From patchwork Thu Feb 5 06:59:36 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Gyorgy Sarvari
X-Patchwork-Id: 80480
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-python][whinlatter][PATCH 01/20] python3-cbor2: patch CVE-2025-68131
Date: Thu, 5 Feb 2026 07:59:36 +0100
Message-ID: <20260205065955.1267785-1-skandigraun@gmail.com>
X-Mailer: git-send-email 2.53.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124177

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-68131

The NVD report mentions a PR as the solution, however in the discussion
of that PR it turned out that this is incorrect, and another patch is the
solution. That patch was picked.

Ptests passed successfully.

Signed-off-by: Gyorgy Sarvari
--- .../python/python3-cbor2/CVE-2025-68131.patch | 515 ++++++++++++++++++ .../python/python3-cbor2_5.7.1.bb | 1 + 2 files changed, 516 insertions(+) create mode 100644 meta-python/recipes-devtools/python/python3-cbor2/CVE-2025-68131.patch diff --git a/meta-python/recipes-devtools/python/python3-cbor2/CVE-2025-68131.patch b/meta-python/recipes-devtools/python/python3-cbor2/CVE-2025-68131.patch new file mode 100644 index 0000000000..bf6819eebe --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-cbor2/CVE-2025-68131.patch 
@@ -0,0 +1,515 @@ +From 60b74e9842e83318efccf0f4eed6a94a07ac5677 Mon Sep 17 00:00:00 2001 +From: Andreas Eriksen +Date: Thu, 18 Dec 2025 16:48:26 +0100 +Subject: [PATCH] Merge commit from fork + +* track depth of recursive encode/decode, clear shared refs on start + +* test that shared refs are cleared on start + +* add fix-shared-state-reset to version history + +* clear shared state _after_ encode/decode + +* use PY_SSIZE_T_MAX to clear shareables list + +* use context manager for python decoder depth tracking + +* use context manager for python encoder depth tracking + +CVE: CVE-2025-68131 +Upstream-Status: Backport [https://github.com/agronholm/cbor2/commit/f1d701cd2c411ee40bb1fe383afe7f365f35abf0] +Signed-off-by: Gyorgy Sarvari +--- + cbor2/_decoder.py | 38 +++++++++++++++++----- + cbor2/_encoder.py | 44 +++++++++++++++++++++----- + source/decoder.c | 28 ++++++++++++++++- + source/decoder.h | 1 + + source/encoder.c | 23 ++++++++++++-- + source/encoder.h | 1 + + tests/test_decoder.py | 62 ++++++++++++++++++++++++++++++++++++ + tests/test_encoder.py | 70 +++++++++++++++++++++++++++++++++++++++++ + 8 files changed, 250 insertions(+), 17 deletions(-) + +diff --git a/cbor2/_decoder.py b/cbor2/_decoder.py +index 42a9740..b552492 100644 +--- a/cbor2/_decoder.py ++++ b/cbor2/_decoder.py +@@ -5,6 +5,7 @@ import struct + import sys + from codecs import getincrementaldecoder + from collections.abc import Callable, Mapping, Sequence ++from contextlib import contextmanager + from datetime import date, datetime, timedelta, timezone + from io import BytesIO + from typing import IO, TYPE_CHECKING, Any, TypeVar, cast, overload +@@ -59,6 +60,7 @@ class CBORDecoder: + "_immutable", + "_str_errors", + "_stringref_namespace", ++ "_decode_depth", + ) + + _fp: IO[bytes] +@@ -100,6 +102,7 @@ class CBORDecoder: + self._shareables: list[object] = [] + self._stringref_namespace: list[str | bytes] | None = None + self._immutable = False ++ self._decode_depth = 0 + + @property + def 
immutable(self) -> bool: +@@ -225,13 +228,33 @@ class CBORDecoder: + if unshared: + self._share_index = old_index + ++ @contextmanager ++ def _decoding_context(self): ++ """ ++ Context manager for tracking decode depth and clearing shared state. ++ ++ Shared state is cleared at the end of each top-level decode to prevent ++ shared references from leaking between independent decode operations. ++ Nested calls (from hooks) must preserve the state. ++ """ ++ self._decode_depth += 1 ++ try: ++ yield ++ finally: ++ self._decode_depth -= 1 ++ assert self._decode_depth >= 0 ++ if self._decode_depth == 0: ++ self._shareables.clear() ++ self._share_index = None ++ + def decode(self) -> object: + """ + Decode the next value from the stream. + + :raises CBORDecodeError: if there is any problem decoding the stream + """ +- return self._decode() ++ with self._decoding_context(): ++ return self._decode() + + def decode_from_bytes(self, buf: bytes) -> object: + """ +@@ -242,12 +265,13 @@ class CBORDecoder: + object needs to be decoded separately from the rest but while still + taking advantage of the shared value registry. + """ +- with BytesIO(buf) as fp: +- old_fp = self.fp +- self.fp = fp +- retval = self._decode() +- self.fp = old_fp +- return retval ++ with self._decoding_context(): ++ with BytesIO(buf) as fp: ++ old_fp = self.fp ++ self.fp = fp ++ retval = self._decode() ++ self.fp = old_fp ++ return retval + + @overload + def _decode_length(self, subtype: int) -> int: ... 
+diff --git a/cbor2/_encoder.py b/cbor2/_encoder.py +index fe65763..5b9609c 100644 +--- a/cbor2/_encoder.py ++++ b/cbor2/_encoder.py +@@ -124,6 +124,7 @@ class CBOREncoder: + "string_namespacing", + "_string_references", + "indefinite_containers", ++ "_encode_depth", + ) + + _fp: IO[bytes] +@@ -188,6 +189,7 @@ class CBOREncoder: + int, tuple[object, int | None] + ] = {} # indexes used for value sharing + self._string_references: dict[str | bytes, int] = {} # indexes used for string references ++ self._encode_depth = 0 + self._encoders = default_encoders.copy() + if canonical: + self._encoders.update(canonical_encoders) +@@ -303,6 +305,24 @@ class CBOREncoder: + """ + self._fp_write(data) + ++ @contextmanager ++ def _encoding_context(self): ++ """ ++ Context manager for tracking encode depth and clearing shared state. ++ ++ Shared state is cleared at the end of each top-level encode to prevent ++ shared references from leaking between independent encode operations. ++ Nested calls (from hooks) must preserve the state. ++ """ ++ self._encode_depth += 1 ++ try: ++ yield ++ finally: ++ self._encode_depth -= 1 ++ if self._encode_depth == 0: ++ self._shared_containers.clear() ++ self._string_references.clear() ++ + def encode(self, obj: Any) -> None: + """ + Encode the given object using CBOR. +@@ -310,6 +330,16 @@ class CBOREncoder: + :param obj: + the object to encode + """ ++ with self._encoding_context(): ++ self._encode_value(obj) ++ ++ def _encode_value(self, obj: Any) -> None: ++ """ ++ Internal fast path for encoding - used by built-in encoders. ++ ++ External code should use encode() instead, which properly manages ++ shared state between independent encode operations. 
++ """ + obj_type = obj.__class__ + encoder = self._encoders.get(obj_type) or self._find_encoder(obj_type) or self._default + if not encoder: +@@ -459,7 +489,7 @@ class CBOREncoder: + def encode_array(self, value: Sequence[Any]) -> None: + self.encode_length(4, len(value) if not self.indefinite_containers else None) + for item in value: +- self.encode(item) ++ self._encode_value(item) + + if self.indefinite_containers: + self.encode_break() +@@ -468,8 +498,8 @@ class CBOREncoder: + def encode_map(self, value: Mapping[Any, Any]) -> None: + self.encode_length(5, len(value) if not self.indefinite_containers else None) + for key, val in value.items(): +- self.encode(key) +- self.encode(val) ++ self._encode_value(key) ++ self._encode_value(val) + + if self.indefinite_containers: + self.encode_break() +@@ -494,10 +524,10 @@ class CBOREncoder: + # String referencing requires that the order encoded is + # the same as the order emitted so string references are + # generated after an order is determined +- self.encode(realkey) ++ self._encode_value(realkey) + else: + self._fp_write(sortkey[1]) +- self.encode(value) ++ self._encode_value(value) + + if self.indefinite_containers: + self.encode_break() +@@ -511,7 +541,7 @@ class CBOREncoder: + self._string_references = {} + + self.encode_length(6, value.tag) +- self.encode(value.value) ++ self._encode_value(value.value) + + self.string_referencing = old_string_referencing + self._string_references = old_string_references +@@ -574,7 +604,7 @@ class CBOREncoder: + def encode_stringref(self, value: str | bytes) -> None: + # Semantic tag 25 + if not self._stringref(value): +- self.encode(value) ++ self._encode_value(value) + + def encode_rational(self, value: Fraction) -> None: + # Semantic tag 30 +diff --git a/source/decoder.c b/source/decoder.c +index 8b6b842..b0bdb9a 100644 +--- a/source/decoder.c ++++ b/source/decoder.c +@@ -143,6 +143,7 @@ CBORDecoder_new(PyTypeObject *type, PyObject *args, PyObject *kwargs) + self->str_errors 
= PyBytes_FromString("strict"); + self->immutable = false; + self->shared_index = -1; ++ self->decode_depth = 0; + } + return (PyObject *) self; + error: +@@ -2083,11 +2084,30 @@ decode(CBORDecoderObject *self, DecodeOptions options) + } + + ++// Reset shared state at the end of each top-level decode to prevent ++// shared references from leaking between independent decode operations. ++// Nested calls (from hooks) must preserve the state. ++static inline void ++clear_shareable_state(CBORDecoderObject *self) ++{ ++ PyList_SetSlice(self->shareables, 0, PY_SSIZE_T_MAX, NULL); ++ self->shared_index = -1; ++} ++ ++ + // CBORDecoder.decode(self) -> obj + PyObject * + CBORDecoder_decode(CBORDecoderObject *self) + { +- return decode(self, DECODE_NORMAL); ++ PyObject *ret; ++ self->decode_depth++; ++ ret = decode(self, DECODE_NORMAL); ++ self->decode_depth--; ++ assert(self->decode_depth >= 0); ++ if (self->decode_depth == 0) { ++ clear_shareable_state(self); ++ } ++ return ret; + } + + +@@ -2100,6 +2120,7 @@ CBORDecoder_decode_from_bytes(CBORDecoderObject *self, PyObject *data) + if (!_CBOR2_BytesIO && _CBOR2_init_BytesIO() == -1) + return NULL; + ++ self->decode_depth++; + save_read = self->read; + buf = PyObject_CallFunctionObjArgs(_CBOR2_BytesIO, data, NULL); + if (buf) { +@@ -2111,6 +2132,11 @@ CBORDecoder_decode_from_bytes(CBORDecoderObject *self, PyObject *data) + Py_DECREF(buf); + } + self->read = save_read; ++ self->decode_depth--; ++ assert(self->decode_depth >= 0); ++ if (self->decode_depth == 0) { ++ clear_shareable_state(self); ++ } + return ret; + } + +diff --git a/source/decoder.h b/source/decoder.h +index 6bb6d52..a2f1bcb 100644 +--- a/source/decoder.h ++++ b/source/decoder.h +@@ -13,6 +13,7 @@ typedef struct { + PyObject *str_errors; + bool immutable; + Py_ssize_t shared_index; ++ Py_ssize_t decode_depth; + } CBORDecoderObject; + + extern PyTypeObject CBORDecoderType; +diff --git a/source/encoder.c b/source/encoder.c +index 4dc3c6b..e87670d 100644 +--- 
a/source/encoder.c ++++ b/source/encoder.c +@@ -114,6 +114,7 @@ CBOREncoder_new(PyTypeObject *type, PyObject *args, PyObject *kwargs) + self->string_referencing = false; + self->string_namespacing = false; + self->indefinite_containers = false; ++ self->encode_depth = 0; + } + return (PyObject *) self; + } +@@ -2132,17 +2133,35 @@ encode(CBOREncoderObject *self, PyObject *value) + } + + ++// Reset shared state at the end of each top-level encode to prevent ++// shared references from leaking between independent encode operations. ++// Nested calls (from hooks or recursive encoding) must preserve the state. ++static inline void ++clear_shared_state(CBOREncoderObject *self) ++{ ++ PyDict_Clear(self->shared); ++ PyDict_Clear(self->string_references); ++} ++ ++ + // CBOREncoder.encode(self, value) + PyObject * + CBOREncoder_encode(CBOREncoderObject *self, PyObject *value) + { + PyObject *ret; + +- // TODO reset shared dict? +- if (Py_EnterRecursiveCall(" in CBOREncoder.encode")) ++ self->encode_depth++; ++ if (Py_EnterRecursiveCall(" in CBOREncoder.encode")) { ++ self->encode_depth--; + return NULL; ++ } + ret = encode(self, value); + Py_LeaveRecursiveCall(); ++ self->encode_depth--; ++ assert(self->encode_depth >= 0); ++ if (self->encode_depth == 0) { ++ clear_shared_state(self); ++ } + return ret; + } + +diff --git a/source/encoder.h b/source/encoder.h +index abc6560..915f1f2 100644 +--- a/source/encoder.h ++++ b/source/encoder.h +@@ -25,6 +25,7 @@ typedef struct { + bool string_referencing; + bool string_namespacing; + bool indefinite_containers; ++ Py_ssize_t encode_depth; + } CBOREncoderObject; + + extern PyTypeObject CBOREncoderType; +diff --git a/tests/test_decoder.py b/tests/test_decoder.py +index 0f4af4d..c8b47d5 100644 +--- a/tests/test_decoder.py ++++ b/tests/test_decoder.py +@@ -1022,3 +1022,65 @@ def test_oversized_read(impl, payload: bytes, tmp_path: Path) -> None: + dummy_path.write_bytes(payload) + with dummy_path.open("rb") as f: + impl.load(f) ++ ++ 
++class TestDecoderReuse: ++ """ ++ Tests for correct behavior when reusing CBORDecoder instances. ++ """ ++ ++ def test_decoder_reuse_resets_shared_refs(self, impl): ++ """ ++ Shared references should be scoped to a single decode operation, ++ not persist across multiple decodes on the same decoder instance. ++ """ ++ # Message with shareable tag (28) ++ msg1 = impl.dumps(impl.CBORTag(28, "first_value")) ++ ++ # Message with sharedref tag (29) referencing index 0 ++ msg2 = impl.dumps(impl.CBORTag(29, 0)) ++ ++ # Reuse decoder across messages ++ decoder = impl.CBORDecoder(BytesIO(msg1)) ++ result1 = decoder.decode() ++ assert result1 == "first_value" ++ ++ # Second decode should fail - sharedref(0) doesn't exist in this context ++ decoder.fp = BytesIO(msg2) ++ with pytest.raises(impl.CBORDecodeValueError, match="shared reference"): ++ decoder.decode() ++ ++ def test_decode_from_bytes_resets_shared_refs(self, impl): ++ """ ++ decode_from_bytes should also reset shared references between calls. ++ """ ++ msg1 = impl.dumps(impl.CBORTag(28, "value")) ++ msg2 = impl.dumps(impl.CBORTag(29, 0)) ++ ++ decoder = impl.CBORDecoder(BytesIO(b"")) ++ decoder.decode_from_bytes(msg1) ++ ++ with pytest.raises(impl.CBORDecodeValueError, match="shared reference"): ++ decoder.decode_from_bytes(msg2) ++ ++ def test_shared_refs_within_single_decode(self, impl): ++ """ ++ Shared references must work correctly within a single decode operation. ++ ++ Note: This tests non-cyclic sibling references [shareable(x), sharedref(0)], ++ which is a different pattern from test_cyclic_array/test_cyclic_map that ++ test self-referencing structures like shareable([sharedref(0)]). 
++ """ ++ # [shareable("hello"), sharedref(0)] -> ["hello", "hello"] ++ data = unhexlify( ++ "82" # array(2) ++ "d81c" # tag(28) shareable ++ "65" # text(5) ++ "68656c6c6f" # "hello" ++ "d81d" # tag(29) sharedref ++ "00" # unsigned(0) ++ ) ++ ++ result = impl.loads(data) ++ assert result == ["hello", "hello"] ++ assert result[0] is result[1] # Same object reference +diff --git a/tests/test_encoder.py b/tests/test_encoder.py +index cbb4295..e6adc08 100644 +--- a/tests/test_encoder.py ++++ b/tests/test_encoder.py +@@ -717,3 +717,73 @@ def test_indefinite_containers(impl): + expected = b"\xbf\xff" + assert impl.dumps({}, indefinite_containers=True) == expected + assert impl.dumps({}, indefinite_containers=True, canonical=True) == expected ++ ++ ++class TestEncoderReuse: ++ """ ++ Tests for correct behavior when reusing CBOREncoder instances. ++ """ ++ ++ def test_encoder_reuse_resets_shared_containers(self, impl): ++ """ ++ Shared container tracking should be scoped to a single encode operation, ++ not persist across multiple encodes on the same encoder instance. ++ """ ++ fp = BytesIO() ++ encoder = impl.CBOREncoder(fp, value_sharing=True) ++ shared_obj = ["hello"] ++ ++ # First encode: object is tracked in shared containers ++ encoder.encode([shared_obj, shared_obj]) ++ ++ # Second encode on new fp: should produce valid standalone CBOR ++ # (not a sharedref pointing to stale first-encode data) ++ encoder.fp = BytesIO() ++ encoder.encode(shared_obj) ++ second_output = encoder.fp.getvalue() ++ ++ # The second output must be decodable on its own ++ result = impl.loads(second_output) ++ assert result == ["hello"] ++ ++ def test_encode_to_bytes_resets_shared_containers(self, impl): ++ """ ++ encode_to_bytes should also reset shared container tracking between calls. 
++ """ ++ fp = BytesIO() ++ encoder = impl.CBOREncoder(fp, value_sharing=True) ++ shared_obj = ["hello"] ++ ++ # First encode ++ encoder.encode_to_bytes([shared_obj, shared_obj]) ++ ++ # Second encode should produce valid standalone CBOR ++ result_bytes = encoder.encode_to_bytes(shared_obj) ++ result = impl.loads(result_bytes) ++ assert result == ["hello"] ++ ++ def test_encoder_hook_does_not_reset_state(self, impl): ++ """ ++ When a custom encoder hook calls encode(), the shared container ++ tracking should be preserved (not reset mid-operation). ++ """ ++ ++ class Custom: ++ def __init__(self, value): ++ self.value = value ++ ++ def custom_encoder(encoder, obj): ++ # Hook encodes the wrapped value ++ encoder.encode(obj.value) ++ ++ # Encode a Custom wrapping a list ++ data = impl.dumps(Custom(["a", "b"]), default=custom_encoder) ++ ++ # Verify the output decodes correctly ++ result = impl.loads(data) ++ assert result == ["a", "b"] ++ ++ # Test nested Custom objects - hook should work recursively ++ data2 = impl.dumps(Custom(Custom(["x"])), default=custom_encoder) ++ result2 = impl.loads(data2) ++ assert result2 == ["x"] diff --git a/meta-python/recipes-devtools/python/python3-cbor2_5.7.1.bb b/meta-python/recipes-devtools/python/python3-cbor2_5.7.1.bb index e124207cbf..5aa5ba599f 100644 --- a/meta-python/recipes-devtools/python/python3-cbor2_5.7.1.bb +++ b/meta-python/recipes-devtools/python/python3-cbor2_5.7.1.bb 
@@ -3,6 +3,7 @@ LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=a79e64179819c7ce293372c059f1dbd8" DEPENDS += "python3-setuptools-scm-native" +SRC_URI += "file://CVE-2025-68131.patch" SRC_URI[sha256sum] = "7a405a1d7c8230ee9acf240aad48ae947ef584e8af05f169f3c1bde8f01f8b71" inherit pypi python_setuptools_build_meta ptest-python-pytest

From patchwork Thu Feb 5 06:59:37 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Gyorgy Sarvari
X-Patchwork-Id: 80486
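Review bot: In PATCH 01/20, the cbor2/_decoder.py hunk that rewrites `decode_from_bytes` still reaches `self.fp = old_fp` only when `self._decode()` returns normally. The new `_decoding_context` restores the depth counter and clears `_shareables` when decoding raises, but the decoder is then left pointing at the BytesIO that the inner `with` has just closed. The backport should stay identical to upstream; the point is worth raising there so that the restore moves into a try/finally.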
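Review bot: In PATCH 01/20, the cbor2/_encoder.py hunk that adds `_encoding_context` uses `@contextmanager`, but unlike the _decoder.py part none of the _encoder.py hunks adds `from contextlib import contextmanager`. Please confirm that the 5.7.1 module already imports it (the passing ptests suggest it does) and say so in the commit message. The encoder context also lacks the `assert self._encode_depth >= 0` check that `_decoding_context` carries, so an unbalanced counter would be caught on one side only.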
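Review bot: In PATCH 01/20, source/decoder.c, `clear_shareable_state` discards the return value of `PyList_SetSlice`, so a failed clear would go unnoticed and leave stale shareables for the next decode, which is exactly the state this CVE fix is meant to remove. The `assert(self->decode_depth >= 0)` checks here, and the matching one in source/encoder.c, are compiled out when the extension is built with NDEBUG, so they give no protection in such builds. Neither point needs a change in the backport, but both are worth checking against how the recipe builds the C extension.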
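Review bot: In PATCH 01/20, tests/test_encoder.py, `test_encoder_hook_does_not_reset_state` calls `impl.dumps(..., default=custom_encoder)` without `value_sharing=True` and asserts only the round-trip value, so it does not appear to exercise shared-container tracking and would pass even if the nested `encoder.encode()` call from the hook cleared that state. A case with value sharing enabled, where the same list reaches the encoder both directly and through the hook and identity is checked after decoding, would cover what the docstring describes. tests/test_decoder.py has no corresponding test for a hook that calls back into the decoder, although the `_decoding_context` docstring says nested calls must preserve the state.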
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-python][whinlatter][PATCH 02/20] python3-flask-cors: upgrade 4.0.0 -> 4.0.2
Date: Thu, 5 Feb 2026 07:59:37 +0100
Message-ID: <20260205065955.1267785-2-skandigraun@gmail.com>
X-Mailer: git-send-email 2.53.0
In-Reply-To: <20260205065955.1267785-1-skandigraun@gmail.com>
References: <20260205065955.1267785-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124178

Contains a fix for CVE-2024-6221 (related patch dropped) and CVE-2024-1681

Changelog:
4.0.1:
- Fix Read the Docs builds
- Update extension.py to clean request.path before logging it
- Update CI to include Python 3.12 and flask 3.0.3

4.0.2:
- Bump requests from 2.31.0 to 2.32.0 in /docs
- Backwards Compatible Fix for CVE-2024-6221
- Add unit tests for Private-Network

Signed-off-by: Gyorgy Sarvari
Signed-off-by: Anuj Mittal
(cherry picked from commit fbe5524dc822317c1a4b7aad566a6dae5657cb22)
Signed-off-by: Gyorgy Sarvari
--- .../python3-flask-cors/CVE-2024-6221.patch | 110 ------------------ ...s_4.0.0.bb => python3-flask-cors_4.0.2.bb} | 8 +- 2 files changed, 2 insertions(+), 116 deletions(-) delete mode 100644 meta-python/recipes-devtools/python/python3-flask-cors/CVE-2024-6221.patch rename meta-python/recipes-devtools/python/{python3-flask-cors_4.0.0.bb => python3-flask-cors_4.0.2.bb} (73%) diff --git a/meta-python/recipes-devtools/python/python3-flask-cors/CVE-2024-6221.patch b/meta-python/recipes-devtools/python/python3-flask-cors/CVE-2024-6221.patch deleted file mode 100644 index 9049b2ffe6..0000000000 --- a/meta-python/recipes-devtools/python/python3-flask-cors/CVE-2024-6221.patch +++ /dev/null 
@@ -1,110 +0,0 @@ -From 7ae310c56ac30e0b94fb42129aa377bf633256ec Mon Sep 17 00:00:00 2001 -From: Adriano Sela Aviles -Date: Fri, 30 Aug 2024 12:14:31 -0400 -Subject: [PATCH] Backwards Compatible Fix for CVE-2024-6221 (#363) - -CVE: CVE-2024-6221 - -Upstream-Status: Backport [https://github.com/corydolphin/flask-cors/commit/7ae310c56ac30e0b94fb42129aa377bf633256ec] - -Signed-off-by: Soumya Sambu ---- - docs/configuration.rst | 14 ++++++++++++++ - flask_cors/core.py | 8 +++++--- - flask_cors/extension.py | 16 ++++++++++++++++ - 3 files changed, 35 insertions(+), 3 deletions(-) - -diff --git a/docs/configuration.rst b/docs/configuration.rst -index 91282d3..c750cf4 100644 ---- a/docs/configuration.rst -+++ b/docs/configuration.rst -@@ -23,6 +23,19 @@ CORS_ALLOW_HEADERS (:py:class:`~typing.List` or :py:class:`str`) - Headers to accept from the client. - Headers in the :http:header:`Access-Control-Request-Headers` request header (usually part of the preflight OPTIONS request) matching headers in this list will be included in the :http:header:`Access-Control-Allow-Headers` response header. - -+CORS_ALLOW_PRIVATE_NETWORK (:py:class:`bool`) -+ If True, the response header :http:header:`Access-Control-Allow-Private-Network` -+ will be set with the value 'true' whenever the request header -+ :http:header:`Access-Control-Request-Private-Network` has a value 'true'. -+ -+ If False, the reponse header :http:header:`Access-Control-Allow-Private-Network` -+ will be set with the value 'false' whenever the request header -+ :http:header:`Access-Control-Request-Private-Network` has a value of 'true'. -+ -+ If the request header :http:header:`Access-Control-Request-Private-Network` is -+ not present or has a value other than 'true', the response header -+ :http:header:`Access-Control-Allow-Private-Network` will not be set. -+ - CORS_ALWAYS_SEND (:py:class:`bool`) - Usually, if a request doesn't include an :http:header:`Origin` header, the client did not request CORS. 
- This means we can ignore this request. -@@ -83,6 +96,7 @@ Default values - ~~~~~~~~~~~~~~ - - * CORS_ALLOW_HEADERS: "*" -+* CORS_ALLOW_PRIVATE_NETWORK: True - * CORS_ALWAYS_SEND: True - * CORS_AUTOMATIC_OPTIONS: True - * CORS_EXPOSE_HEADERS: None -diff --git a/flask_cors/core.py b/flask_cors/core.py -index 5358036..bd011f4 100644 ---- a/flask_cors/core.py -+++ b/flask_cors/core.py -@@ -36,7 +36,7 @@ CONFIG_OPTIONS = ['CORS_ORIGINS', 'CORS_METHODS', 'CORS_ALLOW_HEADERS', - 'CORS_MAX_AGE', 'CORS_SEND_WILDCARD', - 'CORS_AUTOMATIC_OPTIONS', 'CORS_VARY_HEADER', - 'CORS_RESOURCES', 'CORS_INTERCEPT_EXCEPTIONS', -- 'CORS_ALWAYS_SEND'] -+ 'CORS_ALWAYS_SEND', 'CORS_ALLOW_PRIVATE_NETWORK'] - # Attribute added to request object by decorator to indicate that CORS - # was evaluated, in case the decorator and extension are both applied - # to a view. -@@ -56,7 +56,8 @@ DEFAULT_OPTIONS = dict(origins='*', - vary_header=True, - resources=r'/*', - intercept_exceptions=True, -- always_send=True) -+ always_send=True, -+ allow_private_network=True) - - - def parse_resources(resources): -@@ -186,7 +187,8 @@ def get_cors_headers(options, request_headers, request_method): - - if ACL_REQUEST_HEADER_PRIVATE_NETWORK in request_headers \ - and request_headers.get(ACL_REQUEST_HEADER_PRIVATE_NETWORK) == 'true': -- headers[ACL_RESPONSE_PRIVATE_NETWORK] = 'true' -+ allow_private_network = 'true' if options.get('allow_private_network') else 'false' -+ headers[ACL_RESPONSE_PRIVATE_NETWORK] = allow_private_network - - # This is a preflight request - # http://www.w3.org/TR/cors/#resource-preflight-requests -diff --git a/flask_cors/extension.py b/flask_cors/extension.py -index c00cbff..694953f 100644 ---- a/flask_cors/extension.py -+++ b/flask_cors/extension.py -@@ -136,6 +136,22 @@ class CORS(object): - - Default : True - :type vary_header: bool -+ -+ :param allow_private_network: -+ If True, the response header `Access-Control-Allow-Private-Network` -+ will be set with the value 'true' whenever 
the request header -+ `Access-Control-Request-Private-Network` has a value 'true'. -+ -+ If False, the reponse header `Access-Control-Allow-Private-Network` -+ will be set with the value 'false' whenever the request header -+ `Access-Control-Request-Private-Network` has a value of 'true'. -+ -+ If the request header `Access-Control-Request-Private-Network` is -+ not present or has a value other than 'true', the response header -+ `Access-Control-Allow-Private-Network` will not be set. -+ -+ Default : True -+ :type allow_private_network: bool - """ - - def __init__(self, app=None, **kwargs): --- -2.40.0 diff --git a/meta-python/recipes-devtools/python/python3-flask-cors_4.0.0.bb b/meta-python/recipes-devtools/python/python3-flask-cors_4.0.2.bb similarity index 73% rename from meta-python/recipes-devtools/python/python3-flask-cors_4.0.0.bb rename to meta-python/recipes-devtools/python/python3-flask-cors_4.0.2.bb index 6606b3037a..f9f13f7c40 100644 --- a/meta-python/recipes-devtools/python/python3-flask-cors_4.0.0.bb +++ b/meta-python/recipes-devtools/python/python3-flask-cors_4.0.2.bb 
@@ -7,14 +7,10 @@ SECTION = "devel/python" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE;md5=118fecaa576ab51c1520f95e98db61ce" -PYPI_PACKAGE = "Flask-Cors" +PYPI_PACKAGE = "flask_cors" UPSTREAM_CHECK_PYPI_PACKAGE = "${PYPI_PACKAGE}" -SRC_URI += " \ - file://CVE-2024-6221.patch \ -" - -SRC_URI[sha256sum] = "f268522fcb2f73e2ecdde1ef45e2fd5c71cc48fe03cffb4b441c6d1b40684eb0" +SRC_URI[sha256sum] = "493b98e2d1e2f1a4720a7af25693ef2fe32fbafec09a2f72c59f3e475eda61d2" inherit pypi setuptools3
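Review bot: the removal of file://CVE-2024-6221.patch from SRC_URI in this hunk takes the only in-recipe record of CVE-2024-6221 with it, so the upgrade should state explicitly that 4.0.2 ships that fix upstream; if the CVE database's version range does not cover 4.0.2, a CVE_STATUS[CVE-2024-6221] line of the "fixed-version:" kind used for python3-m2crypto in 06/20 would keep the record. Separately, UPSTREAM_CHECK_PYPI_PACKAGE = "${PYPI_PACKAGE}" now expands to flask_cors, so confirm the upstream version check still resolves the project under the renamed value.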
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-python][whinlatter][PATCH 03/20] python3-ldap: upgrade 3.4.4 -> 3.4.5
Date: Thu, 5 Feb 2026 07:59:38 +0100
Message-ID: <20260205065955.1267785-3-skandigraun@gmail.com>
X-Mailer: git-send-email 2.53.0
In-Reply-To: <20260205065955.1267785-1-skandigraun@gmail.com>
References: <20260205065955.1267785-1-skandigraun@gmail.com>
MIME-Version: 1.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124179

Contains fixes for CVE-2025-61911 and CVE-2025-61912

Changelog:

Security fixes:
- CVE-2025-61911 (GHSA-r7r6-cc7p-4v5m): Enforce str input in ldap.filter.escape_filter_chars with escape_mode=1; ensure proper escaping.
- CVE-2025-61912 (GHSA-p34h-wq7j-h5v6): Correct NUL escaping in ldap.dn.escape_dn_chars to \00 per RFC 4514.

Fixes:
- ReconnectLDAPObject now properly reconnects on UNAVAILABLE, CONNECT_ERROR and TIMEOUT exceptions (previously only SERVER_DOWN), fixing reconnection issues especially during server restarts
- Fixed syncrepl.py to use named constants instead of raw decimal values for result types
- Fixed error handling in SearchNoOpMixIn to prevent an undefined variable error

Tests:
- Added comprehensive reconnection test cases including concurrent operation handling and server restart scenarios

Doc:
- Updated installation docs and fixed various documentation typos
- Added ReadTheDocs configuration file

Infrastructure:
- Add testing and document support for Python 3.13

Signed-off-by: Gyorgy Sarvari
Signed-off-by: Khem Raj
(cherry picked from commit 9eabbca90565e4ae790bedeef9a91df1878c6f93)
Signed-off-by: Gyorgy Sarvari --- .../{python3-ldap_3.4.4.bb => python3-ldap_3.4.5.bb} | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) rename meta-python/recipes-networking/python/{python3-ldap_3.4.4.bb => python3-ldap_3.4.5.bb} (76%) diff --git a/meta-python/recipes-networking/python/python3-ldap_3.4.4.bb b/meta-python/recipes-networking/python/python3-ldap_3.4.5.bb similarity index 76% rename from meta-python/recipes-networking/python/python3-ldap_3.4.4.bb rename to meta-python/recipes-networking/python/python3-ldap_3.4.5.bb index aecffa9d7e..2ec49b58ec 100644 --- a/meta-python/recipes-networking/python/python3-ldap_3.4.4.bb +++ b/meta-python/recipes-networking/python/python3-ldap_3.4.5.bb 
@@ -7,13 +7,13 @@ HOMEPAGE = "https://www.python-ldap.org/" LICENSE = "PSF-2.0" LIC_FILES_CHKSUM = "file://LICENCE;md5=36ce9d726d0321b73c1521704d07db1b" -DEPENDS = "python3 openldap cyrus-sasl" +DEPENDS = "python3 openldap cyrus-sasl python3-setuptools-scm-native" -PYPI_PACKAGE = "python-ldap" +PYPI_PACKAGE = "python_ldap" -inherit pypi setuptools3 +inherit pypi python_setuptools_build_meta -SRC_URI[sha256sum] = "7edb0accec4e037797705f3a05cbf36a9fde50d08c8f67f2aef99a2628fab828" +SRC_URI[sha256sum] = "b2f6ef1c37fe2c6a5a85212efe71311ee21847766a7d45fcb711f3b270a5f79a" do_configure:prepend() { sed -i -e 's:^library_dirs =.*::' \
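Review bot: the switch from "inherit pypi setuptools3" to "inherit pypi python_setuptools_build_meta" and the new python3-setuptools-scm-native entry in DEPENDS are build-system changes that the commit message, which lists only the upstream changelog, does not mention; for a stable-branch backport they deserve a line explaining that 3.4.5 needs them. Also confirm that the do_configure:prepend() sed on library_dirs shown in the trailing context still edits a file the new build backend reads.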
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-python][whinlatter][PATCH 04/20] python3-lief: upgrade 0.17.1 -> 0.17.2
Date: Thu, 5 Feb 2026 07:59:39 +0100
Message-ID: <20260205065955.1267785-4-skandigraun@gmail.com>
X-Mailer: git-send-email 2.53.0
In-Reply-To: <20260205065955.1267785-1-skandigraun@gmail.com>
References: <20260205065955.1267785-1-skandigraun@gmail.com>
MIME-Version: 1.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124180

Contains fix for CVE-2025-15504

Changelog:
- Differentiate Mach-O FAT magic bytes and Java class
- Fix MinGW compilation for some configuration
- Fix alignment issue when rebuilding PE relocations
- Fix infinite loop when processing v2 dynamic relocation
- Ensure that added DYN ELF sections are properly aligned
- Fix GnuHash null dereference
- Fix strong performance issue when parsing certain Mach-O

Signed-off-by: Gyorgy Sarvari
Signed-off-by: Khem Raj
(cherry picked from commit cc4aa9b9d0263de0ea172db4d97ea9f98ae022b3)
Signed-off-by: Gyorgy Sarvari
--- .../python/{python3-lief_0.17.1.bb => python3-lief_0.17.2.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta-python/recipes-devtools/python/{python3-lief_0.17.1.bb => python3-lief_0.17.2.bb} (95%) diff --git a/meta-python/recipes-devtools/python/python3-lief_0.17.1.bb b/meta-python/recipes-devtools/python/python3-lief_0.17.2.bb similarity index 95% rename from meta-python/recipes-devtools/python/python3-lief_0.17.1.bb rename to meta-python/recipes-devtools/python/python3-lief_0.17.2.bb index de54d45ef2..208e81c39e 100644 --- a/meta-python/recipes-devtools/python/python3-lief_0.17.1.bb +++ b/meta-python/recipes-devtools/python/python3-lief_0.17.2.bb
@@ -5,7 +5,7 @@ LICENSE = "Apache-2.0" LIC_FILES_CHKSUM = "file://LICENSE;md5=9ab5db472ff936b441055522f5000547" SECTION = "libs" -SRCREV = "fe54643fe3d7a699c68b164dae87afb1eb059342" +SRCREV = "aa2b617f47c2f75fca9ff00b146dabbaf1b9f422" SRC_URI = " \ git://github.com/lief-project/LIEF.git;protocol=https;branch=release/0.17.x;tag=${PV} \ file://0001-build-requirements.txt-Allow-newer-versions.patch \
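Review bot: the SRCREV change on the one modified line is the whole delivery of the CVE-2025-15504 fix, yet the commit message does not say which of the listed changelog entries corresponds to that CVE; naming it would let a reader confirm the fix is in 0.17.2. Since SRC_URI carries tag=${PV} on branch=release/0.17.x, also check that aa2b617f47c2f75fca9ff00b146dabbaf1b9f422 is the commit the 0.17.2 tag points to, and that 0001-build-requirements.txt-Allow-newer-versions.patch still applies to it.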
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-python][whinlatter][PATCH 05/20] python3-m2crypto: ignore CVE-2009-0127
Date: Thu, 5 Feb 2026 07:59:40 +0100
Message-ID: <20260205065955.1267785-5-skandigraun@gmail.com>
X-Mailer: git-send-email 2.53.0
In-Reply-To: <20260205065955.1267785-1-skandigraun@gmail.com>
References: <20260205065955.1267785-1-skandigraun@gmail.com>
MIME-Version: 1.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124181

Details: https://nvd.nist.gov/vuln/detail/CVE-2009-0127

The vulnerability is disputed[1] by upstream:
"There is no vulnerability in M2Crypto. Nowhere in the functions are the return values of OpenSSL functions interpreted incorrectly. The functions provide an interface to their users that may be considered confusing, but is not incorrect, nor it is a vulnerability."

[1]: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-0127

Signed-off-by: Gyorgy Sarvari
Signed-off-by: Khem Raj
(cherry picked from commit b46a5452a1c1a417f2971e494e151fa1f4022e36)
Signed-off-by: Gyorgy Sarvari
--- meta-python/recipes-devtools/python/python3-m2crypto_0.46.2.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta-python/recipes-devtools/python/python3-m2crypto_0.46.2.bb b/meta-python/recipes-devtools/python/python3-m2crypto_0.46.2.bb index 9aac7b344f..efb6c79fa7 100644 --- a/meta-python/recipes-devtools/python/python3-m2crypto_0.46.2.bb +++ b/meta-python/recipes-devtools/python/python3-m2crypto_0.46.2.bb
@@ -12,6 +12,8 @@ SRC_URI += " \ file://0002-fix-correct-struct-packing-on-32-bit-with-_TIME_BITS.patch \ " +CVE_STATUS[CVE-2009-0127] = "disputed: upstream claims there is no bug" + inherit pypi siteinfo python_setuptools_build_meta DEPENDS += "openssl swig-native"
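Review bot: the added CVE_STATUS[CVE-2009-0127] line gives only "upstream claims there is no bug" as its reason, while the evidence (the Red Hat Bugzilla entry cited in the commit message) stays outside the recipe; a comment above the line with that URL would keep the justification next to the suppression, where the next person auditing ignored CVEs will look.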
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-python][whinlatter][PATCH 06/20] python3-m2crypto: mark CVE-2020-25657 as patched
Date: Thu, 5 Feb 2026 07:59:41 +0100
Message-ID: <20260205065955.1267785-6-skandigraun@gmail.com>
X-Mailer: git-send-email 2.53.0
In-Reply-To: <20260205065955.1267785-1-skandigraun@gmail.com>
References: <20260205065955.1267785-1-skandigraun@gmail.com>
MIME-Version: 1.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124182

Details: https://nvd.nist.gov/vuln/detail/CVE-2020-25657

The commit[1] that fixes the vulnerability has been part of the package since version 0.39.0

[1]: https://git.sr.ht/~mcepl/m2crypto/commit/84c53958def0f510e92119fca14d74f94215827a

Signed-off-by: Gyorgy Sarvari
Signed-off-by: Khem Raj
(cherry picked from commit ba6468f7a09bf8e268ea5ac7939925c362ead876)
Signed-off-by: Gyorgy Sarvari
--- meta-python/recipes-devtools/python/python3-m2crypto_0.46.2.bb | 1 + 1 file changed, 1 insertion(+) diff --git a/meta-python/recipes-devtools/python/python3-m2crypto_0.46.2.bb b/meta-python/recipes-devtools/python/python3-m2crypto_0.46.2.bb index efb6c79fa7..e534d32028 100644 --- a/meta-python/recipes-devtools/python/python3-m2crypto_0.46.2.bb +++ b/meta-python/recipes-devtools/python/python3-m2crypto_0.46.2.bb
@@ -13,6 +13,7 @@ SRC_URI += " \ " CVE_STATUS[CVE-2009-0127] = "disputed: upstream claims there is no bug" +CVE_STATUS[CVE-2020-25657] = "fixed-version: the used version (0.46.2) contains the fix already" inherit pypi siteinfo python_setuptools_build_meta
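Review bot: the reason string on the added CVE_STATUS[CVE-2020-25657] line hard-codes "(0.46.2)", which will be wrong as soon as the recipe is upgraded and the line is carried over unchanged; the commit message already has the durable fact, that the fix has been part of the package since 0.39.0, so a reason such as "fixed-version: fixed since 0.39.0" would stay accurate across version bumps.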
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-python][whinlatter][PATCH 07/20] python3-marshmallow: upgrade 4.1.0 -> 4.1.1
Date: Thu, 5 Feb 2026 07:59:42 +0100
Message-ID: <20260205065955.1267785-7-skandigraun@gmail.com>
X-Mailer: git-send-email 2.53.0
In-Reply-To: <20260205065955.1267785-1-skandigraun@gmail.com>
References: <20260205065955.1267785-1-skandigraun@gmail.com>
MIME-Version: 1.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124183

From: Wang Mingyu

Bug fix: Ensure URL validator is case-insensitive when using custom schemes

Signed-off-by: Wang Mingyu
Signed-off-by: Khem Raj
(cherry picked from commit 39335015913a8bcc1b40fb7318334f626a9b8285)
Signed-off-by: Gyorgy Sarvari
--- ...ython3-marshmallow_4.1.0.bb => python3-marshmallow_4.1.1.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta-python/recipes-devtools/python/{python3-marshmallow_4.1.0.bb => python3-marshmallow_4.1.1.bb} (91%) diff --git a/meta-python/recipes-devtools/python/python3-marshmallow_4.1.0.bb b/meta-python/recipes-devtools/python/python3-marshmallow_4.1.1.bb similarity index 91% rename from meta-python/recipes-devtools/python/python3-marshmallow_4.1.0.bb rename to meta-python/recipes-devtools/python/python3-marshmallow_4.1.1.bb index d1cd21d52c..2919897dc3 100644 --- a/meta-python/recipes-devtools/python/python3-marshmallow_4.1.0.bb +++ b/meta-python/recipes-devtools/python/python3-marshmallow_4.1.1.bb
@@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "\ file://LICENSE;md5=27586b20700d7544c06933afe56f7df4 \ file://docs/license.rst;md5=13da439ad060419fb7cf364523017cfb" -SRC_URI[sha256sum] = "daa9862f74e2f7864980d25c29b4ea72944cde48aa17537e3bd5797a4ae62d71" +SRC_URI[sha256sum] = "550aa14b619072f0a8d8184911b3f1021c5c32587fb27318ddf81ce0d0029c9d" inherit python_flit_core pypi ptest-python-pytest
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-python][whinlatter][PATCH 08/20] python3-marshmallow: upgrade 4.1.1 -> 4.1.2
Date: Thu, 5 Feb 2026 07:59:43 +0100
Message-ID: <20260205065955.1267785-8-skandigraun@gmail.com>
X-Mailer: git-send-email 2.53.0
In-Reply-To: <20260205065955.1267785-1-skandigraun@gmail.com>
References: <20260205065955.1267785-1-skandigraun@gmail.com>
MIME-Version: 1.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124184

From: Wang Mingyu

Changelog:
Merge error store messages without rebuilding collections.

Signed-off-by: Wang Mingyu
Signed-off-by: Khem Raj
(cherry picked from commit 54691ea40a98cc617d374d8368c665d103ceaf07)

Contains fix for CVE-2025-68480
Signed-off-by: Gyorgy Sarvari
--- ...ython3-marshmallow_4.1.1.bb => python3-marshmallow_4.1.2.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta-python/recipes-devtools/python/{python3-marshmallow_4.1.1.bb => python3-marshmallow_4.1.2.bb} (91%) diff --git a/meta-python/recipes-devtools/python/python3-marshmallow_4.1.1.bb b/meta-python/recipes-devtools/python/python3-marshmallow_4.1.2.bb similarity index 91% rename from meta-python/recipes-devtools/python/python3-marshmallow_4.1.1.bb rename to meta-python/recipes-devtools/python/python3-marshmallow_4.1.2.bb index 2919897dc3..f3a905a36c 100644 --- a/meta-python/recipes-devtools/python/python3-marshmallow_4.1.1.bb +++ b/meta-python/recipes-devtools/python/python3-marshmallow_4.1.2.bb
@@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "\ file://LICENSE;md5=27586b20700d7544c06933afe56f7df4 \ file://docs/license.rst;md5=13da439ad060419fb7cf364523017cfb" -SRC_URI[sha256sum] = "550aa14b619072f0a8d8184911b3f1021c5c32587fb27318ddf81ce0d0029c9d" +SRC_URI[sha256sum] = "083f250643d2e75fd363f256aeb6b1af369a7513ad37647ce4a601f6966e3ba5" inherit python_flit_core pypi ptest-python-pytest From patchwork Thu Feb 5 06:59:44 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 80479 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id E151BE91276 for ; Thu, 5 Feb 2026 07:00:08 +0000 (UTC) Received: from mail-wm1-f44.google.com (mail-wm1-f44.google.com [209.85.128.44]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.15257.1770274804552842138 for ; Wed, 04 Feb 2026 23:00:04 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=O6WnwW0J; spf=pass (domain: gmail.com, ip: 209.85.128.44, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f44.google.com with SMTP id 5b1f17b1804b1-47ee07570deso4458265e9.1 for ; Wed, 04 Feb 2026 23:00:04 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1770274803; x=1770879603; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=EjE5kP7zbWCqrsHcF9D4zhC8/PTxNlo2MhAhyZzt6gE=; b=O6WnwW0Jtt+Ze6LuF+VosZZKl4B9pMa0L3bNygb1RowT1JVnJahRorfYCTsEqt8KOX /gD/5i/tX1gT5yT0ur+AWElMI6DTHa0sBqTb/uc4cPjvWmDn6BadLJGEMJwGMN1hhSR7 hfiAZGrT4S3qMwIFB4AfU+DDqlQI6pTOn6yAzwIV2uP6CDLpM3/n0s+/p9gb3sW8832Y 
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-python][whinlatter][PATCH 09/20] python3-orjson: upgrade 3.10.17 -> 3.10.18 Date: Thu, 5 Feb 2026 07:59:44 +0100 Message-ID: <20260205065955.1267785-9-skandigraun@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260205065955.1267785-1-skandigraun@gmail.com> References: <20260205065955.1267785-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 05 Feb 2026 07:00:08 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124185 Changelog: Fix incorrect escaping of the vertical tabulation character. This was introduced in 3.10.17. Signed-off-by: Gyorgy Sarvari --- .../{python3-orjson_3.10.17.bb => python3-orjson_3.10.18.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta-python/recipes-devtools/python/{python3-orjson_3.10.17.bb => python3-orjson_3.10.18.bb} (84%) diff --git a/meta-python/recipes-devtools/python/python3-orjson_3.10.17.bb b/meta-python/recipes-devtools/python/python3-orjson_3.10.18.bb similarity index 84% rename from meta-python/recipes-devtools/python/python3-orjson_3.10.17.bb rename to meta-python/recipes-devtools/python/python3-orjson_3.10.18.bb index 7db76c9415..1a8c369879 100644 --- a/meta-python/recipes-devtools/python/python3-orjson_3.10.17.bb +++ b/meta-python/recipes-devtools/python/python3-orjson_3.10.18.bb 
@@ -3,7 +3,7 @@ HOMEPAGE = "https://pypi.org/project/orjson/" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE-MIT;md5=b377b220f43d747efdec40d69fcaa69d" -SRC_URI[sha256sum] = "28eeae6a15243966962b658dfcf7bae9e7bb1f3260dfcf0370dbd41f5ff6058b" +SRC_URI[sha256sum] = "e8da3947d92123eda795b68228cafe2724815621fe35e8e320a9e9593a4bcd53" require ${BPN}-crates.inc From patchwork Thu Feb 5 06:59:45 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 80482 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id F3CE2E91277 for ; Thu, 5 Feb 2026 07:00:08 +0000 (UTC) Received: from mail-wm1-f42.google.com (mail-wm1-f42.google.com [209.85.128.42]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.15258.1770274805388728139 for ; Wed, 04 Feb 2026 23:00:05 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=FowvGti3; spf=pass (domain: gmail.com, ip: 209.85.128.42, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f42.google.com with SMTP id 5b1f17b1804b1-4807068eacbso4596375e9.2 for ; Wed, 04 Feb 2026 23:00:05 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1770274804; x=1770879604; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=dv4S1W2lyrtVPtQ7mUq5Db8PAaS9WMqldaxu9U/T0ac=; b=FowvGti3aCbuQ8FCn/Rm9GFi4lbqxDaHpKj2fEIKjaOLSLsM5Yg/thIW5l96jk9EDg lEvoP6VB/OwRS1J7RWzb7y8CFEC4bF5BVh9+OIXrkG/1L/MnWa8/K60iJbSrYrcQCDeh za+z/A8vilu969C6PHKWjMLGPzDD/RoqVMHKQrylqdjCdyKgIrmTbdufuG+ESOesdFMc NStGGF+i95IsytH77bde8N0tELpMiNuNzuG0lHFeTCJhOLpz5DR+qXorgymwt+/7s8Wz 
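Review bot: the context line "require ${BPN}-crates.inc" shows that this recipe pins its Rust crates in a separate include, yet the diffstat reports one file changed and only SRC_URI[sha256sum] moves. Please confirm the crate list is unchanged between 3.10.17 and 3.10.18, or regenerate the crates include in the same commit so the pinned dependencies match what this release builds against. Unlike most patches in this series, the commit message also has no "(cherry picked from commit ...)" line, so please say whether the upgrade is already in master.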
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-python][whinlatter][PATCH 10/20] python3-py: ignore CVE-2022-42969 Date: Thu, 5 Feb 2026 07:59:45 +0100 Message-ID: <20260205065955.1267785-10-skandigraun@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260205065955.1267785-1-skandigraun@gmail.com> References: <20260205065955.1267785-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 05 Feb 2026 07:00:08 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124186 Details: https://nvd.nist.gov/vuln/detail/CVE-2022-42969 Upstream could not reproduce the issue. The vulnerability currently has the "disputed" flag in the NVD database, and GitHub has revoked their related advisory[1]. Ignore this CVE due to this. [1]: https://github.com/advisories/GHSA-w596-4wvx-j9j6 Signed-off-by: Gyorgy Sarvari Signed-off-by: Khem Raj (cherry picked from commit 91f6b85b36316d5940ee194b1d195caf3ac040b1) Signed-off-by: Gyorgy Sarvari --- meta-python/recipes-devtools/python/python3-py_1.11.0.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta-python/recipes-devtools/python/python3-py_1.11.0.bb b/meta-python/recipes-devtools/python/python3-py_1.11.0.bb index e0ef71df83..6397114637 100644 --- a/meta-python/recipes-devtools/python/python3-py_1.11.0.bb +++ b/meta-python/recipes-devtools/python/python3-py_1.11.0.bb 
@@ -5,6 +5,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=a6bb0320b04a0a503f12f69fea479de9" SRC_URI[sha256sum] = "51c75c4126074b472f746a24399ad32f6053d1b34b68d2fa41e558e6f4a98719" +CVE_STATUS[CVE-2022-42969] = "disputed: upstream could not reproduce it, github also revoked the advisory" + DEPENDS += "python3-setuptools-scm-native" inherit pypi python_setuptools_build_meta From patchwork Thu Feb 5 06:59:46 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 80478 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id F0E98E91279 for ; Thu, 5 Feb 2026 07:00:08 +0000 (UTC) Received: from mail-wm1-f46.google.com (mail-wm1-f46.google.com [209.85.128.46]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.15259.1770274805902625638 for ; Wed, 04 Feb 2026 23:00:06 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=alMfSPGS; spf=pass (domain: gmail.com, ip: 209.85.128.46, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f46.google.com with SMTP id 5b1f17b1804b1-48068127f00so5078165e9.3 for ; Wed, 04 Feb 2026 23:00:05 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1770274804; x=1770879604; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=BQA4u+dvwiqOkkhiCnp2dcfLcLwiXx6cJF/W1pbEeWc=; b=alMfSPGSZfTmL9iuYYI8TW3U7Z8YSLgGVg8fl2n8V3Xd/88Bdv5ciocz1hse6nTDgx DfI9lSEYzB29NoB5tYs+zLEKohlm5WCmLq3fqVy/fdEyvpQv4NuDz+4a3FbtfGbwY2vD sFkJYK2qD0miSEVVlt5FSMajg5n5UMVoBWMrXzhXd9mwcIBPmEgfK28b4WuxLHefHt5j Cx8xV+QwY0+pBJIz3XWAxMOJhaSFUbafet8rN7hM29oZnj8lZpLYVl4DkIYJDMwLOLWt 
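Review bot: the reason on the added CVE_STATUS[CVE-2022-42969] line cites the revoked GitHub advisory, but the advisory link exists only in the commit message and is lost to anyone reading the recipe. A comment above the assignment carrying the NVD and GHSA URLs from the commit message would let a later audit recheck whether the entry is still flagged as disputed before the exemption is carried to the next release.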
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-python][whinlatter][PATCH 11/20] python3-pyjwt: ignore CVE-2025-45768 Date: Thu, 5 Feb 2026 07:59:46 +0100 Message-ID: <20260205065955.1267785-11-skandigraun@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260205065955.1267785-1-skandigraun@gmail.com> References: <20260205065955.1267785-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 05 Feb 2026 07:00:08 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124187 Details: https://nvd.nist.gov/vuln/detail/CVE-2025-45768 The CVE is disputed: though the vulnerability is there, it comes from incorrect configuration of the library by the main application. Due to this, ignore this CVE. Signed-off-by: Gyorgy Sarvari --- meta-python/recipes-devtools/python/python3-pyjwt_2.10.1.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta-python/recipes-devtools/python/python3-pyjwt_2.10.1.bb b/meta-python/recipes-devtools/python/python3-pyjwt_2.10.1.bb index d23347878e..3954c526f5 100644 --- a/meta-python/recipes-devtools/python/python3-pyjwt_2.10.1.bb +++ b/meta-python/recipes-devtools/python/python3-pyjwt_2.10.1.bb 
@@ -8,6 +8,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=e4b56d2c9973d8cf54655555be06e551" SRC_URI[sha256sum] = "3cc5772eb20009233caf06e9d8a0577824723b44e6648ee0a2aedb6cf9381953" PYPI_PACKAGE = "pyjwt" +CVE_STATUS[CVE-2025-45768] = "disputed: vulnerability can be avoided if the library is used correctly" + inherit pypi python_setuptools_build_meta RDEPENDS:${PN} = "\ From patchwork Thu Feb 5 06:59:47 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 80481 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0D35DE9127D for ; Thu, 5 Feb 2026 07:00:09 +0000 (UTC) Received: from mail-wm1-f54.google.com (mail-wm1-f54.google.com [209.85.128.54]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.15344.1770274807212606650 for ; Wed, 04 Feb 2026 23:00:07 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=Tps+FI40; spf=pass (domain: gmail.com, ip: 209.85.128.54, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f54.google.com with SMTP id 5b1f17b1804b1-482f2599980so6286305e9.0 for ; Wed, 04 Feb 2026 23:00:06 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1770274805; x=1770879605; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=T3y0NuSZqzH0vvj4XtJpZi8GiCq6BPP24adBeJlooZY=; b=Tps+FI40p4zRy/fQnHijfasXLq4O3BDuigZ06aeL+d8QflJRD3MuBk/3J+Zbge6wyU sufBZxwqeNjAYJ+AWp9N8nFxxTfVuW5HmWX2D7QIbdWGUfh2BPX31eaZ2Yi52J2lHDpo tl0gQniQ9DZdHB0pUZXjPEPCmBpgWwWRQkpGLJNBUDXOkUmO6ICEjAvbgt5GDqjOBlot 0Ke0sPMmvDtJoLRmt8OtESLJPn5uF0o57FrHS9Cm51y5wj7TM6fIGiunQfVSy1UcE28I 
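Review bot: the reason string on the added CVE_STATUS[CVE-2025-45768] line, "vulnerability can be avoided if the library is used correctly", does not say what correct use is, while the commit message itself states that the vulnerability is there. Because this status silences the CVE for every image that ships the recipe, please name the configuration the application has to get right, either in the reason or in a comment above it, so integrators know what to audit in their own code. The commit message also has no "(cherry picked from commit ...)" line, so please say whether the same change is in master.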
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-python][whinlatter][PATCH 12/20] python3-tornado: upgrade 6.5.2 -> 6.5.3 Date: Thu, 5 Feb 2026 07:59:47 +0100 Message-ID: <20260205065955.1267785-12-skandigraun@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260205065955.1267785-1-skandigraun@gmail.com> References: <20260205065955.1267785-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 05 Feb 2026 07:00:09 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124188 From: Wang Mingyu Signed-off-by: Wang Mingyu Signed-off-by: Khem Raj (cherry picked from commit 8ba97b66461e6dc9c8b073e43286932394d53ed0) Changelog: https://github.com/tornadoweb/tornado/blob/master/docs/releases/v6.5.3.rst - Fix CVE-2025-67724, CVE-2025-67725 and CVE-2025-67726 - Fix open redirect vulnerabilities in demos - Fix path traversal vulnerabilities in demos Signed-off-by: Gyorgy Sarvari --- .../{python3-tornado_6.5.2.bb => python3-tornado_6.5.3.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta-python/recipes-devtools/python/{python3-tornado_6.5.2.bb => python3-tornado_6.5.3.bb} (93%) diff --git a/meta-python/recipes-devtools/python/python3-tornado_6.5.2.bb b/meta-python/recipes-devtools/python/python3-tornado_6.5.3.bb similarity index 93% rename from meta-python/recipes-devtools/python/python3-tornado_6.5.2.bb rename to meta-python/recipes-devtools/python/python3-tornado_6.5.3.bb index f915dd5658..fedd2700a7 100644 --- a/meta-python/recipes-devtools/python/python3-tornado_6.5.2.bb +++ b/meta-python/recipes-devtools/python/python3-tornado_6.5.3.bb 
@@ -6,7 +6,7 @@ HOMEPAGE = "https://www.tornadoweb.org/en/stable/" LICENSE = "Apache-2.0" LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57" -SRC_URI[sha256sum] = "ab53c8f9a0fa351e2c0741284e06c7a45da86afb544133201c5cc8578eb076a0" +SRC_URI[sha256sum] = "16abdeb0211796ffc73765bc0a20119712d68afeeaf93d1a3f2edf6b3aee8d5a" inherit pypi python_setuptools_build_meta From patchwork Thu Feb 5 06:59:48 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 80483 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 20765E91280 for ; Thu, 5 Feb 2026 07:00:09 +0000 (UTC) Received: from mail-wm1-f42.google.com (mail-wm1-f42.google.com [209.85.128.42]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.15260.1770274807294480049 for ; Wed, 04 Feb 2026 23:00:07 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=afufIK2y; spf=pass (domain: gmail.com, ip: 209.85.128.42, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f42.google.com with SMTP id 5b1f17b1804b1-47fedb7c68dso4876245e9.2 for ; Wed, 04 Feb 2026 23:00:07 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1770274806; x=1770879606; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=+fpJrWFvuNeMvt8MrL9VUaEnOQAUvNfSI/tAHhXlrV8=; b=afufIK2y8p7FMtoauzELZIM7ZAmSLcBA0ff8Aksm9KW04ZAq2RBqQxpy6tsZsIpEhY r6rygA0FXSEAiOv8lkSqkBKwRsLseKok0yTYaq8f8QozRHanXcwqFoUhfgioEknxUNX3 6shrhrsO1ljsnw7bOLu8CijHcwkrlOfGKmVuysuhuH5nhRhN6X37FaKuVy7ZlC3yRKm/ 
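Review bot: the +SRC_URI[sha256sum] value set here is replaced again by patch 13/20, whose commit message describes a regression introduced in 6.5.3 (the "in" operator for "HTTPHeaders" became case-sensitive). Applying this patch without 13/20 would leave the branch on a release with a known header-lookup regression, so consider squashing the two into a single 6.5.2 -> 6.5.4 upgrade that keeps the CVE-2025-67724, CVE-2025-67725 and CVE-2025-67726 references in its commit message.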
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-python][whinlatter][PATCH 13/20] python3-tornado: upgrade 6.5.3 -> 6.5.4 Date: Thu, 5 Feb 2026 07:59:48 +0100 Message-ID: <20260205065955.1267785-13-skandigraun@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260205065955.1267785-1-skandigraun@gmail.com> References: <20260205065955.1267785-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 05 Feb 2026 07:00:09 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124189 From: Wang Mingyu Bug fixes ~~~~~~~~~ - The "in" operator for "HTTPHeaders" was incorrectly case-sensitive, causing lookups to fail for headers with different casing than the original header name. This was a regression in version 6.5.3 and has been fixed to restore the intended case-insensitive behavior from version 6.5.2 and earlier. Signed-off-by: Wang Mingyu Signed-off-by: Khem Raj (cherry picked from commit ebca0ae79d15c5d5f1489a8b5de18c810891e7e4) Signed-off-by: Gyorgy Sarvari --- .../{python3-tornado_6.5.3.bb => python3-tornado_6.5.4.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta-python/recipes-devtools/python/{python3-tornado_6.5.3.bb => python3-tornado_6.5.4.bb} (93%) diff --git a/meta-python/recipes-devtools/python/python3-tornado_6.5.3.bb b/meta-python/recipes-devtools/python/python3-tornado_6.5.4.bb similarity index 93% rename from meta-python/recipes-devtools/python/python3-tornado_6.5.3.bb rename to meta-python/recipes-devtools/python/python3-tornado_6.5.4.bb index fedd2700a7..9b43d98e1c 100644 --- a/meta-python/recipes-devtools/python/python3-tornado_6.5.3.bb +++ b/meta-python/recipes-devtools/python/python3-tornado_6.5.4.bb 
@@ -6,7 +6,7 @@ HOMEPAGE = "https://www.tornadoweb.org/en/stable/" LICENSE = "Apache-2.0" LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57" -SRC_URI[sha256sum] = "16abdeb0211796ffc73765bc0a20119712d68afeeaf93d1a3f2edf6b3aee8d5a" +SRC_URI[sha256sum] = "a22fa9047405d03260b483980635f0b041989d8bcc9a313f8fe18b411d84b1d7" inherit pypi python_setuptools_build_meta From patchwork Thu Feb 5 06:59:49 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 80485 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 28395E9127F for ; Thu, 5 Feb 2026 07:00:09 +0000 (UTC) Received: from mail-wm1-f44.google.com (mail-wm1-f44.google.com [209.85.128.44]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.15261.1770274808031252590 for ; Wed, 04 Feb 2026 23:00:08 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=IHy+VyiR; spf=pass (domain: gmail.com, ip: 209.85.128.44, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f44.google.com with SMTP id 5b1f17b1804b1-4805ef35864so4532385e9.0 for ; Wed, 04 Feb 2026 23:00:07 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1770274806; x=1770879606; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=FLtYMa/0mFLZQzN3dEAOklD5R3nsx/ab7SlECvngNWk=; b=IHy+VyiR8UfvrLXnETiFMiwJVI6RDaqlV8ij5Ci2bnLCJy6jJ0F8jZ3oqBRzd1S+Kt QyWjk+ZZFfZH0pO2lyznMH1yTAlkbkQ9Ess/guCjZNkF4ylvlLqhr7ukur4WWJxVQO2c kBi4u7f6pzVyyR9V/zsEmT7U1Rj3EqeWPHFo72Rf8jZ/hccadOplO63Kofv7W4HkW0Uh 
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-python][whinlatter][PATCH 14/20] python3-twitter: mark CVE-2012-5825 patched Date: Thu, 5 Feb 2026 07:59:49 +0100 Message-ID: <20260205065955.1267785-14-skandigraun@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260205065955.1267785-1-skandigraun@gmail.com> References: <20260205065955.1267785-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 05 Feb 2026 07:00:09 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124190 Details: https://nvd.nist.gov/vuln/detail/CVE-2012-5825 The Debian bugtracker[1] indicated that the issue is tracked by upstream in GitHub[2] (with a different CVE ID, but same issue), where the vulnerability was confirmed. Later in the same GitHub issue the solution is confirmed: the project switched to use the requests library, which doesn't suffer from this vulnerability. Due to this, mark the CVE as patched. [1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692444 [2]: https://github.com/tweepy/tweepy/issues/279 Signed-off-by: Gyorgy Sarvari Signed-off-by: Khem Raj (cherry picked from commit 3ee544e7591b36a49550a263a0ec4d64b5e490e8) Signed-off-by: Gyorgy Sarvari --- meta-python/recipes-devtools/python/python3-twitter_4.16.0.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta-python/recipes-devtools/python/python3-twitter_4.16.0.bb b/meta-python/recipes-devtools/python/python3-twitter_4.16.0.bb index 54379673c0..78a2b70ab3 100644 --- a/meta-python/recipes-devtools/python/python3-twitter_4.16.0.bb +++ b/meta-python/recipes-devtools/python/python3-twitter_4.16.0.bb 
@@ -17,3 +17,5 @@ RDEPENDS:${PN} += "\ python3-requests-oauthlib \ python3-six \ " + +CVE_STATUS[CVE-2012-5825] = "fixed-version: The vulnerability has been fixed since v3.1.0" From patchwork Thu Feb 5 06:59:50 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 80488 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3B656E91272 for ; Thu, 5 Feb 2026 07:00:19 +0000 (UTC) Received: from mail-wm1-f41.google.com (mail-wm1-f41.google.com [209.85.128.41]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.15262.1770274808912226019 for ; Wed, 04 Feb 2026 23:00:09 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=SFPWzAVB; spf=pass (domain: gmail.com, ip: 209.85.128.41, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f41.google.com with SMTP id 5b1f17b1804b1-4807068eacbso4597385e9.2 for ; Wed, 04 Feb 2026 23:00:08 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1770274807; x=1770879607; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=SVu3UkV/ukG+hvs97x2l4hvdQ8IS0cJvMCg6dDWoIrw=; b=SFPWzAVBIwmPLBhIbfz0fvoNqb2sT39vJH2HR372TX2JOBFIXVSSz+SwoO2AoR6Aeg FKdtq9PVjKL0bDFdDUiQjihumNJVF/M+g8tfG/KIUSUMwslB0ILsLh5XuFvFNKrBo0h+ ZfsZmYXBZSIq0v+SHkVeVslieq3RZm4znCK5Y8bqZZwvnHCFPUcMw7PDHgUty0ojLO7m r5Ce7wQvCS6KYFkBUPbeklIb4FFZ9hQZpXa4j55A5Fan+KbXbVKrnqDz4IfxUZp6UsdZ lvOiex7LWhYES3jlut1WNBvCQa7yBoPYVGmhzIF62luI0/IUtq+uNMcBew2htSlnBiM7 OIbA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1770274807; x=1770879607; 
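Review bot: the added CVE_STATUS[CVE-2012-5825] line asserts "fixed since v3.1.0", but the commit message never mentions that version; it only says the project switched to the requests library and links the upstream issue. Please cite where v3.1.0 comes from (the release or commit that made the switch), ideally as a comment above the assignment. The commit message also notes that upstream tracks this under a different CVE ID, so it is worth checking whether that ID needs its own CVE_STATUS entry.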
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-python][whinlatter][PATCH 15/20] python3-uvicorn: mark CVE-2020-7694 patched
Date: Thu, 5 Feb 2026 07:59:50 +0100
Message-ID: <20260205065955.1267785-15-skandigraun@gmail.com>
In-Reply-To: <20260205065955.1267785-1-skandigraun@gmail.com>
References: <20260205065955.1267785-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124191

Details: https://nvd.nist.gov/vuln/detail/CVE-2020-7694

The vulnerability was reported to the project[1], and the commit[2] that resolved the issue has been part of the project since version 0.11.7.

Mark the CVE as patched due to this.

[1]: https://github.com/Kludex/uvicorn/issues/723
[2]: https://github.com/Kludex/uvicorn/commit/895807f94ea9a8e588605c12076b7d7517cda503

Signed-off-by: Gyorgy Sarvari
Signed-off-by: Khem Raj
(cherry picked from commit a5ee234b8cf06b6385a9bf1eb5b60d6171a993c9)
Signed-off-by: Gyorgy Sarvari
---
 meta-python/recipes-devtools/python/python3-uvicorn_0.38.0.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta-python/recipes-devtools/python/python3-uvicorn_0.38.0.bb b/meta-python/recipes-devtools/python/python3-uvicorn_0.38.0.bb index b0ce49be97..ee295abf5d 100644 --- a/meta-python/recipes-devtools/python/python3-uvicorn_0.38.0.bb +++ b/meta-python/recipes-devtools/python/python3-uvicorn_0.38.0.bb
@@ -11,6 +11,7 @@ SRC_URI += "file://0001-ptest-disable-failing-tests.patch" inherit pypi python_hatchling ptest-python-pytest PYPI_PACKAGE = "uvicorn" +CVE_STATUS[CVE-2020-7694] = "fixed-version: The vulnerability has been fixed since 0.11.7" RDEPENDS:${PN} = "\ python3-click \
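Review bot: the reason string on the added CVE_STATUS[CVE-2020-7694] line carries only the version number, while the evidence for it (the upstream issue and the fixing commit 895807f94ea9a8e588605c12076b7d7517cda503) exists only in the commit message. Someone auditing the recipe later sees "fixed since 0.11.7" with no pointer; a one-line comment above the assignment with the commit or NVD URL would make the claim checkable in place. The version is also written without a prefix here ("0.11.7") but with one in patch 14/20 ("v3.1.0"); using one style across the series keeps the CVE_STATUS strings consistent.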
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-python][whinlatter][PATCH 16/20] python3-virtualenv: patch CVE-2026-22702
Date: Thu, 5 Feb 2026 07:59:51 +0100
Message-ID: <20260205065955.1267785-16-skandigraun@gmail.com>
In-Reply-To: <20260205065955.1267785-1-skandigraun@gmail.com>
References: <20260205065955.1267785-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124192

Details: https://nvd.nist.gov/vuln/detail/CVE-2026-22702

Backport the patch that is referenced by the NVD advisory.

Signed-off-by: Gyorgy Sarvari
---
 .../python3-virtualenv/CVE-2026-22702.patch | 60 +++++++++++++++++++
 .../python/python3-virtualenv_20.35.4.bb | 1 +
 2 files changed, 61 insertions(+)
 create mode 100644 meta-python/recipes-devtools/python/python3-virtualenv/CVE-2026-22702.patch

diff --git a/meta-python/recipes-devtools/python/python3-virtualenv/CVE-2026-22702.patch b/meta-python/recipes-devtools/python/python3-virtualenv/CVE-2026-22702.patch new file mode 100644 index 0000000000..a0b6d80a42 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-virtualenv/CVE-2026-22702.patch
@@ -0,0 +1,60 @@ +From 2e9f44a74a8adbaf641475c58f1cfa1bb7ab15e1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Bern=C3=A1t=20G=C3=A1bor?= +Date: Fri, 9 Jan 2026 10:19:39 -0800 +Subject: [PATCH] Merge pull request #3013 from gaborbernat/fix-sec + +CVE: CVE-2026-22702 +Upstream-Status: Backport [https://github.com/pypa/virtualenv/commit/dec4cec5d16edaf83a00a658f32d1e032661cebc] +Signed-off-by: Gyorgy Sarvari +--- + src/virtualenv/app_data/__init__.py | 11 +++++------ + src/virtualenv/util/lock.py | 7 +++---- + 2 files changed, 8 insertions(+), 10 deletions(-) + +diff --git a/src/virtualenv/app_data/__init__.py b/src/virtualenv/app_data/__init__.py +index d7f1480..7a9d38e 100644 +--- a/src/virtualenv/app_data/__init__.py ++++ b/src/virtualenv/app_data/__init__.py +@@ -36,12 +36,11 @@ def make_app_data(folder, **kwargs): + if is_read_only: + return ReadOnlyAppData(folder) + +- if not os.path.isdir(folder): +- try: +- os.makedirs(folder) +- LOGGER.debug("created app data folder %s", folder) +- except OSError as exception: +- LOGGER.info("could not create app data folder %s due to %r", folder, exception) ++ try: ++ os.makedirs(folder, exist_ok=True) ++ LOGGER.debug("created app data folder %s", folder) ++ except OSError as exception: ++ LOGGER.info("could not create app data folder %s due to %r", folder, exception) + + if os.access(folder, os.W_OK): + return AppDataDiskFolder(folder) +diff --git a/src/virtualenv/util/lock.py b/src/virtualenv/util/lock.py +index b250e03..82c8eed 100644 +--- a/src/virtualenv/util/lock.py ++++ b/src/virtualenv/util/lock.py +@@ -17,9 +17,8 @@ LOGGER = logging.getLogger(__name__) + class _CountedFileLock(FileLock): + def __init__(self, lock_file) -> None: + parent = os.path.dirname(lock_file) +- if not os.path.isdir(parent): +- with suppress(OSError): +- os.makedirs(parent) ++ with suppress(OSError): ++ os.makedirs(parent, exist_ok=True) + + super().__init__(lock_file) + self.count = 0 +@@ -117,7 +116,7 @@ class ReentrantFileLock(PathLockBase): + 
# a lock, but that lock might then become expensive, and it's not clear where that lock should live. + # Instead here we just ignore if we fail to create the directory. + with suppress(OSError): +- os.makedirs(str(self.path)) ++ os.makedirs(str(self.path), exist_ok=True) + + try: + lock.acquire(0.0001) diff --git a/meta-python/recipes-devtools/python/python3-virtualenv_20.35.4.bb b/meta-python/recipes-devtools/python/python3-virtualenv_20.35.4.bb index 28444f12c4..e40aa98863 100644 --- a/meta-python/recipes-devtools/python/python3-virtualenv_20.35.4.bb +++ b/meta-python/recipes-devtools/python/python3-virtualenv_20.35.4.bb 
@@ -6,6 +6,7 @@ HOMEPAGE = "https://github.com/pypa/virtualenv" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE;md5=0ce089158cf60a8ab6abb452b6405538" +SRC_URI += "file://CVE-2026-22702.patch" SRC_URI[sha256sum] = "643d3914d73d3eeb0c552cbb12d7e82adf0e504dbf86a3182f8771a153a1971c" BBCLASSEXTEND = "native nativesdk"
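Review bot: in the src/virtualenv/app_data/__init__.py hunk of the backported patch, LOGGER.debug("created app data folder %s", folder) now runs every time os.makedirs(folder, exist_ok=True) returns, including when the folder already existed, because the os.path.isdir() guard around it was removed. The debug line therefore no longer tells you whether this process created the directory. The backport should stay identical to the upstream commit named in Upstream-Status, so this is a point to raise upstream (for example rewording the message) rather than something to change in the recipe's copy.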
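Review bot: in the src/virtualenv/util/lock.py hunks both os.makedirs(..., exist_ok=True) calls stay inside suppress(OSError), so a path that exists but is not a directory (which still raises FileExistsError with exist_ok=True) or a permission failure is swallowed and only surfaces later when the lock is taken. That behaviour predates the patch, but neither the OE commit message ("Backport the patch that is referenced by the NVD advisory") nor the embedded patch header (subject "Merge pull request #3013 from gaborbernat/fix-sec") says what the change protects against. One sentence in the commit message describing the removed isdir()-then-makedirs() sequence would let a stable-branch reviewer judge the fix without opening the advisory.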
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-python][whinlatter][PATCH 17/20] python3-werkzeug: upgrade 3.1.3 -> 3.1.4
Date: Thu, 5 Feb 2026 07:59:52 +0100
Message-ID: <20260205065955.1267785-17-skandigraun@gmail.com>
In-Reply-To: <20260205065955.1267785-1-skandigraun@gmail.com>
References: <20260205065955.1267785-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124193

From: Wang Mingyu

Changelog:
==============
- safe_join on Windows does not allow special device names. This prevents reading from these when using send_from_directory. secure_filename already prevented writing to these.
- The debugger pin fails after 10 attempts instead of 11.
- The multipart form parser handles a \r\n sequence at a chunk boundary.
- Improve CPU usage during Watchdog reloader.
- Request.json annotation is more accurate.
- Traceback rendering handles when the line number is beyond the available source lines.
- HTTPException.get_response annotation and doc better conveys the distinction between WSGI and sans-IO responses.

Signed-off-by: Wang Mingyu
Signed-off-by: Khem Raj
(cherry picked from commit 74aa2bdac6d658791af34881f291d91aa4dc57ba)

Contains fix for CVE-2025-66221.

From the release notes:
This is the Werkzeug 3.1.4 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

Signed-off-by: Gyorgy Sarvari
---
 .../{python3-werkzeug_3.1.3.bb => python3-werkzeug_3.1.4.bb} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta-python/recipes-devtools/python/{python3-werkzeug_3.1.3.bb => python3-werkzeug_3.1.4.bb} (90%)
diff --git a/meta-python/recipes-devtools/python/python3-werkzeug_3.1.3.bb b/meta-python/recipes-devtools/python/python3-werkzeug_3.1.4.bb similarity index 90% rename from meta-python/recipes-devtools/python/python3-werkzeug_3.1.3.bb rename to meta-python/recipes-devtools/python/python3-werkzeug_3.1.4.bb index 73029eccc7..2cfb5864b1 100644 --- a/meta-python/recipes-devtools/python/python3-werkzeug_3.1.3.bb +++ b/meta-python/recipes-devtools/python/python3-werkzeug_3.1.4.bb 
@@ -10,7 +10,7 @@ HOMEPAGE = "https://werkzeug.palletsprojects.com" LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=5dc88300786f1c214c1e9827a5229462" -SRC_URI[sha256sum] = "60723ce945c19328679790e3282cc758aa4a6040e4bb330f53d30fa546d44746" +SRC_URI[sha256sum] = "cd3cd98b1b92dc3b7b3995038826c68097dcb16f9baa63abe35f20eafeb9fe5e" inherit pypi python_flit_core
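Review bot: this hunk only swaps SRC_URI[sha256sum], so the security justification for taking a version bump on a stable branch rests entirely on the commit message, and the message says "Contains fix for CVE-2025-66221" without tying the CVE to any of the seven changelog entries. Naming the entry that corresponds to the CVE would make the claim checkable. The added paragraph also sits after the "(cherry picked from commit ...)" line, between two Signed-off-by blocks; moving it above the trailers keeps the trailer block contiguous.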
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-python][whinlatter][PATCH 18/20] python3-werkzeug: upgrade 3.1.4 -> 3.1.5
Date: Thu, 5 Feb 2026 07:59:53 +0100
Message-ID: <20260205065955.1267785-18-skandigraun@gmail.com>
In-Reply-To: <20260205065955.1267785-1-skandigraun@gmail.com>
References: <20260205065955.1267785-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124194

Contains fix for CVE-2026-21860

Changelog:
- safe_join on Windows does not allow more special device names, regardless of extension or surrounding spaces.
- The multipart form parser handles a \r\n sequence at a chunk boundary. This fixes the previous attempt, which caused incorrect content lengths.
- Fix AttributeError when initializing DebuggedApplication with pin_security=False.

Signed-off-by: Gyorgy Sarvari
Signed-off-by: Khem Raj
(cherry picked from commit ecf359d2562795ca8de18f12f117cd654c30965e)

From the release notes:
This is the Werkzeug 3.1.5 security fix release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release.

Signed-off-by: Gyorgy Sarvari
---
 .../{python3-werkzeug_3.1.4.bb => python3-werkzeug_3.1.5.bb} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta-python/recipes-devtools/python/{python3-werkzeug_3.1.4.bb => python3-werkzeug_3.1.5.bb} (90%)
diff --git a/meta-python/recipes-devtools/python/python3-werkzeug_3.1.4.bb b/meta-python/recipes-devtools/python/python3-werkzeug_3.1.5.bb similarity index 90% rename from meta-python/recipes-devtools/python/python3-werkzeug_3.1.4.bb rename to meta-python/recipes-devtools/python/python3-werkzeug_3.1.5.bb index 2cfb5864b1..b92711ea04 100644 --- a/meta-python/recipes-devtools/python/python3-werkzeug_3.1.4.bb +++ b/meta-python/recipes-devtools/python/python3-werkzeug_3.1.5.bb 
@@ -10,7 +10,7 @@ HOMEPAGE = "https://werkzeug.palletsprojects.com" LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=5dc88300786f1c214c1e9827a5229462" -SRC_URI[sha256sum] = "cd3cd98b1b92dc3b7b3995038826c68097dcb16f9baa63abe35f20eafeb9fe5e" +SRC_URI[sha256sum] = "6a548b0e88955dd07ccb25539d7d0cc97417ee9e179677d22c7041c8f078ce67" inherit pypi python_flit_core
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][whinlatter][PATCH 19/20] raptor2: patch CVE-2024-57822 and CVE-2024-57823
Date: Thu, 5 Feb 2026 07:59:54 +0100
Message-ID: <20260205065955.1267785-19-skandigraun@gmail.com>
In-Reply-To: <20260205065955.1267785-1-skandigraun@gmail.com>
References: <20260205065955.1267785-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124196

Details:
https://nvd.nist.gov/vuln/detail/CVE-2024-57822
https://nvd.nist.gov/vuln/detail/CVE-2024-57823

Pick the patches mentioned in the github issue[1] mentioned in the NVD advisories (both of them are covered by the same issue)

[1]: https://github.com/dajobe/raptor/issues/70

Signed-off-by: Gyorgy Sarvari
Signed-off-by: Khem Raj
(cherry picked from commit dc2c6a514e7744da4165effefa61ad59c27cf507)
Signed-off-by: Gyorgy Sarvari
---
 .../raptor2/raptor2/CVE-2024-57822.patch | 44 +++++++++++++++++++
 .../raptor2/raptor2/CVE-2024-57823.patch | 31 +++++++++++++
 .../recipes-support/raptor2/raptor2_2.0.16.bb | 2 +
 3 files changed, 77 insertions(+)
 create mode 100644 meta-oe/recipes-support/raptor2/raptor2/CVE-2024-57822.patch
 create mode 100644 meta-oe/recipes-support/raptor2/raptor2/CVE-2024-57823.patch

diff --git a/meta-oe/recipes-support/raptor2/raptor2/CVE-2024-57822.patch b/meta-oe/recipes-support/raptor2/raptor2/CVE-2024-57822.patch new file mode 100644 index 0000000000..cb98f4250c --- /dev/null +++ b/meta-oe/recipes-support/raptor2/raptor2/CVE-2024-57822.patch
@@ -0,0 +1,44 @@ +From 3b0ded4ae8110b6291d030af927ecd08197e668f Mon Sep 17 00:00:00 2001 +From: Gyorgy Sarvari +Date: Thu, 6 Feb 2025 21:12:37 -0800 +Subject: [PATCH] Fix Github issue 70 A) Integer Underflow in + raptor_uri_normalize_path() + +From: Dave Beckett + +(raptor_uri_normalize_path): Return empty buffer if path gets to 0 +length + +CVE: CVE-2024-57822 +Upstream-Status: Backport [github.com/dajobe/raptor/commit/da7a79976bd0314c23cce55d22495e7d29301c44] +Signed-off-by: Gyorgy Sarvari +--- + src/raptor_rfc2396.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/src/raptor_rfc2396.c b/src/raptor_rfc2396.c +index 89183d9..2f0195f 100644 +--- a/src/raptor_rfc2396.c ++++ b/src/raptor_rfc2396.c +@@ -351,6 +351,10 @@ raptor_uri_normalize_path(unsigned char* path_buffer, size_t path_len) + *dest++ = *s++; + *dest = '\0'; + path_len -= len; ++ if(path_len <= 0) { ++ *path_buffer = '\0'; ++ return 0; ++ } + + if(p && p < prev) { + /* We know the previous prev path component and we didn't do +@@ -390,6 +394,10 @@ raptor_uri_normalize_path(unsigned char* path_buffer, size_t path_len) + /* Remove /.. at the end of the path */ + *prev = '\0'; + path_len -= (s-prev); ++ if(path_len <= 0) { ++ *path_buffer = '\0'; ++ return 0; ++ } + } + + diff --git a/meta-oe/recipes-support/raptor2/raptor2/CVE-2024-57823.patch b/meta-oe/recipes-support/raptor2/raptor2/CVE-2024-57823.patch new file mode 100644 index 0000000000..79833a55cb --- /dev/null +++ b/meta-oe/recipes-support/raptor2/raptor2/CVE-2024-57823.patch 
@@ -0,0 +1,31 @@ +From 0b028dd16eb504d3d4dcfa9c72ceb29a9e1f3915 Mon Sep 17 00:00:00 2001 +From: Gyorgy Sarvari +Date: Fri, 7 Feb 2025 11:38:34 -0800 +Subject: [PATCH] Fix Github issue 70 B) Heap read buffer overflow in ntriples + bnode + +From: Dave Beckett + +(raptor_ntriples_parse_term_internal): Only allow looking at the last +character of a bnode ID only if bnode length >0 + +CVE: CVE-2024-57823 +Upstream-Status: Backport [https://github.com/dajobe/raptor/commit/ece2c79df43091686a538b8231cf387d84bfa60e] +Signed-off-by: Gyorgy Sarvari +--- + src/raptor_ntriples.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/raptor_ntriples.c b/src/raptor_ntriples.c +index 3276e79..ecc4247 100644 +--- a/src/raptor_ntriples.c ++++ b/src/raptor_ntriples.c +@@ -212,7 +212,7 @@ raptor_ntriples_parse_term_internal(raptor_world* world, + locator->column--; + locator->byte--; + } +- if(term_class == RAPTOR_TERM_CLASS_BNODEID && dest[-1] == '.') { ++ if(term_class == RAPTOR_TERM_CLASS_BNODEID && position > 0 && dest[-1] == '.') { + /* If bnode id ended on '.' move back one */ + dest--; + diff --git a/meta-oe/recipes-support/raptor2/raptor2_2.0.16.bb b/meta-oe/recipes-support/raptor2/raptor2_2.0.16.bb index 03e57ce86f..1b77103a8d 100644 --- a/meta-oe/recipes-support/raptor2/raptor2_2.0.16.bb +++ b/meta-oe/recipes-support/raptor2/raptor2_2.0.16.bb 
@@ -13,6 +13,8 @@ SRC_URI = " \ http://download.librdf.org/source/${BPN}-${PV}.tar.gz \ file://0001-Remove-the-access-to-entities-checked-private-symbol.patch \ file://raptor-2.0.16-dont_use_curl-config.patch \ + file://CVE-2024-57822.patch \ + file://CVE-2024-57823.patch \ " SRC_URI[sha256sum] = "089db78d7ac982354bdbf39d973baf09581e6904ac4c92a98c5caadb3de44680"
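Review bot: in both added blocks of the CVE-2024-57822 patch the test if(path_len <= 0) runs after the subtraction (path_len -= len; and path_len -= (s-prev);), and the hunk header shows path_len is declared size_t. An unsigned value is never below zero, so the test only catches an exact zero; if the amount subtracted were larger than path_len, the result would wrap to a very large value and the early return would not trigger. Whether that can happen is not visible in these context lines. The backport should stay identical to the upstream commit it cites, but it is worth confirming with upstream whether the comparison should be made before the subtraction (for example len >= path_len). Minor: the Upstream-Status URL in this patch lacks the https:// prefix that the CVE-2024-57823 patch uses.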
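Review bot: the new guard in the CVE-2024-57823 hunk, position > 0 && dest[-1] == '.', is only correct if position counts the bytes already written through dest, and neither the declaration nor the update of position appears in the three context lines. Since the change is taken from a later upstream commit, please confirm against src/raptor_ntriples.c as shipped in 2.0.16 that position is advanced in step with dest in this function; if it tracks the read offset instead, dest[-1] could still be read before anything has been written.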
iwRi6AmU4sPfLLw7hv5+xju6mqmHfKtGmhs+sUBrRZiDOhbx1NmC0KRFnH8vt2NmWoX8 /jbA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1770274810; x=1770879610; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=e8xFs1sNqW3ASvgOq8j3AC1x7UvvkiKDQnCbRZsrV24=; b=AfTQWKB0Yi02UYWib42Ds30EldGwh9dP2wfx7bFr7QmaCAYTP5xRIKDA+7BcmbilLb 8yHxe3dqdj1l8tF7dnZfo0hebqYeTJi2704aCoBIFa1oRB6XSUQ4qlWey2udd9uLzsXP 0sLDK4T74ZGEvTfXlsrVL9KSMfZciYaxytZgq/MIIHoOgYeu6KgYOlgXAUWUOtw18wPx TkjG291p9Au8SaEwW5/q+bHdGJfH3+RZ9W+25WKI6qWz6QOKzy4A4/ZIiwKXspB9YXr1 7WpGfkTzSRzgkag3am06LC2TV2aI3v2nVJHP0L6yXVY8EshqVCjIB6iQP+3BcvwA9LRH 9Beg== X-Gm-Message-State: AOJu0YzlsawJKUGNLsXd0FW2EVBFAdP9GI17k0w/+MNrwpxIN4yVWGn9 uQWDvX4YqP3Izt98pZ9mjdpxM91xJnfRKMGCW54CbSp8WRbcXX+RA4hdPXUvwg== X-Gm-Gg: AZuq6aJrJCPFuXuaR5AA/XiBcHMvhYhsFTDAWzD8AHEI4AHok7idSu5TXEBqKMimCV0 bL6MWJkjc8tAg5x7gS7GOHW3GZceANdXEzT3/AytcePDQ2iC2+hIT+5tYOYRU0iM/DukV+8HfrH ACejcBuPxINwkutQWk4jT2UeReagaiGcVLvD3+baay7XY6Ji5tbaRYgZhIw5Cd03c6XlMFfZKsv b8MRBRy6TXloul7dyCWf5h95Q8sjYodWkPCi7/fbTXu3IDAI2Zfy+n3eR1+mPxP/wWKe1D2ZNIp z9WAK/O5oOFWFzfnD4ig+/MsuoajTg2baTHT9BiTpi3gM63F+NgZeDqS7G3CqcBstqbzUa3JwgQ 0zmhjMWXAFz/MxtGCwvyPpE/2WTnFIZciVeEDvUNHwpFahYfZs8xLP+w+YolLQmsWPgmH2qrUDd O+rcyzND+k X-Received: by 2002:a05:600c:848a:b0:46e:6d5f:f68 with SMTP id 5b1f17b1804b1-4830e930426mr72578425e9.12.1770274810365; Wed, 04 Feb 2026 23:00:10 -0800 (PST) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-4830fe86bebsm34545505e9.10.2026.02.04.23.00.09 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 04 Feb 2026 23:00:10 -0800 (PST) 
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][whinlatter][PATCH 20/20] redis: ignore CVE-2025-46686 Date: Thu, 5 Feb 2026 07:59:55 +0100 Message-ID: <20260205065955.1267785-20-skandigraun@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260205065955.1267785-1-skandigraun@gmail.com> References: <20260205065955.1267785-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 05 Feb 2026 07:00:19 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/124195 Details: https://nvd.nist.gov/vuln/detail/CVE-2025-46686 Upstream disputes that it is a security violation, and says that implementing a mitigation for this would negatively affect the rest of the application, so they elected to ignore it. See Github advisory about the same vulnerability: https://github.com/redis/redis/security/advisories/GHSA-2r7g-8hpc-rpq9 Signed-off-by: Gyorgy Sarvari Signed-off-by: Khem Raj (cherry picked from commit 868b4b2959c1f6be13693e31eae5b27a1fa697e6) Signed-off-by: Gyorgy Sarvari --- meta-oe/recipes-extended/redis/redis_6.2.21.bb | 1 + meta-oe/recipes-extended/redis/redis_7.2.12.bb | 1 + 2 files changed, 2 insertions(+) diff --git a/meta-oe/recipes-extended/redis/redis_6.2.21.bb b/meta-oe/recipes-extended/redis/redis_6.2.21.bb index 6166769ffa..69f7a73f5d 100644 --- a/meta-oe/recipes-extended/redis/redis_6.2.21.bb +++ b/meta-oe/recipes-extended/redis/redis_6.2.21.bb 
@@ -23,6 +23,7 @@ SRC_URI[sha256sum] = "6383b32ba8d246f41bbbb83663381f5a5f4c4713235433cec22fc4a47e CVE_STATUS[CVE-2025-21605] = "cpe-incorrect: the used version already contains the fix" CVE_STATUS[CVE-2022-0543] = "not-applicable-config: the vulnerability is not present in upstream, only in Debian-packaged version" CVE_STATUS[CVE-2022-3734] = "not-applicable-config: only affects Windows" +CVE_STATUS[CVE-2025-46686] = "disputed: upstream rejected because mitigating it would affect other functionality" inherit update-rc.d systemd useradd diff --git a/meta-oe/recipes-extended/redis/redis_7.2.12.bb b/meta-oe/recipes-extended/redis/redis_7.2.12.bb index 6527fb6996..997c962a96 100644 --- a/meta-oe/recipes-extended/redis/redis_7.2.12.bb +++ b/meta-oe/recipes-extended/redis/redis_7.2.12.bb @@ -23,6 +23,7 @@ RPROVIDES:${PN} = "virtual-redis" CVE_STATUS[CVE-2025-21605] = "cpe-incorrect: the used version already contains the fix" CVE_STATUS[CVE-2025-27151] = "cpe-incorrect: the used version already contains the fix" +CVE_STATUS[CVE-2025-46686] = "disputed: upstream rejected because mitigating it would affect other functionality" CVE_STATUS[CVE-2025-46817] = "cpe-incorrect: the used version already contains the fix" CVE_STATUS[CVE-2025-46818] = "cpe-incorrect: the used version already contains the fix" CVE_STATUS[CVE-2025-46819] = "cpe-incorrect: the used version already contains the fix"
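Review bot: In the `raptor_ntriples_parse_term_internal` hunk of the embedded CVE-2024-57823.patch, the new `position > 0` guard only protects `dest[-1]` if `position` is the number of bytes already written to `dest`, and the context lines above it adjust `locator->column` and `locator->byte` without showing how `position` is maintained. Please confirm against the upstream function that `position` is zero exactly when `dest` still points at the start of the buffer, so that `dest[-1]` is never evaluated for a zero-length bnode ID. Separately, the patch header reads `From: Gyorgy Sarvari` with a second in-body `From: Dave Beckett`; keeping the upstream author in the header and the backporter only in `Signed-off-by:` would make the provenance of the backport clearer.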
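Review bot: The SRC_URI hunk in raptor2_2.0.16.bb adds `file://CVE-2024-57822.patch` alongside `file://CVE-2024-57823.patch`, but only the header of CVE-2024-57823.patch is visible in this part of the message. Please check that CVE-2024-57822.patch carries its own `CVE:` and `Upstream-Status: Backport [...]` lines in the same form, since those tags are what tie each patch file to the CVE it resolves.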
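Review bot: In the redis_6.2.21.bb hunk, the reason string on the new `CVE_STATUS[CVE-2025-46686]` line says upstream rejected the report but gives no pointer to where, so the justification lives only in the commit message. Since a `disputed` status takes the CVE out of the list a product team will look at, consider a comment above the line with the advisory URL from the commit message (https://github.com/redis/redis/security/advisories/GHSA-2r7g-8hpc-rpq9), so that anyone auditing the recipe can re-check upstream's position without digging through git history.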
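Review bot: In the redis_7.2.12.bb hunk, the added `CVE_STATUS[CVE-2025-46686]` line is a verbatim copy of the one added to redis_6.2.21.bb, which leaves two strings to keep in sync and to carry forward by hand on each version bump. If the two recipes share an include file, the entry belongs there; if not, it is worth stating in the commit message that the status applies to both maintained versions, so that a later upgrade of either recipe does not drop it silently.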