/dcc3eaef98cd94d6cb6cb0f44bd1c903d04f33b1
(From OE-Core rev: 3bb9684eef5227e7b1280ee9051884310b0d0b7f)
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for
remote code execution via its download functions. These functions, which are used to download
packages from URLs provided by users or retrieved from package index servers, are susceptible
to code injection. If these functions are exposed to user-controlled inputs, such as package
URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-6345
Upstream-patch:
https://github.com/pypa/setuptools/commit/88807c7062788254f654ea8c03427adc859321f0
(From OE-Core rev: 468c5a4e12b9d38768b00151c55fd27b2b504f3b)
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
This package can be built using pep517 classes now.
(From OE-Core rev: a9ac262d9dbc57be6ac5c8905c803009e5c4ef4e)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit a32fa3e64d1daf5846c29403e9f258aea42212d3)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Certifi is a curated collection of Root Certificates for validating the
trustworthiness of SSL certificates while verifying the identity of TLS
hosts. Certifi starting in 2021.05.30 and prior to 2024.07.4 recognized
root certificates from `GLOBALTRUST`. Certifi 2024.07.04 removes root
certificates from `GLOBALTRUST` from the root store. These are in the
process of being removed from Mozilla's trust store. `GLOBALTRUST`'s root
certificates are being removed pursuant to an investigation which
identified "long-running and unresolved compliance issues."Certifi is a
curated collection of Root Certificates for validating the trustworthiness
of SSL certificates while verifying the identity of TLS hosts. Certifi
starting in 2021.05.30 and prior to 2024.07.4 recognized root certificates
from `GLOBALTRUST`. Certifi 2024.07.04 removes root certificates from
`GLOBALTRUST` from the root store. These are in the process of being removed
from Mozilla's trust store. `GLOBALTRUST`'s root certificates are being
removed pursuant to an investigation which identified "long-running and
unresolved compliance issues."
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-39689
Upstream-patch:
https://github.com/certifi/python-certifi/commit/bd8153872e9c6fc98f4023df9c2deaffea2fa463
(From OE-Core rev: 2ec1ba32a23611484e5d3819008bbab85336ae20)
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
python3-ctypes was dropped as a dependency in v19.2.0
(From OE-Core rev: 48c43d2ff467c067d1518dc55d8d6da39bea159a)
Signed-off-by: Guðni Már Gilbert <gudni.m.g@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 8d06116caf2382ad4782b9b2da50534d076a736d)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
| |
(From OE-Core rev: eb3868d99ef2d5fa9fafc9cf947209d81ab5f11f)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit d77511cc9add70857e4a9d7237b23d7d6ae14e98)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
This test is causing problems on the Autobuilder, so disable it for now.
(From OE-Core rev: 9eafd0c56b279a7c3025b0dcd00745baead15bb6)
Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit ac000b00ec615b3e51dda8d819015d5e7110ed88)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
These tests are causing hangs on the Autobuilder, so disable them for
now.
(From OE-Core rev: 141c348ce83552beae88e115d9c4db5802c6e0f4)
Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 291f37808f1a2b2fdc8190696867f974994457c0)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This fixes ptest failures on 32bit architectures
AssertionError:
Failed ptests:
{'python3': ['test_extractall_none_gid',
'test_extractall_none_gname',
'test_extractall_none_mode',
'test_extractall_none_mtime',
'test_extractall_none_uid',
'test_extractall_none_uname',
'setUpClass',
'python3']}
(From OE-Core rev: 371124fa4bf1a255a4fc646b028398db8c9f3681)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 43104b547cb79693c83df0882773ae8dd74b1d35)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
License-Update: Updated copyright year
Changelog:
==========
* Fix issue where specially crafted inputs to encode() could take exceptionally
long amount of time to process. [CVE-2024-3651]
(From OE-Core rev: b6f8938c8048d08e29233fa29f5104b044353cf7)
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Python 2.7 support was dropped in version 22.0.0
python3-six was dropped as a dependency in 22.0.0
(From OE-Core rev: d7ad0495c543ec952817860595c047e5e4263978)
Signed-off-by: Guðni Már Gilbert <gudnimar@noxmedical.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 6eab37a0cdcc6071f79aa5c8198df0b2ba23dd7a)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Python 2.7 support was dropped in version 3.2.0 and
python3-six dependency was subsequently dropped in version 3.2.1
(From OE-Core rev: 214d41b73d235176123fd78143747845aa9c951e)
Signed-off-by: Guðni Már Gilbert <gudnimar@noxmedical.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 50757cc95b3062f11a7455af33e7a7e74ea1d0f7)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
| |
2to3 module was dropped as a dependency in setuptools 58.0
(From OE-Core rev: 0d5cd1d867a826cf83fcaee3e8390b9defec47d1)
Signed-off-by: Guðni Már Gilbert <gudni.m.g@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Drop the following dependencies from RDEPENDS:
- python3-ndg-httpsclient
- python3-pyasn1
- python3-pyopenssl
Add a missing dependency into RDEPENDS:
- python3-certifi
Additional fix HOMEPAGE, the old link doesn't work
(From OE-Core rev: 3d9072c346bf7bdeecd6197df8b14e39399bdabd)
Signed-off-by: Guðni Már Gilbert <gudni.m.g@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Switch to use flit core since upstream changed.
They also changed the capitalisation under pypi.
The license didn't change but the file was renamed, probably as it wasn't
rst.
(From OE-Core rev: ac35432687624ad58ff6586446e5e73710658a68)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit e352680528b18c3cdae26233bef7cddc2771d42d)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This release contains numerous security updates and fixes to
regressions. Changelog:
https://docs.python.org/release/3.12.4/whatsnew/changelog.html#python-3-12-4-final
Results of ptests in core-image-ptest-python3 (qemux86-64):
== Tests result: SUCCESS ==
26 tests skipped:
test.test_asyncio.test_windows_events
test.test_asyncio.test_windows_utils test.test_gdb.test_backtrace
test.test_gdb.test_cfunction test.test_gdb.test_cfunction_full
test.test_gdb.test_misc test.test_gdb.test_pretty_print
test_asdl_parser test_clinic test_devpoll test_idle test_ioctl
test_kqueue test_launcher test_msilib test_startfile test_tcl
test_tix test_tkinter test_ttk test_ttk_textonly test_turtle
test_winapi test_winconsoleio test_winreg test_wmi
9 tests skipped (resource denied):
test_curses test_ossaudiodev test_smtpnet test_socketserver
test_urllib2net test_urllibnet test_winsound test_xmlrpc_net
test_zipfile64
454 tests OK.
Total duration: 2 min 45 sec
Total tests: run=41,470 skipped=1,548
Total test files: run=480/489 skipped=26 resource_denied=9
Result: SUCCESS
DURATION: 165
END: /usr/lib/python3/ptest
2024-06-10T17:03
STOP: ptest-runner
TOTAL: 1 FAIL: 0
(From OE-Core rev: 621b0298e1829a86002ebb57d99850907e775b43)
Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 012aeee398af4d4cce4012f71007cfb31266dd6c)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
| |
|
|
|
|
|
|
|
|
| |
These tests are causing hangs on the Autobuilder, so disable them for
now.
(From OE-Core rev: e3b4a05f19e3ba8f84b5d892b787e67bef565e48)
Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
|
