From patchwork Mon Jan 19 17:55:02 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Gyorgy Sarvari <skandigraun@gmail.com>
X-Patchwork-Id: 79091
Return-Path: <skandigraun@gmail.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 6CFC5D29C54
	for <webhook@archiver.kernel.org>; Mon, 19 Jan 2026 17:55:12 +0000 (UTC)
Received: from mail-wm1-f48.google.com (mail-wm1-f48.google.com
 [209.85.128.48])
 by mx.groups.io with SMTP id smtpd.msgproc02-g2.40944.1768845308584391932
 for <openembedded-devel@lists.openembedded.org>;
 Mon, 19 Jan 2026 09:55:08 -0800
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@gmail.com header.s=20230601 header.b=MMJUI6YR;
 spf=pass (domain: gmail.com, ip: 209.85.128.48,
 mailfrom: skandigraun@gmail.com)
Received: by mail-wm1-f48.google.com with SMTP id
 5b1f17b1804b1-4801d21c411so15210455e9.3
        for <openembedded-devel@lists.openembedded.org>;
 Mon, 19 Jan 2026 09:55:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1768845307; x=1769450107;
 darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:message-id:date:subject:to
         :from:from:to:cc:subject:date:message-id:reply-to;
        bh=aDkmgUGnMNEXEkXjh8BdeqW4PL3/1EbxA+EJCjnlRLM=;
        b=MMJUI6YRH3KPP8GlC+sr2M9T1as4FEdPxrIS1IkHXv22Uhwe7p4mLbdjPuJtepR5+2
         HFfo9I7ej4AEjxr9bQ+tDJwCImQX8mbKItbVUwvsx0rqEJPgDgc7EbtH/KaQFB2YwU9h
         QZDGnTqj61+i2JQ3bvppQD1lJ+1AiTyj+Ci7vcfafSnptdjO/YMn9g28OM3p4cCkg6VQ
         BCz980vjuZU/JaNWtutuKWHSgJQuEdLGVgS4ryIECsYWYIU8tSukfYts11r+yUZSc+oa
         pEn9w5QWK3K8GOHTGyAF2dfr1195IHlCOqDge05ERsCJP3Jtbz43rdXq2IJ+TjdVhQTr
         /kOw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1768845307; x=1769450107;
        h=content-transfer-encoding:mime-version:message-id:date:subject:to
         :from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date:message-id
         :reply-to;
        bh=aDkmgUGnMNEXEkXjh8BdeqW4PL3/1EbxA+EJCjnlRLM=;
        b=mLdxx688dE4pXqiGgwFLcYhrlw3BmthDMifHPrctrYdfjTbzPVCLHNOMk7wvhoBxkP
         27PA1P9CkWjXMMpFGLJo6TfJZ2WzIF42Bg9l803K8bzUCkJ1fDrycpjhSBOpqDNFUERc
         mVLXOkDy0i6MLaonYbF5nWcjABLacjWUqllwVsXkQidQh/LaGwuQqLqX56iXatiJLgFM
         c/hDNa35SWun7hSgAepIzbPmv1y6/U+ldixM9yXzXHUSLuQLKQcACVXS7TLEgWrDq6mn
         fK/GVKRc/LaWMqsIcx5OxyGvXsoxy7RQOCalh3BK3XVIXvF/UfJRjYDaWN2epfcpBNtC
         aOpA==
X-Gm-Message-State: AOJu0YykDUc+qKd5GXcEUtNp8xhKriHzThwAGR450d6ZecX8QvOeuD0z
	RE8DFxWVQ38z6FzJfTQ95ZwrUWpknfhcq66fYZgjuyL8BFQpwgvcGIZmUOsRcQ==
X-Gm-Gg: AY/fxX6utXXGXoXQYNId1yeUvkZB5EKSvnfA4vpWfn1JRBWWFe9ffjKSzdsfLy4HPow
	R0a7OwL+pwBjdWkbpmv6EUqGoM4UVGSRi0ONSW7MpNpcLkj2Fo22DifTN6KB8bdPtYiKSieVcKw
	g+wiczk9QBiOLvs96our0TAHONjzVBlyL6W66FFr4TbYvNYCBhVGd3OQddgg1/8xGXGHcNL63iN
	4r35bI91YoLxnRhhA1st6Qi/a5f5kvu87jzWK3OJ5kRVctquyQ5ut/IrBF1O1nzIpaahAW3Fb9v
	a5C3F1IbB+xhWyvdWR3sR0fJyhUa2kN2XU8wMWRUXLbobG48wZo0C5jw0G7IQOeRmh3vkaMdnS6
	6sxkkrPLlW1KsrhQ/5nAKSH0kPQD6JJ//hblkmNF9rEWHgnSZCHPN2X11sTmwBYaX3Z8R7KVyWt
	i2F1JsHR34
X-Received: by 2002:a05:600c:4586:b0:477:76cb:4812 with SMTP id
 5b1f17b1804b1-4801e2a50e4mr155620275e9.0.1768845306691;
        Mon, 19 Jan 2026 09:55:06 -0800 (PST)
Received: from desktop ([51.154.145.205])
        by smtp.gmail.com with ESMTPSA id
 5b1f17b1804b1-4801e8795f1sm204201785e9.6.2026.01.19.09.55.06
        for <openembedded-devel@lists.openembedded.org>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 19 Jan 2026 09:55:06 -0800 (PST)
From: Gyorgy Sarvari <skandigraun@gmail.com>
To: openembedded-devel@lists.openembedded.org
Subject: [meta-python][PATCH 1/4] python3-werkzeug: upgrade 3.1.4 -> 3.1.5
Date: Mon, 19 Jan 2026 18:55:02 +0100
Message-ID: <20260119175505.777598-1-skandigraun@gmail.com>
X-Mailer: git-send-email 2.52.0
MIME-Version: 1.0
List-Id: <openembedded-devel.lists.openembedded.org>
X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com
 [45.33.107.173] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-devel@lists.openembedded.org>; Mon, 19 Jan 2026 17:55:12 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-devel/message/123644

Contains fix for CVE-2026-21860

Changelog:
- safe_join on Windows does not allow more special device names,
  regardless of extension or surrounding spaces.
- The multipart form parser handles a \r\n sequence at a chunk boundary.
  This fixes the previous attempt, which caused incorrect content lengths.
- Fix AttributeError when initializing DebuggedApplication with pin_security=False.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 .../{python3-werkzeug_3.1.4.bb => python3-werkzeug_3.1.5.bb}    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta-python/recipes-devtools/python/{python3-werkzeug_3.1.4.bb => python3-werkzeug_3.1.5.bb} (90%)

diff --git a/meta-python/recipes-devtools/python/python3-werkzeug_3.1.4.bb b/meta-python/recipes-devtools/python/python3-werkzeug_3.1.5.bb
similarity index 90%
rename from meta-python/recipes-devtools/python/python3-werkzeug_3.1.4.bb
rename to meta-python/recipes-devtools/python/python3-werkzeug_3.1.5.bb
index 0886dbfef1..1df88b78d0 100644
--- a/meta-python/recipes-devtools/python/python3-werkzeug_3.1.4.bb
+++ b/meta-python/recipes-devtools/python/python3-werkzeug_3.1.5.bb
@@ -10,7 +10,7 @@ HOMEPAGE = "https://werkzeug.palletsprojects.com"
 LICENSE = "BSD-3-Clause"
 LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=5dc88300786f1c214c1e9827a5229462"
 
-SRC_URI[sha256sum] = "cd3cd98b1b92dc3b7b3995038826c68097dcb16f9baa63abe35f20eafeb9fe5e"
+SRC_URI[sha256sum] = "6a548b0e88955dd07ccb25539d7d0cc97417ee9e179677d22c7041c8f078ce67"
 
 CVE_PRODUCT = "werkzeug"
 

From patchwork Mon Jan 19 17:55:03 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Gyorgy Sarvari <skandigraun@gmail.com>
X-Patchwork-Id: 79092
Return-Path: <skandigraun@gmail.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 7911CD29C57
	for <webhook@archiver.kernel.org>; Mon, 19 Jan 2026 17:55:12 +0000 (UTC)
Received: from mail-wm1-f46.google.com (mail-wm1-f46.google.com
 [209.85.128.46])
 by mx.groups.io with SMTP id smtpd.msgproc01-g2.40588.1768845309023611256
 for <openembedded-devel@lists.openembedded.org>;
 Mon, 19 Jan 2026 09:55:09 -0800
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@gmail.com header.s=20230601 header.b=JQSBxFfo;
 spf=pass (domain: gmail.com, ip: 209.85.128.46,
 mailfrom: skandigraun@gmail.com)
Received: by mail-wm1-f46.google.com with SMTP id
 5b1f17b1804b1-47d6a1f08bbso15467985e9.2
        for <openembedded-devel@lists.openembedded.org>;
 Mon, 19 Jan 2026 09:55:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1768845307; x=1769450107;
 darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:from:to:cc:subject:date:message-id
         :reply-to;
        bh=tT6DxfSZ03FqHl6GnjJAgrXDfSlV9bipnsFqHVyPN3I=;
        b=JQSBxFfo08IYv+rbWdX55aOUP4Cl+je/05TgbTYYYQA6Yq8gWTEs8BRINLWGKWdgp5
         zmHEX54rEE2lVptnfjT7Q8sBW/KS1cBqJRA6FtkPeShXpVpuVmLFK3gCvgS4g6IcLa8U
         5rKgyU43IHE4Z4iejANW9v1OyzxEMnyMIcHa+1oEcEn9XPI+B0Y2JhEGyh0z2urJWiMP
         luz8qIXnFPAlQi5GZv0O7p35QJUAjWl0a61GD0/gU0cR/AuPORTxi1qtC4H3W1teVh0a
         ptqsWl831pjIFUFvndoi0i86Evz3uGOU9qqsbJTdyYKI+btRmbGbTnAo9JgqZTZdvEdc
         Qfgg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1768845307; x=1769450107;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to
         :cc:subject:date:message-id:reply-to;
        bh=tT6DxfSZ03FqHl6GnjJAgrXDfSlV9bipnsFqHVyPN3I=;
        b=J9FswIuSFSWCaOn5Y4DfCvuT/+jZSzL+ej6JPFsPMAOUXSr7qxSWRsBkgBgCM9L+yW
         OnJVkC9DPTzZPO5jpFFyORAcZRglEknQyqLmcjwArofDDAS2wCJJde+iSqp0FLvxwwG2
         jJG8OCsOORsV7ASikwuT52mRjOX5e7rsd2Dptsk+/JV9kl+ilJ0jupbBWpj/wUeiXNCx
         /aHuchQkjDYMMzW/+siUK/AZgEjv86S6cETALyTHCzxTaKKi5mjDNk79SkfmsdWCEF3g
         jf6r13UMEgJk3F1/XY2+3EnIyW8QwfJllY4yJgPQWlH0/Rp4Dwwh24pn97ek25W77a+s
         3LJA==
X-Gm-Message-State: AOJu0YzAaqumD6cjU15YlqOv0SShpa19JuM5k9mRb7bmiEpkoVGG+oyJ
	Tqx6KGAX2sfHnKHuBKjBf/wqE/AZ7LuRTlGWyYaYi2xYzuFSX3lgyUZeZfKwKw==
X-Gm-Gg: AY/fxX7qHxfVdW7Gti1KMLFLaXuJVfYywyayr/moX6SVB1E6p5+wpoLho2qSyvP+ImQ
	zGGc+Rkh9ge5w7U48RKWy1x0jVWEMCKuHps2qvq8+ss/00zsmxuGJoj7viWOQBkLcCL22Xkg/LE
	Mjna62gldNQ2v1PTROWniDDYuqXoHIs2WpnO0p1r6aIkwCNIuEtlWFVwdzvu4cx6h2Mgcf+Q+SU
	CJHHGFQnYrkYuhpdr6YSQORqZrxr6RBwXJjmID2y7c8W84fkFH6m2KAdA507mhP3Bqe1AsmqSNO
	Ok723EkaTqWRLb7CudCHUaj+97q7mbEjHwOhWnLPko3vigy/MnYjkzDLZ7ryxMRaRXyp7oXB3Gp
	jq4AQyKuPtReeA4aomn9MuUSQJa3AjHifylpKk/W1lCPUjzJpK1s/OGDNKE1GGW6B4aKj0NA96g
	/ejzNvSymu
X-Received: by 2002:a05:600c:628d:b0:47e:e779:36d with SMTP id
 5b1f17b1804b1-4802827162cmr80004935e9.23.1768845307380;
        Mon, 19 Jan 2026 09:55:07 -0800 (PST)
Received: from desktop ([51.154.145.205])
        by smtp.gmail.com with ESMTPSA id
 5b1f17b1804b1-4801e8795f1sm204201785e9.6.2026.01.19.09.55.06
        for <openembedded-devel@lists.openembedded.org>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 19 Jan 2026 09:55:07 -0800 (PST)
From: Gyorgy Sarvari <skandigraun@gmail.com>
To: openembedded-devel@lists.openembedded.org
Subject: [meta-python][PATCH 2/4] python3-py: ignore CVE-2022-42969
Date: Mon, 19 Jan 2026 18:55:03 +0100
Message-ID: <20260119175505.777598-2-skandigraun@gmail.com>
X-Mailer: git-send-email 2.52.0
In-Reply-To: <20260119175505.777598-1-skandigraun@gmail.com>
References: <20260119175505.777598-1-skandigraun@gmail.com>
MIME-Version: 1.0
List-Id: <openembedded-devel.lists.openembedded.org>
X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com
 [45.33.107.173] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-devel@lists.openembedded.org>; Mon, 19 Jan 2026 17:55:12 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-devel/message/123645

Details: https://nvd.nist.gov/vuln/detail/CVE-2022-42969

Upstream could not reproduce the issue.
The vulnerability has currently the "disputed" flag in the NVD database,
and Github has revoked their related advisory[1].

Ignore this CVE due to this.

[1]: https://github.com/advisories/GHSA-w596-4wvx-j9j6

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 meta-python/recipes-devtools/python/python3-py_1.11.0.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta-python/recipes-devtools/python/python3-py_1.11.0.bb b/meta-python/recipes-devtools/python/python3-py_1.11.0.bb
index 143f7ec555..61f3873b4c 100644
--- a/meta-python/recipes-devtools/python/python3-py_1.11.0.bb
+++ b/meta-python/recipes-devtools/python/python3-py_1.11.0.bb
@@ -6,6 +6,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=a6bb0320b04a0a503f12f69fea479de9"
 SRC_URI[sha256sum] = "51c75c4126074b472f746a24399ad32f6053d1b34b68d2fa41e558e6f4a98719"
 
 CVE_PRODUCT = "py"
+CVE_STATUS[CVE-2022-42969] = "disputed: upstream could not reproduce it, github also revoked the advisory"
 
 DEPENDS += "python3-setuptools-scm-native"
 

From patchwork Mon Jan 19 17:55:04 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Gyorgy Sarvari <skandigraun@gmail.com>
X-Patchwork-Id: 79093
Return-Path: <skandigraun@gmail.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 79198D29C58
	for <webhook@archiver.kernel.org>; Mon, 19 Jan 2026 17:55:12 +0000 (UTC)
Received: from mail-wm1-f47.google.com (mail-wm1-f47.google.com
 [209.85.128.47])
 by mx.groups.io with SMTP id smtpd.msgproc01-g2.40589.1768845309766171381
 for <openembedded-devel@lists.openembedded.org>;
 Mon, 19 Jan 2026 09:55:10 -0800
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@gmail.com header.s=20230601 header.b=f6ON4ya6;
 spf=pass (domain: gmail.com, ip: 209.85.128.47,
 mailfrom: skandigraun@gmail.com)
Received: by mail-wm1-f47.google.com with SMTP id
 5b1f17b1804b1-47ee3a63300so42566665e9.2
        for <openembedded-devel@lists.openembedded.org>;
 Mon, 19 Jan 2026 09:55:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1768845308; x=1769450108;
 darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:from:to:cc:subject:date:message-id
         :reply-to;
        bh=K8R9Ys0pdF1QTg3vd2lupIvqAYJl4YbCxs1IWmbPids=;
        b=f6ON4ya6Y24loi0emwkEVLUjQ2fwISD8FTVk+NpMpwIGkvgn4bXsjGnsapMl3Gc7jV
         WCJtklfxxXonDIFp5NRE/pgUTsXBP1CcXF/sEpUBSV9QbqQLx+x2Vg2woEIRLpdcZCIU
         P/J8JXFvzOL79kA+ODUozn97A6Nf/JsEf32ERdwDtE+pmT8stKebRm38h8O36i/isVUw
         HLgcfUcAsNLLCnLxyQFjppegBf3adeEUWSWg6BH4w9ztK25LpJJ3zVSeKuH7oueF3w+3
         y+atTBzgr4AqnvuTs1ucOxqDX5Yn5JTeI2kJUjJs/85Tlq580Ab1nQ1x0a5Qwa58INJr
         gRxg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1768845308; x=1769450108;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to
         :cc:subject:date:message-id:reply-to;
        bh=K8R9Ys0pdF1QTg3vd2lupIvqAYJl4YbCxs1IWmbPids=;
        b=M7yACyodkivGY5NLAUAYUDbJP6T2pOjmi3spzB3yW7avWLcKgw8/QrAaz+zxreyiX2
         A+kBMV9OssFzJHzYIygQo0FbOomj6175Hf5ef3jFMuu3e/UV/i4I99RtsnFBpyq3RGpB
         bEkbIJJuic0u7V2pgmeq1uSaBnaoe6tPalKKPWHuk54rYyUBMzyT8GWtwqtThxamQFb9
         vA4PctQ4225Q6G7nGrJqQFHpQVeeepOydGiW51hVeOfXtwfcgZENU8Bw+KVraknbKaSm
         tTCl4IY7luAG9TBesoPkkqr4kCMlZwojz0O0NUsJZ6Z5JzsDYFB+qz4vNfBJIoTG5q3N
         yiwA==
X-Gm-Message-State: AOJu0Yz2UavNE3izrupQWHXfubO/bFPhqUnuZIOn8lBlWy8AvBJ4Dmtg
	cnuRkDxnbaCWL53raT/ybRWTg/1QXXNdnr9Cj97HP88jANbSCJlp0NMbopzWHg==
X-Gm-Gg: AY/fxX7n4EE173mQ3m5u4NrEcD/co3s1Bwee3m2Bembq/TuBfRZKh+fKtv/GeDuHNiB
	OQoIEp14BxWw4YBdxUzHM2YKnEZhY5ERe/yfZLz/PDUX5kWAecUu5SF9VEP6iz1prQ1bFyqwDqp
	oUz2Yhwbq0DBXkeLMGANmA6YM7BLDCDcjwUHNEvakTdZ6hsFh50blODpBUcndYveLOANzse9whQ
	lcr8vWMhFn/BBhuhA4bm4EjsdHhxyQrkF3iwYvK3keqUO7aAwWF6WZBts+Zu7j6D47z3Bc9+tvA
	CdGDItQ46f0I5uSdKSda+cW4SYZKn2Cr2YlcP0Z5axQCGtYyBRX+eew1sVjU9ySKQZ+sDgzd9Et
	yd2A9tb07RClga2rCFLheJIbdAxfTJ67sIdgE0cSmXj3AOB8YnSOAz5C4UeM1lsTwuXoscNo8kR
	NT9RgKENp4
X-Received: by 2002:a05:600c:1394:b0:47d:3ead:7439 with SMTP id
 5b1f17b1804b1-4801e358880mr142150035e9.37.1768845308120;
        Mon, 19 Jan 2026 09:55:08 -0800 (PST)
Received: from desktop ([51.154.145.205])
        by smtp.gmail.com with ESMTPSA id
 5b1f17b1804b1-4801e8795f1sm204201785e9.6.2026.01.19.09.55.07
        for <openembedded-devel@lists.openembedded.org>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 19 Jan 2026 09:55:07 -0800 (PST)
From: Gyorgy Sarvari <skandigraun@gmail.com>
To: openembedded-devel@lists.openembedded.org
Subject: [meta-python][PATCH 3/4] python3-lief: upgrade 0.17.1 -> 0.17.2
Date: Mon, 19 Jan 2026 18:55:04 +0100
Message-ID: <20260119175505.777598-3-skandigraun@gmail.com>
X-Mailer: git-send-email 2.52.0
In-Reply-To: <20260119175505.777598-1-skandigraun@gmail.com>
References: <20260119175505.777598-1-skandigraun@gmail.com>
MIME-Version: 1.0
List-Id: <openembedded-devel.lists.openembedded.org>
X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com
 [45.33.107.173] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-devel@lists.openembedded.org>; Mon, 19 Jan 2026 17:55:12 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-devel/message/123646

Contains fix for CVE-2025-15504

Changelog:
- Differentiate Mach-O FAT magic bytes and Java class
- Fix MinGW compilation for some configuration
- Fix alignment issue when rebuilding PE relocations
- Fix infinite loop when processing v2 dynamic relocation
- Ensure that added DYN ELF sections are properly aligned
- Fix GnuHash null dereference
- Fix strong performance issue when parsing certain Mach-O

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 .../python/{python3-lief_0.17.1.bb => python3-lief_0.17.2.bb}   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta-python/recipes-devtools/python/{python3-lief_0.17.1.bb => python3-lief_0.17.2.bb} (95%)

diff --git a/meta-python/recipes-devtools/python/python3-lief_0.17.1.bb b/meta-python/recipes-devtools/python/python3-lief_0.17.2.bb
similarity index 95%
rename from meta-python/recipes-devtools/python/python3-lief_0.17.1.bb
rename to meta-python/recipes-devtools/python/python3-lief_0.17.2.bb
index de6390d210..e7de6b6d3b 100644
--- a/meta-python/recipes-devtools/python/python3-lief_0.17.1.bb
+++ b/meta-python/recipes-devtools/python/python3-lief_0.17.2.bb
@@ -5,7 +5,7 @@ LICENSE = "Apache-2.0"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=9ab5db472ff936b441055522f5000547"
 SECTION = "libs"
 
-SRCREV = "fe54643fe3d7a699c68b164dae87afb1eb059342"
+SRCREV = "aa2b617f47c2f75fca9ff00b146dabbaf1b9f422"
 SRC_URI = " \
     git://github.com/lief-project/LIEF.git;protocol=https;branch=release/0.17.x;tag=${PV} \
     file://0001-build-requirements.txt-Allow-newer-versions.patch \

From patchwork Mon Jan 19 17:55:05 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Gyorgy Sarvari <skandigraun@gmail.com>
X-Patchwork-Id: 79090
Return-Path: <skandigraun@gmail.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 6CF7FD29C4F
	for <webhook@archiver.kernel.org>; Mon, 19 Jan 2026 17:55:12 +0000 (UTC)
Received: from mail-wm1-f52.google.com (mail-wm1-f52.google.com
 [209.85.128.52])
 by mx.groups.io with SMTP id smtpd.msgproc01-g2.40590.1768845310479249932
 for <openembedded-devel@lists.openembedded.org>;
 Mon, 19 Jan 2026 09:55:10 -0800
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@gmail.com header.s=20230601 header.b=Sx7xuDs2;
 spf=pass (domain: gmail.com, ip: 209.85.128.52,
 mailfrom: skandigraun@gmail.com)
Received: by mail-wm1-f52.google.com with SMTP id
 5b1f17b1804b1-4801c1ad878so34155925e9.1
        for <openembedded-devel@lists.openembedded.org>;
 Mon, 19 Jan 2026 09:55:10 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1768845309; x=1769450109;
 darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:from:to:cc:subject:date:message-id
         :reply-to;
        bh=w7RXd8SF0HVuESCTqVhhoE6ZmOq08/RgaQLuLVfcZPg=;
        b=Sx7xuDs2YRLoGiTzE64Ofiel9GD2XXR8BB33fPU/qYdxJ8mavFe/Re/yPDdP7EPEXb
         FEL/zRzpbrz02rbTlPzplhgoszaglmTob85svR70/Muw66ty0yi8UmABtu8G6H0qDKYY
         kFqpyZ3fQ0y35e86Ab+LqEnZV/N38WMPigk0i1bAlctis8SOqeN0zuHAOmIcnwfTU64W
         h9bqh9AzHHLA6fOmwYvEZ12W3UrK/f9pTOvjrWjAy1+qsiNzvvAvH925xG6VSuJAxjsv
         7zIZfm68iKAHACEo4yUM0cuQE2ba+Cx/turBQt6P+veF6RZQ3HxH6BRSK15OjrMMebP9
         cYgQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1768845309; x=1769450109;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to
         :cc:subject:date:message-id:reply-to;
        bh=w7RXd8SF0HVuESCTqVhhoE6ZmOq08/RgaQLuLVfcZPg=;
        b=N/j9SwvwTYBnyynjWHNVU/ioWlRJz/wX8+/CBGL4k4ov2bp/OIRbgFulX7HnC+YEfn
         Zur5UsealGfv0xmJa72DU7DW8ZJwQ0wfzsrDbfW+LTknLnyLr93Pc1KVAGyTTmC6WJJU
         mGCz064RSSePBRwZ4FKKQa+ZVvaYIAj1mh4ntU7ilc1VYpprf9uB4pV80PvDzLi/Bfnj
         HWtWZ/x1n3VEIqCpow6MvY5ezt6rdQ3S1zPhCnyrEcsy+28htWWylDDzuzgXQqWyxaLo
         HvC6C8PCrFIg33CpzfvoPtnC8uatnCSdDsFqYxXJt8Kls2Fcbm1SS7EGM49sYn2HRnEz
         OR3A==
X-Gm-Message-State: AOJu0YzYEwa3wbtUexTMI/4cyLYDVsU2C6k4bRcGgVjVU9XMevi8TGec
	vFImxlSgIElYzALWZqAlt4NCOeqNg27bWAWOJ2EEg76NHPJw5mm/nQF3cWCnbQ==
X-Gm-Gg: AY/fxX5HnRiecvQfMlGbxI7rF7BDK7IR5FelP7W/pIUUV1dtUr+XAdBgurDCXXuKJ9n
	GP84IpMz6rm3fMzzq50x1s0YPL8HztMvGb9xFKdzS1sjrXENWtpvr6o3eWggdcj+YRRRkBXvN/q
	6ivFfvNI22iqWpOgr3fQLMt9A/JdglEZqIWBEdQ8ggj9SjEGYB36iAx9Ej7xg5SYaUbOfKtQEfP
	fwXv7nrZ4cqTfhJFR18p8pU0QcX2kv4zVLVO3yaotgfOb4drtFusiTVkvqGZ0dYTPP0p0WGL8QA
	5Nlh9E4mCZ02KOoD34GtKETG31PxgSmtLUIiMJMpAQeWb3JgL5VSk1URGtjuXxJAFSCTaNlQv9A
	ZWnixaCQQQ7DMEStJ9Ajt5wJ1fHhX3PGOxNA/qC3q2M0Cg88pqbq2WYxkl+iAwwc7/P1bmclyCn
	QjSYyUiwo1
X-Received: by 2002:a05:600c:6215:b0:477:a246:8398 with SMTP id
 5b1f17b1804b1-4801e2fe16amr133897885e9.2.1768845308801;
        Mon, 19 Jan 2026 09:55:08 -0800 (PST)
Received: from desktop ([51.154.145.205])
        by smtp.gmail.com with ESMTPSA id
 5b1f17b1804b1-4801e8795f1sm204201785e9.6.2026.01.19.09.55.08
        for <openembedded-devel@lists.openembedded.org>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 19 Jan 2026 09:55:08 -0800 (PST)
From: Gyorgy Sarvari <skandigraun@gmail.com>
To: openembedded-devel@lists.openembedded.org
Subject: [meta-python][PATCH 4/4] python3-lief: mark CVE-2025-15504 patched
Date: Mon, 19 Jan 2026 18:55:05 +0100
Message-ID: <20260119175505.777598-4-skandigraun@gmail.com>
X-Mailer: git-send-email 2.52.0
In-Reply-To: <20260119175505.777598-1-skandigraun@gmail.com>
References: <20260119175505.777598-1-skandigraun@gmail.com>
MIME-Version: 1.0
List-Id: <openembedded-devel.lists.openembedded.org>
X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com
 [45.33.107.173] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-devel@lists.openembedded.org>; Mon, 19 Jan 2026 17:55:12 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-devel/message/123647

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-15504

The vulnerability is patched in v0.17.2, however NVD is currently tracking
the CVE without any version info (or more like with out any CPE info)

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 meta-python/recipes-devtools/python/python3-lief_0.17.2.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta-python/recipes-devtools/python/python3-lief_0.17.2.bb b/meta-python/recipes-devtools/python/python3-lief_0.17.2.bb
index e7de6b6d3b..44b4976ab1 100644
--- a/meta-python/recipes-devtools/python/python3-lief_0.17.2.bb
+++ b/meta-python/recipes-devtools/python/python3-lief_0.17.2.bb
@@ -13,6 +13,7 @@ SRC_URI = " \
 "
 
 CVE_PRODUCT = "lief"
+CVE_STATUS[CVE-2025-15504] = "fixed-version: the vulnerability is fixed since v0.17.2"
 
 PEP517_SOURCE_PATH = "${S}/api/python"