From patchwork Wed Jan 7 09:27:44 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 78147 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5A3E0CDC198 for ; Wed, 7 Jan 2026 09:28:03 +0000 (UTC) Received: from mail-wm1-f52.google.com (mail-wm1-f52.google.com [209.85.128.52]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.2338.1767778071750290218 for ; Wed, 07 Jan 2026 01:27:52 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=k3AgJatp; spf=pass (domain: gmail.com, ip: 209.85.128.52, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f52.google.com with SMTP id 5b1f17b1804b1-47d3ffa5f33so8787465e9.2 for ; Wed, 07 Jan 2026 01:27:51 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1767778070; x=1768382870; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:message-id:date:subject:to :from:from:to:cc:subject:date:message-id:reply-to; bh=KAeL4NkJgFKllRwH2Q8cPB33/7uOR35ZLMjEPRlsa4s=; b=k3AgJatpO3CpXwypBXjqKHCLJK1dl/NxpNiELFilfdHvgjQnFYa1Tda7N5hNmKcnSm SrV87XN3lG3WlsX5N24G0UH/VwenSjb3OOZqA8juc8u1C3kgbh7VG8VXN8jQIcJX3gOY 08WbihSvE4f6qsCd7c13nz5E3TaHKdXqrz4Eqam/VD68cUvs83LdVRzWWvuAXWLcD/EN /x2xwJDYGGKx4/eYguzHZNPfcJhIwmUEC59d8ee5apyamDVw7KrgGZMU2zd0BCoqdaLk FRxtB+yzzbRrH6wMr2LZrQVY/CpCPq2/osr/+RR60nWl/pCdv94eF7lZvuR0xWDqDFit 0cHw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1767778070; x=1768382870; h=content-transfer-encoding:mime-version:message-id:date:subject:to :from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=KAeL4NkJgFKllRwH2Q8cPB33/7uOR35ZLMjEPRlsa4s=; 
b=SjLWzp0V9fHw2iQUY9rLK+IkaGZIqGnARgRE/mUXzDLQGpsjmOQZ7zd7Jc6iNZBSsl CloXt0AMwfH8c3OkUVGe64ljBOKhFu0sg1XTI7QDVsXs0Cg2jRTiI/scvqZsY5B+4nrr zp0Eqc9IxaBiEP8rPlKzjpxXDfGSYWMne8oxsonRyU8kpQQ6+JC2dZGTvU2uHxEWLbb6 9D7j51w99kMMzM0u1OsfZReWbCeWXdBr9RP17X4Pcb/Kq7AadrvaAlOwMGjegR8d4k75 qWnVg5hmYbVhlU+00JbSL2D35Gpbop9Q36vyuT+ohyAT/Xm8GjVtyNwBZjUeYagq8VPw 6pYA== X-Gm-Message-State: AOJu0YxVzN7TtHK4w27A84P/k6k52t0mLIeN9ITK4FU4lHF9u5xA98uD S4ZcGpVvV5dvBqRfxlHIAE13jb3+CnN9qiSA5xW/zpcuAwujB34bSzkjh4X5YA== X-Gm-Gg: AY/fxX6eVWjXDN8qTjyojjdp33//GAksPyup/KuzhdqPOzaCCHIk11oR9TmOGR7QVgt 53IM8KilFskPDCR8y45Ntrk9tkVL3kf4NbDugWJiBVZpdeh/YxuTKVYIZ76PjWHejqgcCIF32Me ao6F05hvB0VTduxXoETi2lEwS57jxtzp6OUA+a7V4QVNPmRroqwrxDIeP9Mw4u6EdZBmC2/nbGJ Xn9dI3Az/BEJtwgxTnATDG5X593lRehqQZmpfHdP1zmJsfXJl5wTeS0ydi+5Umib+o/WMgjUTwa 0e7nHtsAel+HlT5dToQcmD4WhSh33RqHq2j1BWkzv711Z7hK5ZFkzr5aJX/ZmzT/xYlvirs87zk +EbigA5Jh5cbkQhzyByQHzE0w9oZ7NYV0D9niiKNZ96u7PpMLz86QC/ZWH219irZnzoWGcbiDVy rr4xs62XFX X-Google-Smtp-Source: AGHT+IGswg6Za0DxkZAFeZANIiSgQXzaENglcitJLZnvYY14TOAJ4HkZWQGlYsMu73nJ8AtlF+x6tQ== X-Received: by 2002:a05:600c:5391:b0:479:3a89:121d with SMTP id 5b1f17b1804b1-47d84b614b8mr18710645e9.36.1767778069886; Wed, 07 Jan 2026 01:27:49 -0800 (PST) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-47d8719d057sm7236255e9.16.2026.01.07.01.27.48 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 07 Jan 2026 01:27:49 -0800 (PST) 
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-python][kirkstone][PATCH 1/5] python3-waitress: upgrade 2.1.1 -> 2.1.2 Date: Wed, 7 Jan 2026 10:27:44 +0100 Message-ID: <20260107092748.1930960-1-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 07 Jan 2026 09:28:03 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123184 From: wangmy Remove change of default for clear_untrusted_proxy_headers Signed-off-by: Wang Mingyu Signed-off-by: Khem Raj (cherry picked from commit ef4e48c7a06b16755181a11d1d2d0d823353a95d) Contains fix for CVE-2022-31015 Signed-off-by: Gyorgy Sarvari --- .../{python3-waitress_2.1.1.bb => python3-waitress_2.1.2.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta-python/recipes-devtools/python/{python3-waitress_2.1.1.bb => python3-waitress_2.1.2.bb} (82%) diff --git a/meta-python/recipes-devtools/python/python3-waitress_2.1.1.bb b/meta-python/recipes-devtools/python/python3-waitress_2.1.2.bb similarity index 82% rename from meta-python/recipes-devtools/python/python3-waitress_2.1.1.bb rename to meta-python/recipes-devtools/python/python3-waitress_2.1.2.bb index b7f8099790..061586b5df 100644 --- a/meta-python/recipes-devtools/python/python3-waitress_2.1.1.bb +++ b/meta-python/recipes-devtools/python/python3-waitress_2.1.2.bb 
@@ -10,6 +10,6 @@ RDEPENDS:${PN} += " \ python3-logging \ " -SRC_URI[sha256sum] = "e2e60576cf14a1539da79f7b7ee1e79a71e64f366a0b47db54a15e971f57bb16" +SRC_URI[sha256sum] = "780a4082c5fbc0fde6a2fcfe5e26e6efc1e8f425730863c04085769781f51eba" inherit python_setuptools_build_meta pypi From patchwork Wed Jan 7 09:27:45 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 78144
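Review bot: the commit message states that 2.1.2 contains the fix for CVE-2022-31015 but, unlike the other mails in this series, gives no Details: reference for it; add the NVD entry or the upstream changelog link so the claim can be checked when cve-check results are audited on kirkstone. The hunk itself only replaces SRC_URI[sha256sum] for the renamed recipe, which is all the version bump needs.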
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-python][kirkstone][PATCH 2/5] python3-werkzeug: ignore CVE-2024-49766 and CVE-2025-66221 Date: Wed, 7 Jan 2026 10:27:45 +0100 Message-ID: <20260107092748.1930960-2-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20260107092748.1930960-1-skandigraun@gmail.com> References: <20260107092748.1930960-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 07 Jan 2026 09:27:53 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123185 Details: https://nvd.nist.gov/vuln/detail/CVE-2024-49766 https://nvd.nist.gov/vuln/detail/CVE-2025-66221 Both vulnerabilities affect Windows only - ignore them. Signed-off-by: Gyorgy Sarvari --- meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb b/meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb index 5529686aac..f795da80a3 100644 --- a/meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb +++ b/meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb 
@@ -43,3 +43,6 @@ RDEPENDS:${PN} += " \ ${PYTHON_PN}-misc \ ${PYTHON_PN}-profile \ " + +# Windows-only vulnerabilities +CVE_CHECK_IGNORE = "CVE-2024-49766 CVE-2025-66221" From patchwork Wed Jan 7 09:27:46 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 78145
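Review bot: the in-recipe comment `# Windows-only vulnerabilities` is the only justification a later reader of the recipe will see, while the reasoning and the NVD links live in the commit message; spell it out per CVE in the recipe (one comment line per id saying which component is affected and why it is Windows-only, with the two Details: links) so the ignore entries can be re-validated without digging through git history. Also, `CVE_CHECK_IGNORE = "..."` assigns rather than appends; `+=` would avoid silently discarding any earlier assignment in the recipe, though the rest of the file is not visible in this hunk.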
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-python][kirkstone][PATCH 3/5] python3-waitress: patch CVE-2024-49768 Date: Wed, 7 Jan 2026 10:27:46 +0100 Message-ID: <20260107092748.1930960-3-skandigraun@gmail.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20260107092748.1930960-1-skandigraun@gmail.com> References: <20260107092748.1930960-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 07 Jan 2026 09:28:03 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123186 Details: https://nvd.nist.gov/vuln/detail/CVE-2024-49768 Pick the patch mentioned in the NVD report (which is a merge commit, and the patches here are the individual commits from that merge) Signed-off-by: Gyorgy Sarvari --- .../python3-waitress/CVE-2024-49768-1.patch | 162 ++++++++++++++++++ .../python3-waitress/CVE-2024-49768-2.patch | 89 ++++++++++ .../python3-waitress/CVE-2024-49768-3.patch | 60 +++++++ .../python3-waitress/CVE-2024-49768-4.patch | 34 ++++ .../python/python3-waitress_2.1.2.bb | 5 + 5 files changed, 350 insertions(+) create mode 100644 meta-python/recipes-devtools/python/python3-waitress/CVE-2024-49768-1.patch create mode 100644 meta-python/recipes-devtools/python/python3-waitress/CVE-2024-49768-2.patch create mode 100644 meta-python/recipes-devtools/python/python3-waitress/CVE-2024-49768-3.patch create mode 100644 meta-python/recipes-devtools/python/python3-waitress/CVE-2024-49768-4.patch diff --git a/meta-python/recipes-devtools/python/python3-waitress/CVE-2024-49768-1.patch b/meta-python/recipes-devtools/python/python3-waitress/CVE-2024-49768-1.patch new file mode 100644 index 0000000000..5d80a267fd --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-waitress/CVE-2024-49768-1.patch 
@@ -0,0 +1,162 @@ +From f2ffe56f990a74450143901ac1cfd7138f75ec78 Mon Sep 17 00:00:00 2001 +From: Delta Regeer +Date: Sat, 26 Oct 2024 22:10:36 -0600 +Subject: [PATCH] Make DummySock() look more like an actual socket + +This forces DummySock() to look like a properly connected socket where +there is a buffer that is read from by the remote, and a buffer that is +written to by the remote. + +The local side does the opposite, this way data written by the local +side can be read by the remote without operating on the same buffer. + +CVE: CVE-2024-49768 +Upstream-Status: Backport [https://github.com/Pylons/waitress/commit/6943dcf556610ece2ff3cddb39e59a05ef110661] +Signed-off-by: Gyorgy Sarvari +--- + tests/test_channel.py | 57 +++++++++++++++++++++++++++++++++---------- + 1 file changed, 44 insertions(+), 13 deletions(-) + +diff --git a/tests/test_channel.py b/tests/test_channel.py +index 8467ae7..7d677e9 100644 +--- a/tests/test_channel.py ++++ b/tests/test_channel.py +@@ -18,7 +18,7 @@ class TestHTTPChannel(unittest.TestCase): + map = {} + inst = self._makeOne(sock, "127.0.0.1", adj, map=map) + inst.outbuf_lock = DummyLock() +- return inst, sock, map ++ return inst, sock.local(), map + + def test_ctor(self): + inst, _, map = self._makeOneWithMap() +@@ -218,7 +218,7 @@ class TestHTTPChannel(unittest.TestCase): + def send(_): + return 0 + +- sock.send = send ++ sock.remote.send = send + + wrote = inst.write_soon(b"a") + self.assertEqual(wrote, 1) +@@ -236,7 +236,7 @@ class TestHTTPChannel(unittest.TestCase): + def send(_): + return 0 + +- sock.send = send ++ sock.remote.send = send + + outbufs = inst.outbufs + wrote = inst.write_soon(wrapper) +@@ -270,7 +270,7 @@ class TestHTTPChannel(unittest.TestCase): + def send(_): + return 0 + +- sock.send = send ++ sock.remote.send = send + + inst.adj.outbuf_high_watermark = 3 + inst.current_outbuf_count = 4 +@@ -286,7 +286,7 @@ class TestHTTPChannel(unittest.TestCase): + def send(_): + return 0 + +- sock.send = send ++ 
sock.remote.send = send + + inst.adj.outbuf_high_watermark = 3 + inst.total_outbufs_len = 4 +@@ -315,7 +315,7 @@ class TestHTTPChannel(unittest.TestCase): + inst.connected = False + raise Exception() + +- sock.send = send ++ sock.remote.send = send + + inst.adj.outbuf_high_watermark = 3 + inst.total_outbufs_len = 4 +@@ -345,7 +345,7 @@ class TestHTTPChannel(unittest.TestCase): + inst.connected = False + raise Exception() + +- sock.send = send ++ sock.remote.send = send + + wrote = inst.write_soon(b"xyz") + self.assertEqual(wrote, 3) +@@ -376,7 +376,7 @@ class TestHTTPChannel(unittest.TestCase): + inst.total_outbufs_len = len(inst.outbufs[0]) + inst.adj.send_bytes = 1 + inst.adj.outbuf_high_watermark = 2 +- sock.send = lambda x, do_close=True: False ++ sock.remote.send = lambda x, do_close=True: False + inst.will_close = False + inst.last_activity = 0 + result = inst.handle_write() +@@ -400,7 +400,7 @@ class TestHTTPChannel(unittest.TestCase): + + def test__flush_some_full_outbuf_socket_returns_zero(self): + inst, sock, map = self._makeOneWithMap() +- sock.send = lambda x: False ++ sock.remote.send = lambda x: False + inst.outbufs[0].append(b"abc") + inst.total_outbufs_len = sum(len(x) for x in inst.outbufs) + result = inst._flush_some() +@@ -907,7 +907,8 @@ class DummySock: + closed = False + + def __init__(self): +- self.sent = b"" ++ self.local_sent = b"" ++ self.remote_sent = b"" + + def setblocking(self, *arg): + self.blocking = True +@@ -925,14 +926,44 @@ class DummySock: + self.closed = True + + def send(self, data): +- self.sent += data ++ self.remote_sent += data + return len(data) + + def recv(self, buffer_size): +- result = self.sent[:buffer_size] +- self.sent = self.sent[buffer_size:] ++ result = self.local_sent[:buffer_size] ++ self.local_sent = self.local_sent[buffer_size:] + return result + ++ def local(self): ++ outer = self ++ ++ class LocalDummySock: ++ def send(self, data): ++ outer.local_sent += data ++ return len(data) ++ ++ def recv(self, 
buffer_size): ++ result = outer.remote_sent[:buffer_size] ++ outer.remote_sent = outer.remote_sent[buffer_size:] ++ return result ++ ++ def close(self): ++ outer.closed = True ++ ++ @property ++ def sent(self): ++ return outer.remote_sent ++ ++ @property ++ def closed(self): ++ return outer.closed ++ ++ @property ++ def remote(self): ++ return outer ++ ++ return LocalDummySock() ++ + + class DummyLock: + notified = False diff --git a/meta-python/recipes-devtools/python/python3-waitress/CVE-2024-49768-2.patch b/meta-python/recipes-devtools/python/python3-waitress/CVE-2024-49768-2.patch new file mode 100644 index 0000000000..88d6aba0e2 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-waitress/CVE-2024-49768-2.patch 
@@ -0,0 +1,89 @@ +From 7f40812194ebbf189692f530422204b41204eecb Mon Sep 17 00:00:00 2001 +From: Delta Regeer +Date: Sat, 26 Oct 2024 22:12:14 -0600 +Subject: [PATCH] Add a new test to validate the lookahead race condition + +CVE: CVE-2024-49768 +Upstream-Status: Backport [https://github.com/Pylons/waitress/commit/6943dcf556610ece2ff3cddb39e59a05ef110661] +Signed-off-by: Gyorgy Sarvari +--- + tests/test_channel.py | 55 ++++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 54 insertions(+), 1 deletion(-) + +diff --git a/tests/test_channel.py b/tests/test_channel.py +index 7d677e9..d798091 100644 +--- a/tests/test_channel.py ++++ b/tests/test_channel.py +@@ -805,11 +805,12 @@ class TestHTTPChannelLookahead(TestHTTPChannel): + ) + return [body] + +- def _make_app_with_lookahead(self): ++ def _make_app_with_lookahead(self, recv_bytes=8192): + """ + Setup a channel with lookahead and store it and the socket in self + """ + adj = DummyAdjustments() ++ adj.recv_bytes = recv_bytes + adj.channel_request_lookahead = 5 + channel, sock, map = self._makeOneWithMap(adj=adj) + channel.server.application = self.app_check_disconnect +@@ -901,6 +902,58 @@ class TestHTTPChannelLookahead(TestHTTPChannel): + self.assertEqual(data.split("\r\n")[-1], "finished") + self.assertEqual(self.request_body, b"x") + ++ def test_lookahead_bad_request_drop_extra_data(self): ++ """ ++ Send two requests, the first one being bad, split on the recv_bytes ++ limit, then emulate a race that could happen whereby we read data from ++ the socket while the service thread is cleaning up due to an error ++ processing the request. 
++ """ ++ ++ invalid_request = [ ++ "GET / HTTP/1.1", ++ "Host: localhost:8080", ++ "Content-length: -1", ++ "", ++ ] ++ ++ invalid_request_len = len("".join([x + "\r\n" for x in invalid_request])) ++ ++ second_request = [ ++ "POST / HTTP/1.1", ++ "Host: localhost:8080", ++ "Content-Length: 1", ++ "", ++ "x", ++ ] ++ ++ full_request = invalid_request + second_request ++ ++ self._make_app_with_lookahead(recv_bytes=invalid_request_len) ++ self._send(*full_request) ++ self.channel.handle_read() ++ self.assertEqual(len(self.channel.requests), 1) ++ self.channel.server.tasks[0].service() ++ self.assertTrue(self.channel.close_when_flushed) ++ # Read all of the next request ++ self.channel.handle_read() ++ self.channel.handle_read() ++ # Validate that there is no more data to be read ++ self.assertEqual(self.sock.remote.local_sent, b"") ++ # Validate that we dropped the data from the second read, and did not ++ # create a new request ++ self.assertEqual(len(self.channel.requests), 0) ++ data = self.sock.recv(256).decode("ascii") ++ self.assertFalse(self.channel.readable()) ++ self.assertTrue(self.channel.writable()) ++ ++ # Handle the write, which will close the socket ++ self.channel.handle_write() ++ self.assertTrue(self.sock.closed) ++ ++ data = self.sock.recv(256) ++ self.assertEqual(len(data), 0) ++ + + class DummySock: + blocking = False diff --git a/meta-python/recipes-devtools/python/python3-waitress/CVE-2024-49768-3.patch b/meta-python/recipes-devtools/python/python3-waitress/CVE-2024-49768-3.patch new file mode 100644 index 0000000000..086c569233 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-waitress/CVE-2024-49768-3.patch 
@@ -0,0 +1,60 @@ +From 5cf72c7d9f60e96a3ca65e410098e11d8053749d Mon Sep 17 00:00:00 2001 +From: Delta Regeer +Date: Sat, 26 Oct 2024 22:13:08 -0600 +Subject: [PATCH] Fix a race condition on recv_bytes boundary when request is + invalid + +A remote client may send a request that is exactly recv_bytes long, +followed by a secondary request using HTTP pipelining. + +When request lookahead is disabled (default) we won't read any more +requests, and when the first request fails due to a parsing error, we +simply close the connection. + +However when request lookahead is enabled, it is possible to process and +receive the first request, start sending the error message back to the +client while we read the next request and queue it. This will allow the +secondar request to be serviced by the worker thread while the +connection should be closed. + +The fix here checks if we should not have read the data in the first +place (because the conection is going to be torn down) while we hold the +`requests_lock` which means the service thread can't be in the middle of +flipping the `close_when_flushed` flag. + +CVE: CVE-2024-49768 +Upstream-Status: Backport [https://github.com/Pylons/waitress/commit/f4ba1c260cf17156b582c6252496213ddc96b591] +Signed-off-by: Gyorgy Sarvari +--- + src/waitress/channel.py | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/src/waitress/channel.py b/src/waitress/channel.py +index eb59dd3..756adce 100644 +--- a/src/waitress/channel.py ++++ b/src/waitress/channel.py +@@ -147,7 +147,7 @@ class HTTPChannel(wasyncore.dispatcher): + # 1. We're not already about to close the connection. + # 2. We're not waiting to flush remaining data before closing the + # connection +- # 3. There are not too many tasks already queued ++ # 3. There are not too many tasks already queued (if lookahead is enabled) + # 4. There's no data in the output buffer that needs to be sent + # before we potentially create a new task. 
+ +@@ -203,6 +203,15 @@ class HTTPChannel(wasyncore.dispatcher): + return False + + with self.requests_lock: ++ # Don't bother processing anymore data if this connection is about ++ # to close. This may happen if readable() returned True, on the ++ # main thread before the service thread set the close_when_flushed ++ # flag, and we read data but our service thread is attempting to ++ # shut down the connection due to an error. We want to make sure we ++ # do this while holding the request_lock so that we can't race ++ if self.will_close or self.close_when_flushed: ++ return False ++ + while data: + if self.request is None: + self.request = self.parser_class(self.adj) diff --git a/meta-python/recipes-devtools/python/python3-waitress/CVE-2024-49768-4.patch b/meta-python/recipes-devtools/python/python3-waitress/CVE-2024-49768-4.patch new file mode 100644 index 0000000000..11c9dd4ccd --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-waitress/CVE-2024-49768-4.patch 
@@ -0,0 +1,34 @@ +From c516dad4f749d1b1b1c675680a76c1f6d2523857 Mon Sep 17 00:00:00 2001 +From: Delta Regeer +Date: Sat, 26 Oct 2024 22:22:32 -0600 +Subject: [PATCH] Add documentation for channel_request_lookahead + +CVE: CVE-2024-49768 +Upstream-Status: Backport [https://github.com/Pylons/waitress/commit/810a435f9e9e293bd3446a5ce2df86f59c4e7b1b] +Signed-off-by: Gyorgy Sarvari +--- + docs/arguments.rst | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/docs/arguments.rst b/docs/arguments.rst +index f9b9310..ba1797a 100644 +--- a/docs/arguments.rst ++++ b/docs/arguments.rst +@@ -301,3 +301,17 @@ url_prefix + be stripped of the prefix. + + Default: ``''`` ++ ++channel_request_lookahead ++ Sets the amount of requests we can continue to read from the socket, while ++ we are processing current requests. The default value won't allow any ++ lookahead, increase it above ``0`` to enable. ++ ++ When enabled this inserts a callable ``waitress.client_disconnected`` into ++ the environment that allows the task to check if the client disconnected ++ while waiting for the response at strategic points in the execution and to ++ cancel the operation. ++ ++ Default: ``0`` ++ ++ .. versionadded:: 2.0.0 diff --git a/meta-python/recipes-devtools/python/python3-waitress_2.1.2.bb b/meta-python/recipes-devtools/python/python3-waitress_2.1.2.bb index 061586b5df..dbb8b05e52 100644 --- a/meta-python/recipes-devtools/python/python3-waitress_2.1.2.bb +++ b/meta-python/recipes-devtools/python/python3-waitress_2.1.2.bb 
@@ -10,6 +10,11 @@ RDEPENDS:${PN} += " \ python3-logging \ " +SRC_URI += "file://CVE-2024-49768-1.patch \ + file://CVE-2024-49768-2.patch \ + file://CVE-2024-49768-3.patch \ + file://CVE-2024-49768-4.patch \ + " SRC_URI[sha256sum] = "780a4082c5fbc0fde6a2fcfe5e26e6efc1e8f425730863c04085769781f51eba" inherit python_setuptools_build_meta pypi From patchwork Wed Jan 7 09:27:47 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 78146
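Review bot: CVE-2024-49768-1.patch and CVE-2024-49768-2.patch both cite the same upstream commit 6943dcf556610ece2ff3cddb39e59a05ef110661 in their Upstream-Status line, while -3 cites f4ba1c260cf17156b582c6252496213ddc96b591 and -4 cites 810a435f9e9e293bd3446a5ce2df86f59c4e7b1b; the cover text says the four patches are the individual commits of the merge referenced by NVD, so each Backport reference should point at that patch's own upstream commit rather than a shared one, otherwise the origin of the DummySock rework and of the new lookahead test cannot be traced exactly.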
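Review bot: CVE-2024-49768-4.patch touches only docs/arguments.rst (the channel_request_lookahead description) and carries no code, so for a kirkstone security backport it could be dropped to keep the patch set to the fix in channel.py and its test, or kept if the branch policy is to mirror the upstream merge completely; state which in the commit message. The SRC_URI order in this .bb hunk (-1, -2, -3, -4) matches the upstream commit order, which is what the test added in -2 and the check added in -3 were written against, so keep that order if the docs patch is removed.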
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-python][kirkstone][PATCH 4/5] python3-waitress: patch CVE-2024-49769
Date: Wed, 7 Jan 2026 10:27:47 +0100
Message-ID: <20260107092748.1930960-4-skandigraun@gmail.com>
In-Reply-To: <20260107092748.1930960-1-skandigraun@gmail.com>
References: <20260107092748.1930960-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123187

Details: https://nvd.nist.gov/vuln/detail/CVE-2024-49769

Pick the patch that is referenced in the NVD report (which is a merge
commit. The patches here are the individual patches from that merge).

Signed-off-by: Gyorgy Sarvari
---
 .../python3-waitress/CVE-2024-49769-1.patch |  27 +++
 .../python3-waitress/CVE-2024-49769-2.patch |  53 +++++
 .../python3-waitress/CVE-2024-49769-3.patch |  34 +++
 .../python3-waitress/CVE-2024-49769-4.patch |  34 +++
 .../python3-waitress/CVE-2024-49769-5.patch | 211 ++++++++++++++++++
 .../python3-waitress/CVE-2024-49769-6.patch |  41 ++++
 .../python/python3-waitress_2.1.2.bb        |   6 +
 7 files changed, 406 insertions(+)
 create mode 100644 meta-python/recipes-devtools/python/python3-waitress/CVE-2024-49769-1.patch
 create mode 100644 meta-python/recipes-devtools/python/python3-waitress/CVE-2024-49769-2.patch
 create mode 100644 meta-python/recipes-devtools/python/python3-waitress/CVE-2024-49769-3.patch
 create mode 100644 meta-python/recipes-devtools/python/python3-waitress/CVE-2024-49769-4.patch
 create mode 100644 meta-python/recipes-devtools/python/python3-waitress/CVE-2024-49769-5.patch
 create mode 100644 meta-python/recipes-devtools/python/python3-waitress/CVE-2024-49769-6.patch
diff --git a/meta-python/recipes-devtools/python/python3-waitress/CVE-2024-49769-1.patch b/meta-python/recipes-devtools/python/python3-waitress/CVE-2024-49769-1.patch new file mode 100644 index 0000000000..a8a0a2e594 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-waitress/CVE-2024-49769-1.patch @@ -0,0 +1,27 @@ +From fdabcb31093507f50fcaeb46012ec8df8bf76359 Mon Sep 17 00:00:00 2001 +From: Delta Regeer +Date: Sun, 3 Mar 2024 16:15:51 -0700 +Subject: [PATCH] HTTPChannel is always created from accept, explicitly set + self.connected to True + +CVE: CVE-2024-49769 +Upstream-Status: Backport [https://github.com/Pylons/waitress/commit/03cc640fe7106902899f82115c26e37002bca7f1] +Signed-off-by: Gyorgy Sarvari +--- + src/waitress/channel.py | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/src/waitress/channel.py b/src/waitress/channel.py +index 756adce..cf19ef2 100644 +--- a/src/waitress/channel.py ++++ b/src/waitress/channel.py +@@ -67,8 +67,7 @@ class HTTPChannel(wasyncore.dispatcher): + self.outbuf_lock = threading.Condition() + + wasyncore.dispatcher.__init__(self, sock, map=map) +- +- # Don't let wasyncore.dispatcher throttle self.addr on us. ++ self.connected = True + self.addr = addr + self.requests = [] + diff --git a/meta-python/recipes-devtools/python/python3-waitress/CVE-2024-49769-2.patch b/meta-python/recipes-devtools/python/python3-waitress/CVE-2024-49769-2.patch new file mode 100644 index 0000000000..a34ee4fb11 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-waitress/CVE-2024-49769-2.patch 
@@ -0,0 +1,53 @@ +From 646d7bfa81185b961b4797965f5c7ff0e380bc5c Mon Sep 17 00:00:00 2001 +From: Delta Regeer +Date: Sun, 3 Mar 2024 16:16:48 -0700 +Subject: [PATCH] Assume socket is not connected when passed to + wasyncore.dispatcher + +No longer call getpeername() on the remote socket either, as it is not +necessary for any of the places where waitress requires that self.addr +in a subclass of the dispatcher needs it. + +This removes a race condition when setting up a HTTPChannel where we +accepted the socket, and know the remote address, yet call getpeername() +again which would have the unintended side effect of potentially setting +self.connected to False because the remote has already shut down part of +the socket. + +This issue was uncovered in #418, where the server would go into a hard +loop because self.connected was used in various parts of the code base. + +CVE: CVE-2024-49769 +Upstream-Status: Backport [https://github.com/Pylons/waitress/commit/840aebce1c4c1bfd9036f402c1f5d5a4d2f4a1c2] +Signed-off-by: Gyorgy Sarvari +--- + src/waitress/wasyncore.py | 16 ---------------- + 1 file changed, 16 deletions(-) + +diff --git a/src/waitress/wasyncore.py b/src/waitress/wasyncore.py +index b3459e0..b5ddce2 100644 +--- a/src/waitress/wasyncore.py ++++ b/src/waitress/wasyncore.py +@@ -298,22 +298,6 @@ class dispatcher: + # get a socket from a blocking source. + sock.setblocking(0) + self.set_socket(sock, map) +- self.connected = True +- # The constructor no longer requires that the socket +- # passed be connected. +- try: +- self.addr = sock.getpeername() +- except OSError as err: +- if err.args[0] in (ENOTCONN, EINVAL): +- # To handle the case where we got an unconnected +- # socket. +- self.connected = False +- else: +- # The socket is broken in some unknown way, alert +- # the user and remove it from the map (to prevent +- # polling of broken sockets). +- self.del_channel(map) +- raise + else: + self.socket = None + 
diff --git a/meta-python/recipes-devtools/python/python3-waitress/CVE-2024-49769-3.patch b/meta-python/recipes-devtools/python/python3-waitress/CVE-2024-49769-3.patch new file mode 100644 index 0000000000..165ede95c7 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-waitress/CVE-2024-49769-3.patch @@ -0,0 +1,34 @@ +From 28377c0e0fdd8669fb250e69745caf1c27ba541b Mon Sep 17 00:00:00 2001 +From: Delta Regeer +Date: Sun, 3 Mar 2024 16:23:33 -0700 +Subject: [PATCH] Remove test for getpeername() + +CVE: CVE-2024-49769 +Upstream-Status: Backport [https://github.com/Pylons/waitress/commit/86c680df4e4bdd40c78dec771cddcee059e802c4] +Signed-off-by: Gyorgy Sarvari +--- + tests/test_wasyncore.py | 11 ----------- + 1 file changed, 11 deletions(-) + +diff --git a/tests/test_wasyncore.py b/tests/test_wasyncore.py +index e833c7e..5f38bd9 100644 +--- a/tests/test_wasyncore.py ++++ b/tests/test_wasyncore.py +@@ -1451,17 +1451,6 @@ class Test_dispatcher(unittest.TestCase): + + return dispatcher(sock=sock, map=map) + +- def test_unexpected_getpeername_exc(self): +- sock = dummysocket() +- +- def getpeername(): +- raise OSError(errno.EBADF) +- +- map = {} +- sock.getpeername = getpeername +- self.assertRaises(socket.error, self._makeOne, sock=sock, map=map) +- self.assertEqual(map, {}) +- + def test___repr__accepting(self): + sock = dummysocket() + map = {} diff --git a/meta-python/recipes-devtools/python/python3-waitress/CVE-2024-49769-4.patch b/meta-python/recipes-devtools/python/python3-waitress/CVE-2024-49769-4.patch new file mode 100644 index 0000000000..6ea5bdb065 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-waitress/CVE-2024-49769-4.patch 
@@ -0,0 +1,34 @@ +From ee501847c38e21be0683ba81925472f219044a65 Mon Sep 17 00:00:00 2001 +From: Delta Regeer +Date: Sun, 3 Mar 2024 16:26:22 -0700 +Subject: [PATCH] Don't exit handle_write early -- even if socket is not + connected + +Calling handle_close() multiple times does not hurt anything, and is +safe. + +CVE: CVE-2024-49769 +Upstream-Status: Backport [https://github.com/Pylons/waitress/commit/8cba302b1ac08c2874ae179b2af2445e89311bac] +Signed-off-by: Gyorgy Sarvari +--- + src/waitress/channel.py | 6 ------ + 1 file changed, 6 deletions(-) + +diff --git a/src/waitress/channel.py b/src/waitress/channel.py +index cf19ef2..f4d9677 100644 +--- a/src/waitress/channel.py ++++ b/src/waitress/channel.py +@@ -91,13 +91,7 @@ class HTTPChannel(wasyncore.dispatcher): + # Precondition: there's data in the out buffer to be sent, or + # there's a pending will_close request + +- if not self.connected: +- # we dont want to close the channel twice +- +- return +- + # try to flush any pending output +- + if not self.requests: + # 1. There are no running tasks, so we don't need to try to lock + # the outbuf before sending diff --git a/meta-python/recipes-devtools/python/python3-waitress/CVE-2024-49769-5.patch b/meta-python/recipes-devtools/python/python3-waitress/CVE-2024-49769-5.patch new file mode 100644 index 0000000000..14fe56e021 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-waitress/CVE-2024-49769-5.patch 
@@ -0,0 +1,211 @@ +From aa161b98cc787f266d8ef358f00fc5b2b3944157 Mon Sep 17 00:00:00 2001 +From: Delta Regeer +Date: Sun, 3 Mar 2024 16:35:39 -0700 +Subject: [PATCH] Remove code not used by waitress from vendored asyncore + +CVE: CVE-2024-49769 +Upstream-Status: Backport [https://github.com/Pylons/waitress/commit/63678e652d912e67621580123c603e37c319d8c4] +Signed-off-by: Gyorgy Sarvari +--- + src/waitress/wasyncore.py | 45 ------------------ + tests/test_wasyncore.py | 96 ++++++++------------------------------- + 2 files changed, 18 insertions(+), 123 deletions(-) + +diff --git a/src/waitress/wasyncore.py b/src/waitress/wasyncore.py +index b5ddce2..117f78a 100644 +--- a/src/waitress/wasyncore.py ++++ b/src/waitress/wasyncore.py +@@ -379,23 +379,6 @@ class dispatcher: + self.addr = addr + return self.socket.bind(addr) + +- def connect(self, address): +- self.connected = False +- self.connecting = True +- err = self.socket.connect_ex(address) +- if ( +- err in (EINPROGRESS, EALREADY, EWOULDBLOCK) +- or err == EINVAL +- and os.name == "nt" +- ): # pragma: no cover +- self.addr = address +- return +- if err in (0, EISCONN): +- self.addr = address +- self.handle_connect_event() +- else: +- raise OSError(err, errorcode[err]) +- + def accept(self): + # XXX can return either an address pair or None + try: +@@ -557,34 +540,6 @@ class dispatcher: + self.close() + + +-# --------------------------------------------------------------------------- +-# adds simple buffered output capability, useful for simple clients. 
+-# [for more sophisticated usage use asynchat.async_chat] +-# --------------------------------------------------------------------------- +- +- +-class dispatcher_with_send(dispatcher): +- def __init__(self, sock=None, map=None): +- dispatcher.__init__(self, sock, map) +- self.out_buffer = b"" +- +- def initiate_send(self): +- num_sent = 0 +- num_sent = dispatcher.send(self, self.out_buffer[:65536]) +- self.out_buffer = self.out_buffer[num_sent:] +- +- handle_write = initiate_send +- +- def writable(self): +- return (not self.connected) or len(self.out_buffer) +- +- def send(self, data): +- if self.debug: # pragma: no cover +- self.log_info("sending %s" % repr(data)) +- self.out_buffer = self.out_buffer + data +- self.initiate_send() +- +- + def close_all(map=None, ignore_all=False): + if map is None: # pragma: no cover + map = socket_map +diff --git a/tests/test_wasyncore.py b/tests/test_wasyncore.py +index 5f38bd9..44b8e19 100644 +--- a/tests/test_wasyncore.py ++++ b/tests/test_wasyncore.py +@@ -1,6 +1,7 @@ + import _thread as thread + import contextlib + import errno ++from errno import EALREADY, EINPROGRESS, EINVAL, EISCONN, EWOULDBLOCK, errorcode + import functools + import gc + from io import BytesIO +@@ -641,62 +642,6 @@ class DispatcherTests(unittest.TestCase): + self.assertTrue(err != "") + + +-class dispatcherwithsend_noread(asyncore.dispatcher_with_send): # pragma: no cover +- def readable(self): +- return False +- +- def handle_connect(self): +- pass +- +- +-class DispatcherWithSendTests(unittest.TestCase): +- def setUp(self): +- pass +- +- def tearDown(self): +- asyncore.close_all() +- +- @reap_threads +- def test_send(self): +- evt = threading.Event() +- sock = socket.socket() +- sock.settimeout(3) +- port = bind_port(sock) +- +- cap = BytesIO() +- args = (evt, cap, sock) +- t = threading.Thread(target=capture_server, args=args) +- t.start() +- try: +- # wait a little longer for the server to initialize (it sometimes +- # refuses connections on slow 
machines without this wait) +- time.sleep(0.2) +- +- data = b"Suppose there isn't a 16-ton weight?" +- d = dispatcherwithsend_noread() +- d.create_socket() +- d.connect((HOST, port)) +- +- # give time for socket to connect +- time.sleep(0.1) +- +- d.send(data) +- d.send(data) +- d.send(b"\n") +- +- n = 1000 +- +- while d.out_buffer and n > 0: # pragma: no cover +- asyncore.poll() +- n -= 1 +- +- evt.wait() +- +- self.assertEqual(cap.getvalue(), data * 2) +- finally: +- join_thread(t, timeout=TIMEOUT) +- +- + @unittest.skipUnless( + hasattr(asyncore, "file_wrapper"), "asyncore.file_wrapper required" + ) +@@ -839,6 +784,23 @@ class BaseClient(BaseTestHandler): + self.create_socket(family) + self.connect(address) + ++ def connect(self, address): ++ self.connected = False ++ self.connecting = True ++ err = self.socket.connect_ex(address) ++ if ( ++ err in (EINPROGRESS, EALREADY, EWOULDBLOCK) ++ or err == EINVAL ++ and os.name == "nt" ++ ): # pragma: no cover ++ self.addr = address ++ return ++ if err in (0, EISCONN): ++ self.addr = address ++ self.handle_connect_event() ++ else: ++ raise OSError(err, errorcode[err]) ++ + def handle_connect(self): + pass + +@@ -1486,13 +1448,6 @@ class Test_dispatcher(unittest.TestCase): + inst.set_reuse_addr() + self.assertTrue(sock.errored) + +- def test_connect_raise_socket_error(self): +- sock = dummysocket() +- map = {} +- sock.connect_ex = lambda *arg: 1 +- inst = self._makeOne(sock=sock, map=map) +- self.assertRaises(socket.error, inst.connect, 0) +- + def test_accept_raise_TypeError(self): + sock = dummysocket() + map = {} +@@ -1661,21 +1616,6 @@ class Test_dispatcher(unittest.TestCase): + self.assertTrue(sock.closed) + + +-class Test_dispatcher_with_send(unittest.TestCase): +- def _makeOne(self, sock=None, map=None): +- from waitress.wasyncore import dispatcher_with_send +- +- return dispatcher_with_send(sock=sock, map=map) +- +- def test_writable(self): +- sock = dummysocket() +- map = {} +- inst = self._makeOne(sock=sock, 
map=map) +- inst.out_buffer = b"123" +- inst.connected = True +- self.assertTrue(inst.writable()) +- +- + class Test_close_all(unittest.TestCase): + def _callFUT(self, map=None, ignore_all=False): + from waitress.wasyncore import close_all diff --git a/meta-python/recipes-devtools/python/python3-waitress/CVE-2024-49769-6.patch b/meta-python/recipes-devtools/python/python3-waitress/CVE-2024-49769-6.patch new file mode 100644 index 0000000000..dedfa0d41c --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-waitress/CVE-2024-49769-6.patch 
@@ -0,0 +1,41 @@ +From 4a5ce98ecaed785a14781700106d60c4072c9b87 Mon Sep 17 00:00:00 2001 +From: Delta Regeer +Date: Sun, 3 Mar 2024 16:37:12 -0700 +Subject: [PATCH] When closing the socket, set it to None + +This avoids calling close() twice on the same socket if self.close() or +self.handle_close() is called multiple times + +CVE: CVE-2024-49769 +Upstream-Status: Backport [https://github.com/Pylons/waitress/commit/9d99c89ae4aa8449313eea210a5ec9f3994a87b2] +Signed-off-by: Gyorgy Sarvari +--- + src/waitress/wasyncore.py | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/src/waitress/wasyncore.py b/src/waitress/wasyncore.py +index 117f78a..f0cd23e 100644 +--- a/src/waitress/wasyncore.py ++++ b/src/waitress/wasyncore.py +@@ -437,6 +437,8 @@ class dispatcher: + if why.args[0] not in (ENOTCONN, EBADF): + raise + ++ self.socket = None ++ + # log and log_info may be overridden to provide more sophisticated + # logging and warning methods. In general, log is for 'hit' logging + # and 'log_info' is for informational, warning and error logging. +@@ -487,7 +489,11 @@ class dispatcher: + # handle_expt_event() is called if there might be an error on the + # socket, or if there is OOB data + # check for the error condition first +- err = self.socket.getsockopt(socket.SOL_SOCKET, socket.SO_ERROR) ++ err = ( ++ self.socket.getsockopt(socket.SOL_SOCKET, socket.SO_ERROR) ++ if self.socket is not None ++ else 1 ++ ) + if err != 0: + # we can get here when select.select() says that there is an + # exceptional condition on the socket diff --git a/meta-python/recipes-devtools/python/python3-waitress_2.1.2.bb b/meta-python/recipes-devtools/python/python3-waitress_2.1.2.bb index dbb8b05e52..a480c1ac55 100644 --- a/meta-python/recipes-devtools/python/python3-waitress_2.1.2.bb +++ b/meta-python/recipes-devtools/python/python3-waitress_2.1.2.bb 
@@ -14,6 +14,12 @@ SRC_URI += "file://CVE-2024-49768-1.patch \ file://CVE-2024-49768-2.patch \ file://CVE-2024-49768-3.patch \ file://CVE-2024-49768-4.patch \ + file://CVE-2024-49769-1.patch \ + file://CVE-2024-49769-2.patch \ + file://CVE-2024-49769-3.patch \ + file://CVE-2024-49769-4.patch \ + file://CVE-2024-49769-5.patch \ + file://CVE-2024-49769-6.patch \ " SRC_URI[sha256sum] = "780a4082c5fbc0fde6a2fcfe5e26e6efc1e8f425730863c04085769781f51eba"

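Review bot: after CVE-2024-49769-2.patch (hunk at src/waitress/wasyncore.py line 298) `dispatcher.__init__` no longer sets `self.connected` or `self.addr` when a socket is passed in; the only place that now sets `connected = True` is `HTTPChannel.__init__` via CVE-2024-49769-1.patch, so any other dispatcher subclass in waitress that hands a socket to `dispatcher.__init__` and later reads `self.connected` would see whatever class-level default wasyncore defines. Worth confirming there is no such subclass, or stating that in the recipe commit message so the next backporter does not have to re-derive it.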
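Review bot: dropping the `if not self.connected: return` guard from `HTTPChannel.handle_write` (CVE-2024-49769-4.patch) is only safe because CVE-2024-49769-6.patch makes a repeated `handle_close()`/`close()` harmless by setting `self.socket = None`; the commit message asserts the safety, but the code that provides it lands two patches later in the series. Keep -4 and -6 together if these are ever cherry-picked individually, and consider saying so in the recipe commit message.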
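Review bot: the `connect()` method added to `BaseClient` in tests/test_wasyncore.py (CVE-2024-49769-5.patch) references `os.name`, but the only import the patch adds to that file is `from errno import EALREADY, EINPROGRESS, EINVAL, EISCONN, EWOULDBLOCK, errorcode`; please confirm `os` is already imported there. Because `or`/`and` short-circuit, `os.name` is only evaluated when `connect_ex()` returns EINVAL, so a missing import would not show up in a normal Linux test run. On the source side, removing `connect()` and `dispatcher_with_send` from src/waitress/wasyncore.py leaves no visible use of `EINPROGRESS`, `EALREADY`, `EWOULDBLOCK`, `EISCONN` or `errorcode` in that file and the hunk does not touch its import block, so expect unused-import lint noise rather than anything functional.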
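Review bot: in CVE-2024-49769-6.patch the new `self.socket = None` sits after the `try`/`except` in `close()`, so on the path where `close()` re-raises (an errno other than ENOTCONN/EBADF) the attribute still points at the old socket and a second `handle_close()` will call `close()` on it again, which is the double close this series is trying to eliminate; placing the assignment in a `finally:` would cover that path as well. The `else 1` fallback in `handle_expt_event` works as a non-zero sentinel, since the visible context only compares `err` with 0, but 1 is not the errno of anything that happened here; if the hidden remainder of that function ever formats it through `errorcode[]` it will read as EPERM in a log line.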
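Review bot: the order of the six new `file://` entries in SRC_URI matches the blob chain in the patches' `index` lines (channel.py 756adce -> cf19ef2 -> f4d9677, wasyncore.py b3459e0 -> b5ddce2 -> 117f78a -> f0cd23e, test_wasyncore.py e833c7e -> 5f38bd9 -> 44b8e19), so do_patch applies cleanly only in this sequence; keep the list ordered if it is ever reshuffled or regrouped with the CVE-2024-49768 entries above it.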
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-python][kirkstone][PATCH 5/5] python3-m2crypto: ignore CVE-2009-0127
Date: Wed, 7 Jan 2026 10:27:48 +0100
Message-ID: <20260107092748.1930960-5-skandigraun@gmail.com>
In-Reply-To: <20260107092748.1930960-1-skandigraun@gmail.com>
References: <20260107092748.1930960-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123188

Details: https://nvd.nist.gov/vuln/detail/CVE-2009-0127

The vulnerability is disputed[1] by upstream:

"There is no vulnerability in M2Crypto. Nowhere in the functions are the return values of OpenSSL functions interpreted incorrectly. The functions provide an interface to their users that may be considered confusing, but is not incorrect, nor it is a vulnerability."

[1]: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-0127

Signed-off-by: Gyorgy Sarvari
---
 meta-python/recipes-devtools/python/python3-m2crypto_0.38.0.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta-python/recipes-devtools/python/python3-m2crypto_0.38.0.bb b/meta-python/recipes-devtools/python/python3-m2crypto_0.38.0.bb index 155a9066ca..8fc9c9ce4f 100644 --- a/meta-python/recipes-devtools/python/python3-m2crypto_0.38.0.bb +++ b/meta-python/recipes-devtools/python/python3-m2crypto_0.38.0.bb @@ -45,4 +45,7 @@ export SWIG_FEATURES export STAGING_DIR +# disputed, upstream claims there is no bug +CVE_CHECK_IGNORE = "CVE-2009-0127" + BBCLASSEXTEND = "native"
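Review bot: `CVE_CHECK_IGNORE = "CVE-2009-0127"` is a plain assignment; meta-python recipes usually use `CVE_CHECK_IGNORE += "..."` so that a bbappend or another ignore added to the same recipe later cannot clobber it. The one-line comment could also carry the Red Hat bugzilla URL from the commit message, since that link is the evidence for the disputed status and the recipe is what the next person running cve-check will read. `CVE_CHECK_IGNORE` is the correct variable on kirkstone; the `CVE_STATUS` form only exists in later releases.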