From patchwork Tue Jan 6 07:33:25 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Gyorgy Sarvari
X-Patchwork-Id: 78047
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-python][kirkstone][PATCH 1/5] tinyproxy: patch CVE-2025-63938
Date: Tue, 6 Jan 2026 08:33:25 +0100
Message-ID: <20260106073334.3462222-1-skandigraun@gmail.com>
X-Mailer: git-send-email 2.52.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123163

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-63938

Pick the patch that is referenced by the NVD advisory.

Signed-off-by: Gyorgy Sarvari
---
 .../tinyproxy/tinyproxy/CVE-2025-63938.patch | 41 +++++++++++++++++++
 .../tinyproxy/tinyproxy_1.11.0.bb | 1 +
 2 files changed, 42 insertions(+)
 create mode 100644 meta-networking/recipes-support/tinyproxy/tinyproxy/CVE-2025-63938.patch

diff --git a/meta-networking/recipes-support/tinyproxy/tinyproxy/CVE-2025-63938.patch b/meta-networking/recipes-support/tinyproxy/tinyproxy/CVE-2025-63938.patch
new file mode 100644
index 0000000000..538908863e
--- /dev/null
+++ b/meta-networking/recipes-support/tinyproxy/tinyproxy/CVE-2025-63938.patch
@@ -0,0 +1,41 @@ +From 0e4906a4d4dd12f78870c418f0b68812a329a16a Mon Sep 17 00:00:00 2001 +From: rofl0r +Date: Fri, 17 Oct 2025 22:57:39 +0000 +Subject: [PATCH] reqs: fix integer overflow in port number processing + +closes #586 + +CVE: CVE-2025-63938 +Upstream-Status: Backport [https://github.com/tinyproxy/tinyproxy/commit/3c0fde94981b025271ffa1788ae425257841bf5a] +Signed-off-by: Gyorgy Sarvari +--- + src/reqs.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/src/reqs.c b/src/reqs.c +index cfa87ed..e4c0c77 100644 +--- a/src/reqs.c ++++ b/src/reqs.c +@@ -174,7 +174,7 @@ static int strip_return_port (char *host) + { + char *ptr1; + char *ptr2; +- int port; ++ unsigned port; + + ptr1 = strrchr (host, ':'); + if (ptr1 == NULL) +@@ -186,8 +186,11 @@ static int strip_return_port (char *host) + return 0; + + *ptr1++ = '\0'; +- if (sscanf (ptr1, "%d", &port) != 1) /* one conversion required */ +- return 0; ++ ++ port = atoi(ptr1); ++ /* check that port string is in the valid range 1-0xffff) */ ++ if(strlen(ptr1) > 5 || (port & 0xffff0000)) return 0; ++ + return port; + } + diff --git a/meta-networking/recipes-support/tinyproxy/tinyproxy_1.11.0.bb b/meta-networking/recipes-support/tinyproxy/tinyproxy_1.11.0.bb index 4ddb202268..57acbc451a 100644 --- a/meta-networking/recipes-support/tinyproxy/tinyproxy_1.11.0.bb +++ b/meta-networking/recipes-support/tinyproxy/tinyproxy_1.11.0.bb 
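Review bot: in the `@@ -186,8 +186,11 @@` hunk, the `strlen(ptr1) > 5` test is what keeps `atoi(ptr1)` within a range where its result is defined (at most five characters, so the value fits an int before the `port & 0xffff0000` mask runs, and a negative value such as `-1` wraps to a large unsigned and is rejected), but `atoi` still accepts a numeric prefix followed by trailing characters (`80x` parses as 80, the same leniency the replaced `sscanf("%d")` had), and a port of `0` passes the mask and is returned as 0, the same value the function returns when no port could be read. Parsing with `strtoul(ptr1, &end, 10)` and rejecting `*end != '\0'` or `port == 0 || port > 0xffff` would make the accepted syntax exact; also, the comment `valid range 1-0xffff)` has an unbalanced parenthesis.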
@@ -8,6 +8,7 @@ SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/${PV}/${BP}.tar.gz file://tinyproxy.service \ file://tinyproxy.conf \ file://CVE-2022-40468.patch \ + file://CVE-2025-63938.patch \ " SRC_URI[md5sum] = "658db5558ffb849414341b756a546a99"

From patchwork Tue Jan 6 07:33:26 2026
X-Patchwork-Submitter: Gyorgy Sarvari
X-Patchwork-Id: 78049
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-python][kirkstone][PATCH 2/5] python3-ipython: patch CVE-2023-24816
Date: Tue, 6 Jan 2026 08:33:26 +0100
Message-ID: <20260106073334.3462222-2-skandigraun@gmail.com>
X-Mailer: git-send-email 2.52.0
In-Reply-To: <20260106073334.3462222-1-skandigraun@gmail.com>
References: <20260106073334.3462222-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123164

Details: https://nvd.nist.gov/vuln/detail/CVE-2023-24816

Pick the patch referenced by the NVD report.

Signed-off-by: Gyorgy Sarvari
---
 .../python3-ipython/CVE-2023-24816.patch | 94 +++++++++++++++++++
 .../python/python3-ipython_8.2.0.bb | 1 +
 2 files changed, 95 insertions(+)
 create mode 100644 meta-python/recipes-devtools/python/python3-ipython/CVE-2023-24816.patch

diff --git a/meta-python/recipes-devtools/python/python3-ipython/CVE-2023-24816.patch b/meta-python/recipes-devtools/python/python3-ipython/CVE-2023-24816.patch
new file mode 100644
index 0000000000..e5f65fbb68
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-ipython/CVE-2023-24816.patch
@@ -0,0 +1,94 @@ +From 06db417ff15192d73ddac4bf0e2f20579d47b2e0 Mon Sep 17 00:00:00 2001 +From: Konstantin Weddige +Date: Sat, 3 Dec 2022 19:14:09 +0100 +Subject: [PATCH] Fix CVE-2023-24816 by removing legacy code. + +Remove legacy code that might trigger a CVE. + +Currently set_term_title is only called with (semi-)trusted input that +contain the current working directory of the current IPython session. If +an attacker can control directory names, and manage to get a user cd +into this directory the attacker can execute arbitrary commands +contained in the folder names. + +Example: + + - On a windows machine where python is built without _ctypes, create + a folder called && echo "pwn" > pwn.txt. This can be done by for + example cloning a git repository. + - call toggled_set_term_title(True), (or have the preference to + true) + - Open IPython and cd into this directory. + - the folder now contain a pwn.txt, with pwn as content, despite the + user not asking for any code execution. + +Workaround: + + Set the configuration option + c.TerminalInteractiveShell.term_title_format='IPython' (or to any + other fixed, safe string). + +CVE: CVE-2023-24816 +Upstream-Status: Backport [https://github.com/ipython/ipython/commit/385d69325319a5972ee9b5983638e3617f21cb1f] +Signed-off-by: Gyorgy Sarvari +--- + IPython/__init__.py | 2 +- + IPython/utils/terminal.py | 32 ++++++++------------------------ + 2 files changed, 9 insertions(+), 25 deletions(-) + +diff --git a/IPython/__init__.py b/IPython/__init__.py +index e12da90..20e6e48 100644 +--- a/IPython/__init__.py ++++ b/IPython/__init__.py +@@ -62,7 +62,7 @@ __version__ = release.version + version_info = release.version_info + # list of CVEs that should have been patched in this release. + # this is informational and should not be relied upon. 
+-__patched_cves__ = {"CVE-2022-21699"} ++__patched_cves__ = {"CVE-2022-21699", "CVE-2023-24816"} + + + def embed_kernel(module=None, local_ns=None, **kwargs): +diff --git a/IPython/utils/terminal.py b/IPython/utils/terminal.py +index 49fd3fe..d884799 100644 +--- a/IPython/utils/terminal.py ++++ b/IPython/utils/terminal.py +@@ -79,30 +79,14 @@ if os.name == 'posix': + _set_term_title = _set_term_title_xterm + _restore_term_title = _restore_term_title_xterm + elif sys.platform == 'win32': +- try: +- import ctypes +- +- SetConsoleTitleW = ctypes.windll.kernel32.SetConsoleTitleW +- SetConsoleTitleW.argtypes = [ctypes.c_wchar_p] +- +- def _set_term_title(title): +- """Set terminal title using ctypes to access the Win32 APIs.""" +- SetConsoleTitleW(title) +- except ImportError: +- def _set_term_title(title): +- """Set terminal title using the 'title' command.""" +- global ignore_termtitle +- +- try: +- # Cannot be on network share when issuing system commands +- curr = os.getcwd() +- os.chdir("C:") +- ret = os.system("title " + title) +- finally: +- os.chdir(curr) +- if ret: +- # non-zero return code signals error, don't try again +- ignore_termtitle = True ++ import ctypes ++ ++ SetConsoleTitleW = ctypes.windll.kernel32.SetConsoleTitleW ++ SetConsoleTitleW.argtypes = [ctypes.c_wchar_p] ++ ++ def _set_term_title(title): ++ """Set terminal title using ctypes to access the Win32 APIs.""" ++ SetConsoleTitleW(title) + + + def set_term_title(title): diff --git a/meta-python/recipes-devtools/python/python3-ipython_8.2.0.bb b/meta-python/recipes-devtools/python/python3-ipython_8.2.0.bb index 35af7dd4d8..197578ae41 100644 --- a/meta-python/recipes-devtools/python/python3-ipython_8.2.0.bb +++ b/meta-python/recipes-devtools/python/python3-ipython_8.2.0.bb 
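Review bot: the `IPython/utils/terminal.py` hunk removes the `except ImportError` fallback that built a command line by string concatenation (`os.system("title " + title)`), which is the shell-injection sink CVE-2023-24816 describes; the remaining path hands the title to `SetConsoleTitleW` as a single wide-string argument, so a directory name is never interpreted by a shell. Two follow-ups are worth checking outside the visible context: with the fallback gone, `import ctypes` now runs unconditionally in the `win32` branch, so an interpreter built without `_ctypes` fails at import of `IPython.utils.terminal` instead of degrading, and the `global ignore_termtitle` assignment that lived in the removed branch was the only writer of that flag in this hunk, so confirm nothing else relies on it being set.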
@@ -6,6 +6,7 @@ LIC_FILES_CHKSUM = "file://COPYING.rst;md5=59b20262b8663cdd094005bddf47af5f" PYPI_PACKAGE = "ipython" +SRC_URI += "file://CVE-2023-24816.patch" SRC_URI[sha256sum] = "70e5eb132cac594a34b5f799bd252589009905f05104728aea6a403ec2519dc1" RDEPENDS:${PN} = "\

From patchwork Tue Jan 6 07:33:27 2026
X-Patchwork-Submitter: Gyorgy Sarvari
X-Patchwork-Id: 78046
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-python][kirkstone][PATCH 3/5] python3-joblib: upgrade 1.1.0 -> 1.1.1
Date: Tue, 6 Jan 2026 08:33:27 +0100
Message-ID: <20260106073334.3462222-3-skandigraun@gmail.com>
X-Mailer: git-send-email 2.52.0
In-Reply-To: <20260106073334.3462222-1-skandigraun@gmail.com>
References: <20260106073334.3462222-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123165

The only change is a fix for CVE-2022-21797.

Signed-off-by: Gyorgy Sarvari
---
 .../python/{python3-joblib_1.1.0.bb => python3-joblib_1.1.1.bb} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta-python/recipes-devtools/python/{python3-joblib_1.1.0.bb => python3-joblib_1.1.1.bb} (80%)

diff --git a/meta-python/recipes-devtools/python/python3-joblib_1.1.0.bb b/meta-python/recipes-devtools/python/python3-joblib_1.1.1.bb
similarity index 80%
rename from meta-python/recipes-devtools/python/python3-joblib_1.1.0.bb
rename to meta-python/recipes-devtools/python/python3-joblib_1.1.1.bb
index e69cfefd1f..0ff6b643a2 100644
--- a/meta-python/recipes-devtools/python/python3-joblib_1.1.0.bb
+++ b/meta-python/recipes-devtools/python/python3-joblib_1.1.1.bb
@@ -4,7 +4,7 @@ LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=2e481820abf0a70a18011a30153df066" inherit setuptools3 pypi -SRC_URI[sha256sum] = "4158fcecd13733f8be669be0683b96ebdbbd38d23559f54dca7205aea1bf1e35" +SRC_URI[sha256sum] = "301f0375f49586a7effee3f6348c419d5765fca1c750186b20690a0d90b82900" RDEPENDS:${PN} += " \ python3-asyncio \

From patchwork Tue Jan 6 07:33:28 2026
X-Patchwork-Submitter: Gyorgy Sarvari
X-Patchwork-Id: 78050
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-python][kirkstone][PATCH 4/5] python3-pyjwt: patch CVE-2022-29217
Date: Tue, 6 Jan 2026 08:33:28 +0100
Message-ID: <20260106073334.3462222-4-skandigraun@gmail.com>
X-Mailer: git-send-email 2.52.0
In-Reply-To: <20260106073334.3462222-1-skandigraun@gmail.com>
References: <20260106073334.3462222-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123166

Details: https://nvd.nist.gov/vuln/detail/CVE-2022-29217

Pick the patch referenced by the NVD advisory.

Signed-off-by: Gyorgy Sarvari
---
 .../python/python3-pyjwt/CVE-2022-29217.patch | 295 ++++++++++++++++++
 .../python/python3-pyjwt_2.3.0.bb | 1 +
 2 files changed, 296 insertions(+)
 create mode 100644 meta-python/recipes-devtools/python/python3-pyjwt/CVE-2022-29217.patch

diff --git a/meta-python/recipes-devtools/python/python3-pyjwt/CVE-2022-29217.patch b/meta-python/recipes-devtools/python/python3-pyjwt/CVE-2022-29217.patch
new file mode 100644
index 0000000000..8bb80f39a4
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-pyjwt/CVE-2022-29217.patch
@@ -0,0 +1,295 @@ +From 0ab93eb55a182f190dea55cc048dcb50bf97724c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Padilla?= +Date: Thu, 12 May 2022 14:31:00 -0400 +Subject: [PATCH] Merge pull request from GHSA-ffqj-6fqr-9h24 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Co-authored-by: José Padilla + +CVE: CVE-2022-29217 +Upstream-Status: Backport [https://github.com/jpadilla/pyjwt/commit/9c528670c455b8d948aff95ed50e22940d1ad3fc] +Signed-off-by: Gyorgy Sarvari +--- + jwt/algorithms.py | 39 +++++++------- + jwt/utils.py | 61 ++++++++++++++++++++++ + tests/test_advisory.py | 109 +++++++++++++++++++++++++++++++++++++++ + tests/test_algorithms.py | 2 +- + 4 files changed, 189 insertions(+), 22 deletions(-) + create mode 100644 tests/test_advisory.py + +diff --git a/jwt/algorithms.py b/jwt/algorithms.py +index 1f8865a..1aa30ed 100644 +--- a/jwt/algorithms.py ++++ b/jwt/algorithms.py +@@ -9,6 +9,8 @@ from .utils import ( + der_to_raw_signature, + force_bytes, + from_base64url_uint, ++ is_pem_format, ++ is_ssh_key, + raw_to_der_signature, + to_base64url_uint, + ) +@@ -183,14 +185,7 @@ class HMACAlgorithm(Algorithm): + def prepare_key(self, key): + key = force_bytes(key) + +- invalid_strings = [ +- b"-----BEGIN PUBLIC KEY-----", +- b"-----BEGIN CERTIFICATE-----", +- b"-----BEGIN RSA PUBLIC KEY-----", +- b"ssh-rsa", +- ] +- +- if any(string_value in key for string_value in invalid_strings): ++ if is_pem_format(key) or is_ssh_key(key): + raise InvalidKeyError( + "The specified key is an asymmetric key or x509 certificate and" + " should not be used as an HMAC secret." 
+@@ -545,26 +540,28 @@ if has_crypto: + pass + + def prepare_key(self, key): +- +- if isinstance( +- key, +- (Ed25519PrivateKey, Ed25519PublicKey, Ed448PrivateKey, Ed448PublicKey), +- ): +- return key +- + if isinstance(key, (bytes, str)): + if isinstance(key, str): + key = key.encode("utf-8") + str_key = key.decode("utf-8") + + if "-----BEGIN PUBLIC" in str_key: +- return load_pem_public_key(key) +- if "-----BEGIN PRIVATE" in str_key: +- return load_pem_private_key(key, password=None) +- if str_key[0:4] == "ssh-": +- return load_ssh_public_key(key) ++ key = load_pem_public_key(key) ++ elif "-----BEGIN PRIVATE" in str_key: ++ key = load_pem_private_key(key, password=None) ++ elif str_key[0:4] == "ssh-": ++ key = load_ssh_public_key(key) ++ ++ # Explicit check the key to prevent confusing errors from cryptography ++ if not isinstance( ++ key, ++ (Ed25519PrivateKey, Ed25519PublicKey, Ed448PrivateKey, Ed448PublicKey), ++ ): ++ raise InvalidKeyError( ++ "Expecting a EllipticCurvePrivateKey/EllipticCurvePublicKey. 
Wrong key provided for EdDSA algorithms" ++ ) + +- raise TypeError("Expecting a PEM-formatted or OpenSSH key.") ++ return key + + def sign(self, msg, key): + """ +diff --git a/jwt/utils.py b/jwt/utils.py +index 9dde10c..8ab73b4 100644 +--- a/jwt/utils.py ++++ b/jwt/utils.py +@@ -1,5 +1,6 @@ + import base64 + import binascii ++import re + from typing import Any, Union + + try: +@@ -97,3 +98,63 @@ def raw_to_der_signature(raw_sig: bytes, curve: EllipticCurve) -> bytes: + s = bytes_to_number(raw_sig[num_bytes:]) + + return encode_dss_signature(r, s) ++ ++ ++# Based on https://github.com/hynek/pem/blob/7ad94db26b0bc21d10953f5dbad3acfdfacf57aa/src/pem/_core.py#L224-L252 ++_PEMS = { ++ b"CERTIFICATE", ++ b"TRUSTED CERTIFICATE", ++ b"PRIVATE KEY", ++ b"PUBLIC KEY", ++ b"ENCRYPTED PRIVATE KEY", ++ b"OPENSSH PRIVATE KEY", ++ b"DSA PRIVATE KEY", ++ b"RSA PRIVATE KEY", ++ b"RSA PUBLIC KEY", ++ b"EC PRIVATE KEY", ++ b"DH PARAMETERS", ++ b"NEW CERTIFICATE REQUEST", ++ b"CERTIFICATE REQUEST", ++ b"SSH2 PUBLIC KEY", ++ b"SSH2 ENCRYPTED PRIVATE KEY", ++ b"X509 CRL", ++} ++ ++_PEM_RE = re.compile( ++ b"----[- ]BEGIN (" ++ + b"|".join(_PEMS) ++ + b""")[- ]----\r? ++.+?\r? 
++----[- ]END \\1[- ]----\r?\n?""", ++ re.DOTALL, ++) ++ ++ ++def is_pem_format(key: bytes) -> bool: ++ return bool(_PEM_RE.search(key)) ++ ++ ++# Based on https://github.com/pyca/cryptography/blob/bcb70852d577b3f490f015378c75cba74986297b/src/cryptography/hazmat/primitives/serialization/ssh.py#L40-L46 ++_CERT_SUFFIX = b"-cert-v01@openssh.com" ++_SSH_PUBKEY_RC = re.compile(br"\A(\S+)[ \t]+(\S+)") ++_SSH_KEY_FORMATS = [ ++ b"ssh-ed25519", ++ b"ssh-rsa", ++ b"ssh-dss", ++ b"ecdsa-sha2-nistp256", ++ b"ecdsa-sha2-nistp384", ++ b"ecdsa-sha2-nistp521", ++] ++ ++ ++def is_ssh_key(key: bytes) -> bool: ++ if any(string_value in key for string_value in _SSH_KEY_FORMATS): ++ return True ++ ++ ssh_pubkey_match = _SSH_PUBKEY_RC.match(key) ++ if ssh_pubkey_match: ++ key_type = ssh_pubkey_match.group(1) ++ if _CERT_SUFFIX == key_type[-len(_CERT_SUFFIX) :]: ++ return True ++ ++ return False +diff --git a/tests/test_advisory.py b/tests/test_advisory.py +new file mode 100644 +index 0000000..f70f54b +--- /dev/null ++++ b/tests/test_advisory.py +@@ -0,0 +1,109 @@ ++import jwt ++import pytest ++from jwt.exceptions import InvalidKeyError ++ ++priv_key_bytes = b'''-----BEGIN PRIVATE KEY----- ++MC4CAQAwBQYDK2VwBCIEIIbBhdo2ah7X32i50GOzrCr4acZTe6BezUdRIixjTAdL ++-----END PRIVATE KEY-----''' ++ ++pub_key_bytes = b'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPL1I9oiq+B8crkmuV4YViiUnhdLjCp3hvy1bNGuGfNL' ++ ++ssh_priv_key_bytes = b"""-----BEGIN EC PRIVATE KEY----- ++MHcCAQEEIOWc7RbaNswMtNtc+n6WZDlUblMr2FBPo79fcGXsJlGQoAoGCCqGSM49 ++AwEHoUQDQgAElcy2RSSSgn2RA/xCGko79N+7FwoLZr3Z0ij/ENjow2XpUDwwKEKk ++Ak3TDXC9U8nipMlGcY7sDpXp2XyhHEM+Rw== ++-----END EC PRIVATE KEY-----""" ++ ++ssh_key_bytes = b"""ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJXMtkUkkoJ9kQP8QhpKO/TfuxcKC2a92dIo/xDY6MNl6VA8MChCpAJN0w1wvVPJ4qTJRnGO7A6V6dl8oRxDPkc=""" ++ ++ ++class TestAdvisory: ++ def test_ghsa_ffqj_6fqr_9h24(self): ++ # Generate ed25519 private key ++ # private_key = 
ed25519.Ed25519PrivateKey.generate() ++ ++ # Get private key bytes as they would be stored in a file ++ # priv_key_bytes = private_key.private_bytes( ++ # encoding=serialization.Encoding.PEM, ++ # format=serialization.PrivateFormat.PKCS8, ++ # encryption_algorithm=serialization.NoEncryption(), ++ # ) ++ ++ # Get public key bytes as they would be stored in a file ++ # pub_key_bytes = private_key.public_key().public_bytes( ++ # encoding=serialization.Encoding.OpenSSH, ++ # format=serialization.PublicFormat.OpenSSH, ++ # ) ++ ++ # Making a good jwt token that should work by signing it ++ # with the private key ++ # encoded_good = jwt.encode({"test": 1234}, priv_key_bytes, algorithm="EdDSA") ++ encoded_good = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJFZERTQSJ9.eyJ0ZXN0IjoxMjM0fQ.M5y1EEavZkHSlj9i8yi9nXKKyPBSAUhDRTOYZi3zZY11tZItDaR3qwAye8pc74_lZY3Ogt9KPNFbVOSGnUBHDg' ++ ++ # Using HMAC with the public key to trick the receiver to think that the ++ # public key is a HMAC secret ++ encoded_bad = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0ZXN0IjoxMjM0fQ.6ulDpqSlbHmQ8bZXhZRLFko9SwcHrghCwh8d-exJEE4' ++ ++ # Both of the jwt tokens are validated as valid ++ jwt.decode( ++ encoded_good, ++ pub_key_bytes, ++ algorithms=jwt.algorithms.get_default_algorithms(), ++ ) ++ ++ with pytest.raises(InvalidKeyError): ++ jwt.decode( ++ encoded_bad, ++ pub_key_bytes, ++ algorithms=jwt.algorithms.get_default_algorithms(), ++ ) ++ ++ # Of course the receiver should specify ed25519 algorithm to be used if ++ # they specify ed25519 public key. 
However, if other algorithms are used, ++ # the POC does not work ++ # HMAC specifies illegal strings for the HMAC secret in jwt/algorithms.py ++ # ++ # invalid_str ings = [ ++ # b"-----BEGIN PUBLIC KEY-----", ++ # b"-----BEGIN CERTIFICATE-----", ++ # b"-----BEGIN RSA PUBLIC KEY-----", ++ # b"ssh-rsa", ++ # ] ++ # ++ # However, OKPAlgorithm (ed25519) accepts the following in jwt/algorithms.py: ++ # ++ # if "-----BEGIN PUBLIC" in str_key: ++ # return load_pem_public_key(key) ++ # if "-----BEGIN PRIVATE" in str_key: ++ # return load_pem_private_key(key, password=None) ++ # if str_key[0:4] == "ssh-": ++ # return load_ssh_public_key(key) ++ # ++ # These should most likely made to match each other to prevent this behavior ++ ++ # POC for the ecdsa-sha2-nistp256 format. ++ # openssl ecparam -genkey -name prime256v1 -noout -out ec256-key-priv.pem ++ # openssl ec -in ec256-key-priv.pem -pubout > ec256-key-pub.pem ++ # ssh-keygen -y -f ec256-key-priv.pem > ec256-key-ssh.pub ++ ++ # Making a good jwt token that should work by signing it with the private key ++ # encoded_good = jwt.encode({"test": 1234}, ssh_priv_key_bytes, algorithm="ES256") ++ encoded_good = "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0ZXN0IjoxMjM0fQ.NX42mS8cNqYoL3FOW9ZcKw8Nfq2mb6GqJVADeMA1-kyHAclilYo_edhdM_5eav9tBRQTlL0XMeu_WFE_mz3OXg" ++ ++ # Using HMAC with the ssh public key to trick the receiver to think that the public key is a HMAC secret ++ # encoded_bad = jwt.encode({"test": 1234}, ssh_key_bytes, algorithm="HS256") ++ encoded_bad = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0ZXN0IjoxMjM0fQ.5eYfbrbeGYmWfypQ6rMWXNZ8bdHcqKng5GPr9MJZITU" ++ ++ # Both of the jwt tokens are validated as valid ++ jwt.decode( ++ encoded_good, ++ ssh_key_bytes, ++ algorithms=jwt.algorithms.get_default_algorithms() ++ ) ++ ++ with pytest.raises(InvalidKeyError): ++ jwt.decode( ++ encoded_bad, ++ ssh_key_bytes, ++ algorithms=jwt.algorithms.get_default_algorithms() ++ ) +diff --git a/tests/test_algorithms.py 
b/tests/test_algorithms.py +index b6a73fc..777c108 100644 +--- a/tests/test_algorithms.py ++++ b/tests/test_algorithms.py +@@ -669,7 +669,7 @@ class TestOKPAlgorithms: + def test_okp_ed25519_should_reject_non_string_key(self): + algo = OKPAlgorithm() + +- with pytest.raises(TypeError): ++ with pytest.raises(InvalidKeyError): + algo.prepare_key(None) + + with open(key_path("testkey_ed25519")) as keyfile: diff --git a/meta-python/recipes-devtools/python/python3-pyjwt_2.3.0.bb b/meta-python/recipes-devtools/python/python3-pyjwt_2.3.0.bb index 19ba30780e..ad84e59d57 100644 --- a/meta-python/recipes-devtools/python/python3-pyjwt_2.3.0.bb +++ b/meta-python/recipes-devtools/python/python3-pyjwt_2.3.0.bb 
@@ -5,6 +5,7 @@ HOMEPAGE = "http://github.com/jpadilla/pyjwt" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE;md5=68626705a7b513ca8d5f44a3e200ed0c" +SRC_URI += "file://CVE-2022-29217.patch" SRC_URI[sha256sum] = "b888b4d56f06f6dcd777210c334e69c737be74755d3e5e9ee3fe67dc18a0ee41" PYPI_PACKAGE = "PyJWT"

From patchwork Tue Jan 6 07:33:29 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 78048
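Review bot: the first test in is_ssh_key, `if any(string_value in key for string_value in _SSH_KEY_FORMATS)`, is an unanchored substring search over the whole key, so an HMAC secret that merely contains `ssh-rsa` or `ssh-ed25519` somewhere in its bytes is rejected as well, and `_SSH_PUBKEY_RC` is only consulted afterwards for the `-cert-v01@openssh.com` suffix. That is the right trade-off for an algorithm-confusion fix (a false positive is a loud InvalidKeyError, a false negative is an OpenSSH public key silently accepted as an HS256 secret), but it should be said in a comment on the helper, because a later cleanup that anchors the match to the start of the key would quietly narrow what it catches, and a comment gives anyone who hits the false positive the reason for it instead of an invitation to weaken the check.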
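Review bot: test_ghsa_ffqj_6fqr_9h24 never asserts on the return value of the two positive `jwt.decode(encoded_good, ...)` calls, so it only proves that the bad tokens raise InvalidKeyError and would still pass if the fix broke the legitimate EdDSA/ES256 path as long as decode did not raise; make them `assert jwt.decode(...) == {"test": 1234}`. The positive decodes also pass `algorithms=jwt.algorithms.get_default_algorithms()`, the same permissive list the advisory is about, which is fine for reproducing the report but means the test never exercises the recommended configuration of pinning `algorithms=["EdDSA"]` (and `["ES256"]` for the second case); one extra decode with the pinned list would document the intended usage next to the regression check. Minor: the comment `# invalid_str ings = [` has a stray space in the identifier, and `encoded_good`/`encoded_bad` are reassigned for the ES256 case, so a failing assertion does not say which of the two scenarios broke; distinct names such as `encoded_good_ed25519` and `encoded_good_es256` would fix that.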
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-python][kirkstone][PATCH 5/5] python3-mpmath: patch CVE-2021-29063 Date: Tue, 6 Jan 2026 08:33:29 +0100 Message-ID: <20260106073334.3462222-5-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20260106073334.3462222-1-skandigraun@gmail.com> References: <20260106073334.3462222-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 06 Jan 2026 07:33:46 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123167 Details: https://nvd.nist.gov/vuln/detail/CVE-2021-29063 Pick the patch referenced by the NVD advisory. Signed-off-by: Gyorgy Sarvari --- .../python3-mpmath/CVE-2021-29063.patch | 51 +++++++++++++++++++ .../python/python3-mpmath_1.2.1.bb | 1 + 2 files changed, 52 insertions(+) create mode 100644 meta-python/recipes-devtools/python/python3-mpmath/CVE-2021-29063.patch diff --git a/meta-python/recipes-devtools/python/python3-mpmath/CVE-2021-29063.patch b/meta-python/recipes-devtools/python/python3-mpmath/CVE-2021-29063.patch new file mode 100644 index 0000000000..3674a32ea1 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-mpmath/CVE-2021-29063.patch 
@@ -0,0 +1,51 @@ +From 2e196ba7e41a46b8cafa5971e559ca55171414dc Mon Sep 17 00:00:00 2001 +From: Vinzent Steinberg +Date: Wed, 10 Feb 2021 16:45:04 +0100 +Subject: [PATCH] Fix ReDOS vulnerability + +Fixes #548, with the workaround suggested by @yetingli. + +CVE: CVE-2021-29063 +Upstream-Status: Backport [https://github.com/mpmath/mpmath/commit/46d44c3c8f3244017fe1eb102d564eb4ab8ef750] +Signed-off-by: Gyorgy Sarvari +--- + mpmath/ctx_mp.py | 4 ++-- + mpmath/tests/test_convert.py | 10 ++++++++++ + 2 files changed, 12 insertions(+), 2 deletions(-) + +diff --git a/mpmath/ctx_mp.py b/mpmath/ctx_mp.py +index 39fc941..93594dd 100644 +--- a/mpmath/ctx_mp.py ++++ b/mpmath/ctx_mp.py +@@ -42,8 +42,8 @@ + + new = object.__new__ + +-get_complex = re.compile(r'^\(?(?P[\+\-]?\d*\.?\d*(e[\+\-]?\d+)?)??' +- r'(?P[\+\-]?\d*\.?\d*(e[\+\-]?\d+)?j)?\)?$') ++get_complex = re.compile(r'^\(?(?P[\+\-]?\d*(\.\d*)?(e[\+\-]?\d+)?)??' ++ r'(?P[\+\-]?\d*(\.\d*)?(e[\+\-]?\d+)?j)?\)?$') + + if BACKEND == 'sage': + from sage.libs.mpmath.ext_main import Context as BaseMPContext +diff --git a/mpmath/tests/test_convert.py b/mpmath/tests/test_convert.py +index 3e2f555..cf1a91d 100644 +--- a/mpmath/tests/test_convert.py ++++ b/mpmath/tests/test_convert.py +@@ -194,6 +194,16 @@ def test_mpmathify(): + assert mpmathify('(1.2e-10 - 3.4e5j)') == mpc('1.2e-10', '-3.4e5') + assert mpmathify('1j') == mpc(1j) + ++def test_issue548(): ++ try: ++ # This expression is invalid, but may trigger the ReDOS vulnerability ++ # in the regular expression. ++ mpmathify('(' + '1' * 5000 + '!j') ++ except: ++ return ++ # The expression is invalid and should raise an exception. ++ assert False ++ + def test_compatibility(): + try: + import numpy as np diff --git a/meta-python/recipes-devtools/python/python3-mpmath_1.2.1.bb b/meta-python/recipes-devtools/python/python3-mpmath_1.2.1.bb index 3337df4903..bf883e0e9f 100644 --- a/meta-python/recipes-devtools/python/python3-mpmath_1.2.1.bb 
+++ b/meta-python/recipes-devtools/python/python3-mpmath_1.2.1.bb @@ -6,6 +6,7 @@ HOMEPAGE = "https://pypi.org/project/mpmath/" LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=71970bd3749eebe1bfef9f1efff5b37a" +SRC_URI += "file://CVE-2021-29063.patch" SRC_URI[sha256sum] = "79ffb45cf9f4b101a807595bcb3e72e0396202e0b1d25d689134b48c4216a81a" inherit pypi setuptools3
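Review bot: as rendered here both the removed and the added `get_complex` lines read `(?P[\+\-]?...`, i.e. the group name between `(?P` and `[` is missing in each of the four named groups, which is not a valid Python pattern and would make `re.compile` fail at import of mpmath.ctx_mp; this looks like the `<name>` part being stripped as markup when the patch was pasted, so confirm that the file in the layer carries the group names exactly as upstream commit 46d44c3c8f3244017fe1eb102d564eb4ab8ef750 has them before this is merged. The fix itself is sound: `\d*\.?\d*` lets a long digit run be split between the two `\d*` quantifiers in a number of ways that grows with the input, and once the overall match fails at the tail (the `!j` in the new test) the engine retries every split, whereas `\d*(\.\d*)?` only admits a second digit run after a literal `.`, so each digit has exactly one place to go and matching stays linear. Worth a one-line comment next to `get_complex` saying the optional group exists to avoid catastrophic backtracking, since the two forms accept the same language and a later tidy-up could easily reintroduce the old shape.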
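Review bot: test_issue548 uses a bare `except:` followed by `return`, which also swallows KeyboardInterrupt and SystemExit and hides which exception type mpmathify actually raises for the malformed string; `pytest.raises` with the specific exception expected (or at minimum `except Exception`) keeps the intent and fails loudly on the wrong type. The test is also unbounded in time: if the backtracking pattern ever came back, `mpmathify('(' + '1' * 5000 + '!j')` would hang the test run instead of failing, so a per-test time limit (for example pytest-timeout's `@pytest.mark.timeout`, or a wall-clock assertion around the call) is what would actually catch the regression this test is meant to guard against.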