From patchwork Sat Apr 11 11:14:45 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 85867 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 37CD9F3ED47 for ; Sat, 11 Apr 2026 11:15:03 +0000 (UTC) Received: from mail-pl1-f177.google.com (mail-pl1-f177.google.com [209.85.214.177]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.191320.1775906101064157989 for ; Sat, 11 Apr 2026 04:15:01 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20251104 header.b=gVLbPb0Q; spf=pass (domain: gmail.com, ip: 209.85.214.177, mailfrom: ankur.tyagi85@gmail.com) Received: by mail-pl1-f177.google.com with SMTP id d9443c01a7336-2b258576d8cso17182465ad.0 for ; Sat, 11 Apr 2026 04:15:01 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1775906100; x=1776510900; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=5iO1WDza3/HXp2IsSfZvOJOmE9sQrYRd0s3bLTsi9iw=; b=gVLbPb0QZuq4Wo1N2LhkghgOQ7iWrJnFfaAYhOrIYePFH5mhzxEJwvDpkAyfBm4Qcd Ft7nslLvW2HGSQgXkuWnr8wIwIN+Q2+Vig29CzXq93KftplZa6i70zTkAnyYR1YlF4qI T/oHGRT92N/oY+eC7im1JHH6aTIrLhZfpKcOYaxeVFpnk4VVGWBy+zNFRZXe5jYFKCLP 1ePVtqszAlz+JYWmHbM/wKxrJR8OElPgvqnoUk8ACzSrMdvhvpzZm9SSwTuNyVei6FmJ xFuEuEg3qrmFomlf5v7s4sjYeTdoPu1cooK1mPBcse+3aa9iuBDgF+dkwDiPADQl8W10 P2rQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1775906100; x=1776510900; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=5iO1WDza3/HXp2IsSfZvOJOmE9sQrYRd0s3bLTsi9iw=; b=WQqN6RExG67F2biX1uyju/ptW+qz91n0iPAsqJ4Aem/hfyBryonAjcVcKrzBt8NaJH tSR8Xo4yTbyOsbHGItxsfk8giB6eiaCdWAR1pmzPOVC8f9PACI+aqjk5Lh1BEqgxmkGJ ltbw54fDDVgt0pyVX6Hx+D/Zuu4v6xpZpndW+dq2jVNyzLQWVV+Nv3YIIxiD1i1ETZI2 Lu6skEVu/csrpbJOY+nFWnS/hvhbgmMgc8Lsexrd4nPwkJw7o2d+M0QhK8vZkdL4wSJ1 Srfq0z7aGn1UdBzFI/WZLBYAhQrQhZrMgT7JuhyzXB7Pqjg3yBNE3E1DG3wlD7W2oI5J Cz4A== X-Gm-Message-State: AOJu0YydxQB7Phy81GwYHqt41STRFXz+YZYVVVIuLkaI+oykwh8wCpIg XzdUcL/DduWWgW50MhIAUEv7bV+MLEsX1SUYqPyAAVBI5DuGgtwFChIIUHYzrg== X-Gm-Gg: AeBDiev/tlfLgiv1BOmVmXI4+7AEE08Zk9InpC35T1LPre9bVmuhuSQXnzpiLBKFqv6 LFgtyY4sCINKqHcrOVpbWY2NHNKm56uNvNYgIe5YSRBv1La+KH3jCE9GUE2uFPo60ZLOmvJX9VB Gkviq5p7C/GXdeKWxDY/CTSO9PGPzKcYuxJQaOmX0rc58ExtwRL3OuVCjA/O5hOMneBH0NRXT88 mY2hE4M/iWkpf/lIkx9FySCfxImLRPkDZvEBA7T1C5d01Vv6OCP6HY2LWLW98yJrTM0iJRfGisC pjzBbUUKuPaZujNaWLYXIoF6HdeaL4DSJ65DV3oeM0S/qXUivPySqTvsGUkCqXUxIfbbfYizg2S /d/LvilMl4wk/VdjO9mdziToEO1Zq5Wo37jjaT6ik/E1cf8g4SMpWlOHXK9qKlkjwl9f1hLNCbH oc2uRzxWyhtpimKZHgH5KGLN3Zx6JpSvKq+UM9 X-Received: by 2002:a05:6a20:2451:b0:398:71e4:6282 with SMTP id adf61e73a8af0-39fe3c1a50amr7932316637.4.1775906099904; Sat, 11 Apr 2026 04:14:59 -0700 (PDT) Received: from NVAPF55DW0D-IPD.. ([203.211.108.128]) by smtp.gmail.com with ESMTPSA id 41be03b00d2f7-c793488d824sm130447a12.16.2026.04.11.04.14.57 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 11 Apr 2026 04:14:59 -0700 (PDT) From: ankur.tyagi85@gmail.com To: openembedded-devel@lists.openembedded.org Cc: Ankur Tyagi Subject: [oe][meta-python][scarthgap][PATCH 1/5] python3-django: upgrade 4.2.29 -> 4.2.30 Date: Sat, 11 Apr 2026 23:14:45 +1200 Message-ID: <20260411111451.2739610-1-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 11 Apr 2026 11:15:03 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/126253 From: Ankur Tyagi Release Notes: https://docs.djangoproject.com/en/dev/releases/4.2.30/ Signed-off-by: Ankur Tyagi --- .../0001-lower-setuptools-requirements.patch | 0 .../{python3-django_4.2.29.bb => python3-django_4.2.30.bb} | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) rename meta-python/recipes-devtools/python/{python3-django-4.2.29 => python3-django-4.2.30}/0001-lower-setuptools-requirements.patch (100%) rename meta-python/recipes-devtools/python/{python3-django_4.2.29.bb => python3-django_4.2.30.bb} (82%) diff --git a/meta-python/recipes-devtools/python/python3-django-4.2.29/0001-lower-setuptools-requirements.patch b/meta-python/recipes-devtools/python/python3-django-4.2.30/0001-lower-setuptools-requirements.patch similarity index 100% rename from meta-python/recipes-devtools/python/python3-django-4.2.29/0001-lower-setuptools-requirements.patch rename to meta-python/recipes-devtools/python/python3-django-4.2.30/0001-lower-setuptools-requirements.patch diff --git a/meta-python/recipes-devtools/python/python3-django_4.2.29.bb b/meta-python/recipes-devtools/python/python3-django_4.2.30.bb similarity index 82% rename from meta-python/recipes-devtools/python/python3-django_4.2.29.bb rename to meta-python/recipes-devtools/python/python3-django_4.2.30.bb index c8d2c17589..146cd1eb90 100644 --- a/meta-python/recipes-devtools/python/python3-django_4.2.29.bb +++ b/meta-python/recipes-devtools/python/python3-django_4.2.30.bb @@ -2,7 +2,7 @@ require python-django.inc inherit python_setuptools_build_meta SRC_URI += "file://0001-lower-setuptools-requirements.patch" -SRC_URI[sha256sum] = "86d91bc8086569c8d08f9c55888b583a921ac1f95ed3bdc7d5659d4709542014" +SRC_URI[sha256sum] = "4ebc7a434e3819db6cf4b399fb5b3f536310a30e8486f08b66886840be84b37c" RDEPENDS:${PN} += "\ python3-sqlparse \ From patchwork Sat Apr 11 11:14:46 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 85869 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 56443F3ED4C for ; Sat, 11 Apr 2026 11:15:13 +0000 (UTC) Received: from mail-pg1-f171.google.com (mail-pg1-f171.google.com [209.85.215.171]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.191322.1775906103459302718 for ; Sat, 11 Apr 2026 04:15:03 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20251104 header.b=lHUtib0+; spf=pass (domain: gmail.com, ip: 209.85.215.171, mailfrom: ankur.tyagi85@gmail.com) Received: by mail-pg1-f171.google.com with SMTP id 41be03b00d2f7-c76eea1672aso1018574a12.1 for ; Sat, 11 Apr 2026 04:15:03 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1775906102; x=1776510902; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=28nDrUh8GQsdYxCC/N3MD7V+mOnJOB22tYHPJqGPv8c=; b=lHUtib0+jnBk4Ki5Gt9PoEqNoZ6Q0+zPagHnCbCaoOWj+PqDIBeJEfiVUufPgAk9a7 kd4QXj3b3AqdwDMjWYwGPunqXkfWVZ0My0R2V6CXygPoCFsPm38uQc2amH7ArZ78/BnN ojGRBN0uXmbfwklErevcG8N9rqfcQPY7GE+A4rvke6huDW32sSyByJprtRs4gWuHAIye 95qj3K9yXCob6wQ5sfa9K1IO9MIyehxJ41lgCgq4g5iMXrBDRpJT1idxPVBjsq2vI0uu 5rQZc9gQTAAbLVk/Pk9Qva3KigI9EQQdODdFF8X9ZVMBnHP+1KDCFVEDgZESo2uGSAY2 aBag== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1775906102; x=1776510902; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=28nDrUh8GQsdYxCC/N3MD7V+mOnJOB22tYHPJqGPv8c=; b=P5jgXFlnKqrR62l2hVHFfpXPBMIrlUUPxBd02H7qFtDW7hU4078Z7OCweKylGtNAaB kPfHmQXCPFdyzS/NtT5XsQI7kvbTdROuyqqyqOpSlemeKgAg56uIx12uHJlefr23Oxy7 keDrBIFS15/rb0zJdoD7pxPuD6gc8ppGIK6pKOqg3GpniZP075WvmIBjeTm/Rf7FDezd rUuDHw7u8k6Pl+N8gO+Dzj3vqLuvfpv1t5d2Lbe1N4iPhx4btldNV5Aeoc8s2B6ukdGt DJhbGeYEXuSH94yEC3mpOd14AbeXEqWnO255YTaQ7VMH9HTY8LBAE+zhSel9fFym8igs wVzQ== X-Gm-Message-State: AOJu0YyPVA1w8MVhdO+CucQAkZ+CpZTyCswh5EtoqnYyhuKz9yZpyhKM ePW3UWxV/6YaEGMBmi0olmJ8l1c+OT+t/xaTvIQTDSePx/jC6E9eG1nKxQtxhw== X-Gm-Gg: AeBDiet0UB3ZjiIeCjjVR1+WJxOgfSWI4DV1HGw2DXgbEHnl9091RVqNRhnvAa0RBnQ CdCGOmcE9jbAxOlU92jBM4xZw0tTVv4H3Gy43ACYPW7Hlqa8YRPuq0rpDwx2nzjbN+1h7AkP+kw zak3VJVMMmd0zKvhXW2MVBmnY3aJmqhbS8Smj8bGyFfdq5LaLI6NSuUFcSZ4LV9J06hTMKMWO/g sjujVuSQGn7u1fnOsuPo3D0axB/xGhEqIyd5LNXvRSLh3DC5nVOz7BbzlYFxqiAzhNpcR9cqtZt EdouwjK+dwlSPM1IpNPbBJLW6LaEchEjTe/YZUcSCw62lUaPLT5PagUIAoENzAEnwYtd2VNZ14C KxI/GKOjohl1xTkrC2l4+2pl8g7TlieJHgJno43f2CdfqyxgQFXgTBL0X8KwoKMh+9v8Oi9Rpb/ cVrb/PF5ogHFJ2w5xNY1JcXQ84BfRC7IIfeQbi X-Received: by 2002:a05:6a20:1588:b0:39b:989e:6d34 with SMTP id adf61e73a8af0-39fe3c1c2d6mr7715570637.4.1775906102551; Sat, 11 Apr 2026 04:15:02 -0700 (PDT) Received: from NVAPF55DW0D-IPD.. ([203.211.108.128]) by smtp.gmail.com with ESMTPSA id 41be03b00d2f7-c793488d824sm130447a12.16.2026.04.11.04.15.00 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 11 Apr 2026 04:15:02 -0700 (PDT) From: ankur.tyagi85@gmail.com To: openembedded-devel@lists.openembedded.org Cc: Ankur Tyagi Subject: [oe][meta-python][scarthgap][PATCH 2/5] python3-ecdsa: fix CVE-2026-33936 Date: Sat, 11 Apr 2026 23:14:46 +1200 Message-ID: <20260411111451.2739610-2-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260411111451.2739610-1-ankur.tyagi85@gmail.com> References: <20260411111451.2739610-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 11 Apr 2026 11:15:13 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/126254 From: Ankur Tyagi Details: https://nvd.nist.gov/vuln/detail/CVE-2026-33936 Ptests passed: root@qemux86:~# ptest-runner python3-ecdsa START: ptest-runner 2026-04-11T08:04 BEGIN: /usr/lib/python3-ecdsa/ptest ... ... Testsuite summary # TOTAL: 1978 # PASS: 1974 # SKIP: 4 # XFAIL: 0 # FAIL: 0 # XPASS: 0 # ERROR: 0 DURATION: 386 END: /usr/lib/python3-ecdsa/ptest 2026-04-11T08:10 STOP: ptest-runner TOTAL: 1 FAIL: 0 Signed-off-by: Ankur Tyagi --- .../python/python3-ecdsa/CVE-2026-33936.patch | 56 +++++++++++++++++++ .../python/python3-ecdsa_0.19.0.bb | 1 + 2 files changed, 57 insertions(+) create mode 100644 meta-python/recipes-devtools/python/python3-ecdsa/CVE-2026-33936.patch diff --git a/meta-python/recipes-devtools/python/python3-ecdsa/CVE-2026-33936.patch b/meta-python/recipes-devtools/python/python3-ecdsa/CVE-2026-33936.patch new file mode 100644 index 0000000000..f2d3743825 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-ecdsa/CVE-2026-33936.patch @@ -0,0 +1,56 @@ +From 41e6b7be293284ef8b1f102587f0da6eae1b753f Mon Sep 17 00:00:00 2001 +From: 0xmrma +Date: Sun, 1 Mar 2026 09:18:21 +0200 +Subject: [PATCH] der: reject truncated lengths in octet/implicit/constructed + +CVE: CVE-2026-33936 +Upstream-Status: Backport [https://github.com/tlsfuzzer/python-ecdsa/commit/bd66899550d7185939bf27b75713a2ac9325a9d3] +Signed-off-by: Ankur Tyagi +--- + src/ecdsa/der.py | 4 ++++ + src/ecdsa/test_der.py | 13 +++++++++++++ + 2 files changed, 17 insertions(+) + +diff --git a/src/ecdsa/der.py b/src/ecdsa/der.py +index b291485..5bbfaa3 100644 +--- a/src/ecdsa/der.py ++++ b/src/ecdsa/der.py +@@ -137,6 +137,8 @@ def remove_constructed(string): + ) + tag = s0 & 0x1F + length, llen = read_length(string[1:]) ++ if length > len(string) - 1 - llen: ++ raise UnexpectedDER("Length longer than the provided buffer") + body = string[1 + llen : 1 + llen + length] + rest = string[1 + llen + length :] + return tag, body, rest +@@ -160,6 +162,8 @@ def remove_octet_string(string): + n = str_idx_as_int(string, 0) + raise UnexpectedDER("wanted type 'octetstring' (0x04), got 0x%02x" % n) + length, llen = read_length(string[1:]) ++ if length > len(string) - 1 - llen: ++ raise UnexpectedDER("Length longer than the provided buffer") + body = string[1 + llen : 1 + llen + length] + rest = string[1 + llen + length :] + return body, rest +diff --git a/src/ecdsa/test_der.py b/src/ecdsa/test_der.py +index 0c2dc4d..28d231e 100644 +--- a/src/ecdsa/test_der.py ++++ b/src/ecdsa/test_der.py +@@ -476,3 +476,16 @@ def test_oids(ids): + decoded_oid, rest = remove_object(encoded_oid) + assert rest == b"" + assert decoded_oid == ids ++ ++def test_remove_octet_string_rejects_truncated_length(): ++ # OCTET STRING: declared length 4096, but only 3 bytes present ++ bad = b"\x04\x82\x10\x00" + b"ABC" ++ with pytest.raises(UnexpectedDER, match="Length longer than the provided buffer"): ++ remove_octet_string(bad) ++ ++def test_remove_constructed_rejects_truncated_length(): ++ # Constructed tag: 0xA0 (context-specific constructed, tag=0) ++ # declared length 4096, but only 3 bytes present ++ bad = b"\xA0\x82\x10\x00" + b"ABC" ++ with pytest.raises(UnexpectedDER, match="Length longer than the provided buffer"): ++ remove_constructed(bad) diff --git a/meta-python/recipes-devtools/python/python3-ecdsa_0.19.0.bb b/meta-python/recipes-devtools/python/python3-ecdsa_0.19.0.bb index 8e967f9259..0ae93fe3d9 100644 --- a/meta-python/recipes-devtools/python/python3-ecdsa_0.19.0.bb +++ b/meta-python/recipes-devtools/python/python3-ecdsa_0.19.0.bb @@ -10,6 +10,7 @@ inherit pypi setuptools3 python3native ptest SRC_URI += " \ file://run-ptest \ + file://CVE-2026-33936.patch \ " RDEPENDS:${PN}-ptest += " \ From patchwork Sat Apr 11 11:14:47 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 85870 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 10A75F3ED46 for ; Sat, 11 Apr 2026 11:15:13 +0000 (UTC) Received: from mail-pg1-f182.google.com (mail-pg1-f182.google.com [209.85.215.182]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.191326.1775906105860007201 for ; Sat, 11 Apr 2026 04:15:05 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20251104 header.b=gW+fX8OW; spf=pass (domain: gmail.com, ip: 209.85.215.182, mailfrom: ankur.tyagi85@gmail.com) Received: by mail-pg1-f182.google.com with SMTP id 41be03b00d2f7-c6e2355739dso1321778a12.2 for ; Sat, 11 Apr 2026 04:15:05 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1775906105; x=1776510905; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=9m4ZWR/wDPPDnaFi5M7FEGUSp12J+9rEpUQAdL3kNKI=; b=gW+fX8OWwDjSuCP6aNqzEb+3fVnArx/BL93smkhljMtY5bEFJsI6DljZeUITlL7rJt rHsH77NBgzWIOqhOnnBNkjPNgV++s+Jc9EOBadKatfzMeTQx9yKf1czKPIDBgmQN4dTV +RUTkYs4UDUApChA/JkOtCufX1npX3gmPmsdRF2AIvzWDdujc+/ab+oaXrQVNH5zrKhH 8k4Lm0qBdQEFgFp1bGrEoP6xH8Wlow+No59zkvvLLfIkrbnHNNvB4BWAFbdkQVNkpr7j 7Dv73x1WmSYTfwoc7ENPZ4ZLfCD2BT+QfDjQBCjpAAHRn9np68w93R2MFK/txHIo4L4X qYew== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1775906105; x=1776510905; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=9m4ZWR/wDPPDnaFi5M7FEGUSp12J+9rEpUQAdL3kNKI=; b=o5qglceTd7U4wXVc/1pFBvtO1/woReSr5vy2/eTMBi9X2ucoWkj5YXOuTr4iC5C+3C Rgn3Tje9b0SfVCAMeuNwLWLXwokqLS+2u/fG31tEZ0Yj6CMVqDQZx50g9EXPtBxuPhz9 06uyskIL5Ckin4lUW91C8wR7osIoBuWGcp0JtBIhlKKFVv9e/LlSUY9chDNjkULLTBpx K3cy++Brmoqltx0lTo+7vJsF50HnxZX4Z98fkSUWD+mWcrATxasKgMsNx/ngxlc/3JAn Ep9DcbAkA7sLxbJIY+UbmU7vhJ/88x7C36Y3pgpQv8CRNsy1MDEu53b+MFbC8EcU/PZd xKxQ== X-Gm-Message-State: AOJu0YzImWmN6phnzUtpRHOTfSoTVN6CCbvEv0aWzZ82i4J+07GXu7oK gfSedkwlS9bNTToCzkVn/wJ1/He/ZnSolUOrIDMBoVyc/cR4aHsvRIH7MZpsoA== X-Gm-Gg: AeBDievtkG7LnVuayxkRky3XROMa3qG8PZVt2iPRFshqytZukg2Bhso0BiisMYLjEoJ QGyFfoEeXVP81jwuwhTOcciKg72Fkk/womsdc1bZn6Zpeso3ybn7E2uQMSLE8K0e9aK3vThe775 UYSHBXVRcwmsg13WuKbyHykeZUMjv55BJuQ89MgEBM/XlEaRcPReJ2nm15SQdPwlwke5bt3Cu+N lOsDkuFHoH2yfcHNZLcZhf3+RQqlvdcvaGJaI+Tt19T/ZPXc0gO3Cex0PKZ/+gBV0fgGIujaX9D NeR4wncrYjlRPlvLUR+fpU+LDWkUfGYnl8krpVg3KU3LyDOC/xkxeUVBNESWpQhJhGNlglqcm0a 9BvOUb9LWRxivduhkGxg9Mobgdw4fd1efjD5FqspAJAWBheW7knx3IpMS3R8LhUtR5k22XwCrsR jFrqkQ8IlozGYKwIMe24Oei5ngtSN91Assn7ft X-Received: by 2002:a05:6a21:33a0:b0:398:7796:ddb8 with SMTP id adf61e73a8af0-39fe40dbb56mr7788269637.60.1775906104975; Sat, 11 Apr 2026 04:15:04 -0700 (PDT) Received: from NVAPF55DW0D-IPD.. ([203.211.108.128]) by smtp.gmail.com with ESMTPSA id 41be03b00d2f7-c793488d824sm130447a12.16.2026.04.11.04.15.02 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 11 Apr 2026 04:15:04 -0700 (PDT) From: ankur.tyagi85@gmail.com To: openembedded-devel@lists.openembedded.org Cc: Ankur Tyagi Subject: [oe][meta-python][scarthgap][PATCH 3/5] python3-flask: upgrade 3.0.2 -> 3.0.3 Date: Sat, 11 Apr 2026 23:14:47 +1200 Message-ID: <20260411111451.2739610-3-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260411111451.2739610-1-ankur.tyagi85@gmail.com> References: <20260411111451.2739610-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 11 Apr 2026 11:15:13 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/126255 From: Ankur Tyagi License Update: File renamed as txt[1] Release Notes: https://github.com/pallets/flask/releases/tag/3.0.3 [1] https://github.com/pallets/flask/commit/87d5f5b9a9697434e6d972b021201105eabb54e6 Signed-off-by: Ankur Tyagi --- .../python/{python3-flask_3.0.2.bb => python3-flask_3.0.3.bb} | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) rename meta-python/recipes-devtools/python/{python3-flask_3.0.2.bb => python3-flask_3.0.3.bb} (80%) diff --git a/meta-python/recipes-devtools/python/python3-flask_3.0.2.bb b/meta-python/recipes-devtools/python/python3-flask_3.0.3.bb similarity index 80% rename from meta-python/recipes-devtools/python/python3-flask_3.0.2.bb rename to meta-python/recipes-devtools/python/python3-flask_3.0.3.bb index 300ca99ddc..b68946ba0c 100644 --- a/meta-python/recipes-devtools/python/python3-flask_3.0.2.bb +++ b/meta-python/recipes-devtools/python/python3-flask_3.0.3.bb @@ -4,9 +4,9 @@ Flask is a microframework for Python based on Werkzeug, Jinja 2 and good \ intentions. And before you ask: It’s BSD licensed!" HOMEPAGE = "https://github.com/mitsuhiko/flask/" LICENSE = "BSD-3-Clause" -LIC_FILES_CHKSUM = "file://LICENSE.rst;md5=ffeffa59c90c9c4a033c7574f8f3fb75" +LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=ffeffa59c90c9c4a033c7574f8f3fb75" -SRC_URI[sha256sum] = "822c03f4b799204250a7ee84b1eddc40665395333973dfb9deebfe425fefcb7d" +SRC_URI[sha256sum] = "ceb27b0af3823ea2737928a4d99d125a06175b8512c445cbd9a9ce200ef76842" UPSTREAM_CHECK_URI = "https://pypi.python.org/pypi/Flask" UPSTREAM_CHECK_REGEX = "/Flask/(?P(\d+[\.\-_]*)+)" From patchwork Sat Apr 11 11:14:48 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 85868 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3B57AF3ED4A for ; Sat, 11 Apr 2026 11:15:13 +0000 (UTC) Received: from mail-pg1-f177.google.com (mail-pg1-f177.google.com [209.85.215.177]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.191327.1775906109186136657 for ; Sat, 11 Apr 2026 04:15:09 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20251104 header.b=BsZ9meux; spf=pass (domain: gmail.com, ip: 209.85.215.177, mailfrom: ankur.tyagi85@gmail.com) Received: by mail-pg1-f177.google.com with SMTP id 41be03b00d2f7-c70fb6aa323so1128883a12.3 for ; Sat, 11 Apr 2026 04:15:09 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1775906108; x=1776510908; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=gY9WxmluAPBKsjxydi+8qg0euDOAeUA2vp6I4D0XgG4=; b=BsZ9meux8zHK5T+3KhBrImnYlip4TqGFTXwHK6x7wsQ5MKNbWrEl3uNw3q4kUtlnwY ifef30mjmybfbyG+78qtXjik92RrJNT5P0VtAn5qnQX9n3YlzR2uqi9aIwxCRXat1ziT 6hNYRc4ORUNlWdfae7d1hLzNg1JZCiEU6UJ2QZEVkd0032BpIcCbLD5hmk27nj7yXObM qby0VQkZhzIY+hZXvYO4U1kz3ZLsgCZWBtq5rYN1EhkDj3I45uGOWGduBdgK6kuy91lR 0W4aQuGpjCUNig8SBqrNd8QHQH2iD0njIaE4g0btKwy4NTFehk+or5Xq0d4GYFLu4yvu Dc8g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1775906108; x=1776510908; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=gY9WxmluAPBKsjxydi+8qg0euDOAeUA2vp6I4D0XgG4=; b=V72Yg27O2MykYzTFlkosQSxDDfADF6RlS4sQOgbND+CpR/+W0CQEejpptla5aLv3Eq wLOtHCG1UGWVOKKYRpemUAP1iL9kp47V3Fjea1noGIKI1oWR2nnsMlVyWt6Xn76jW4sc w8Trdcq3JViRPK+HkVBjlFP3O6cLLS1dmG1KhkX5VD3l1pvLGvyhpUwPnodn0O+/LW1J QoyjWuvMgIiUN2Bl+VTXV7OFvCxNHxp+cGRmvoWYxRU7dgINkLqZjYDduc4kdSR35600 8mqLibg+VvMHY+/RFBFewqm0bL+Pw5TKFcOkgZsWkwBfPkmbX1Ao++1+d27zCefyFzN3 OcqA== X-Gm-Message-State: AOJu0Yx+AtBZBTAe9z/AbDKyBd4X4GrqPi7cNblRfPf9mOzSro4rp4re IDXwkRSmVRt0Y9ylDbu7zt6VYkKaF6LZE7CAeN65KHnN2TxY74mnfUlax3kBbw== X-Gm-Gg: AeBDieuj0Ysx9n/gZKpelfb8P/XB8Zi8u7IkLFfflDsHb/Ax9GFPMc89Aiv/nes6W9w 7uGFLVwps/GX4IzH4JsUNTbs4ykqsQRQRCuPdYsODhgs2BEMWhk0AuO1nDnV2aLB3D7hb9evK7S GLBYlGyROsnGj7Pn1EVvBm00RgPYrF5kOkgSpkHDmMqsJ5NVnVy0lDXyZhjuOULXF/0H/eHu6VE 9r/aoaV4bPHhAwKZWjWPPTtpFDdZyvkJC+Equq4UTnK1pg6zrOJCp6hQz7/u7/SoeQI+7X6+LEh xLQQCnMo0mR/JO4LSrQ/cPUQiEkSTnygxdwmAZA6gmzajl2/3dmrIt+siLWPhbpJGnePHHfoeid 12JUQAW5OOMSaemowUFp/mIUXkDz2Jwq+/mu9ikgCeL1r3W+OpH41My4R3dkDoZMTPTA/2K+XpT PNRSlV07ohjHWwi3XGSEshzgy2P3GT6TFvPYjF X-Received: by 2002:a05:6a20:6a1d:b0:39c:3de:efec with SMTP id adf61e73a8af0-39fe3ca18fbmr8583615637.14.1775906107924; Sat, 11 Apr 2026 04:15:07 -0700 (PDT) Received: from NVAPF55DW0D-IPD.. ([203.211.108.128]) by smtp.gmail.com with ESMTPSA id 41be03b00d2f7-c793488d824sm130447a12.16.2026.04.11.04.15.05 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 11 Apr 2026 04:15:07 -0700 (PDT) From: ankur.tyagi85@gmail.com To: openembedded-devel@lists.openembedded.org Cc: Ankur Tyagi Subject: [oe][meta-python][scarthgap][PATCH 4/5] python3-tornado: fix CVE-2026-35536 Date: Sat, 11 Apr 2026 23:14:48 +1200 Message-ID: <20260411111451.2739610-4-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260411111451.2739610-1-ankur.tyagi85@gmail.com> References: <20260411111451.2739610-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 11 Apr 2026 11:15:13 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/126256 From: Ankur Tyagi Backport the commit[1] from version 6.5.5 which fixes this vulnerability according to the NVD[2]. [1] https://github.com/tornadoweb/tornado/commit/24a2d96ea115f663b223887deb0060f13974c104 [2] https://nvd.nist.gov/vuln/detail/CVE-2026-35536 Signed-off-by: Ankur Tyagi --- .../python3-tornado/CVE-2026-35536.patch | 155 ++++++++++++++++++ .../python/python3-tornado_6.4.2.bb | 1 + 2 files changed, 156 insertions(+) create mode 100644 meta-python/recipes-devtools/python/python3-tornado/CVE-2026-35536.patch diff --git a/meta-python/recipes-devtools/python/python3-tornado/CVE-2026-35536.patch b/meta-python/recipes-devtools/python/python3-tornado/CVE-2026-35536.patch new file mode 100644 index 0000000000..783d0aa116 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-tornado/CVE-2026-35536.patch @@ -0,0 +1,155 @@ +From 66587e51009457274cedec28f5fd43000d129e4e Mon Sep 17 00:00:00 2001 +From: Ben Darnell +Date: Fri, 6 Mar 2026 14:50:25 -0500 +Subject: [PATCH] web: Validate characters in all cookie attributes. + +Our previous control character check was missing a check for +U+007F, and also semicolons, which are only allowed in quoted +parts of values. This commit checks all attributes and +updates the set of disallowed characters. + +CVE: CVE-2026-35536 +Upstream-Status: Backport [https://github.com/tornadoweb/tornado/commit/24a2d96ea115f663b223887deb0060f13974c104] +Signed-off-by: Ankur Tyagi +--- + tornado/test/web_test.py | 65 ++++++++++++++++++++++++++++++++++++++++ + tornado/web.py | 27 +++++++++++++++-- + 2 files changed, 89 insertions(+), 3 deletions(-) + +diff --git a/tornado/test/web_test.py b/tornado/test/web_test.py +index 801a80ed..ae39e8fc 100644 +--- a/tornado/test/web_test.py ++++ b/tornado/test/web_test.py +@@ -1,3 +1,5 @@ ++import http ++ + from tornado.concurrent import Future + from tornado import gen + from tornado.escape import ( +@@ -291,11 +293,67 @@ class CookieTest(WebTestCase): + self.set_cookie("unicode_args", "blah", domain="foo.com", path="/foo") + + class SetCookieSpecialCharHandler(RequestHandler): ++ # "Special" characters are allowed in cookie values, but trigger special quoting. + def get(self): + self.set_cookie("equals", "a=b") + self.set_cookie("semicolon", "a;b") + self.set_cookie("quote", 'a"b') + ++ class SetCookieForbiddenCharHandler(RequestHandler): ++ def get(self): ++ # Control characters and semicolons raise errors in cookie names and attributes ++ # (but not values, which are tested in SetCookieSpecialCharHandler) ++ for char in list(map(chr, range(0x20))) + [chr(0x7F), ";"]: ++ try: ++ self.set_cookie("foo" + char, "bar") ++ self.write( ++ "Didn't get expected exception for char %r in name\n" % char ++ ) ++ except http.cookies.CookieError as e: ++ if "Invalid cookie attribute name" not in str(e): ++ self.write( ++ "unexpected exception for char %r in name: %s\n" ++ % (char, e) ++ ) ++ ++ try: ++ self.set_cookie("foo", "bar", domain="example" + char + ".com") ++ self.write( ++ "Didn't get expected exception for char %r in domain\n" ++ % char ++ ) ++ except http.cookies.CookieError as e: ++ if "Invalid cookie attribute domain" not in str(e): ++ self.write( ++ "unexpected exception for char %r in domain: %s\n" ++ % (char, e) ++ ) ++ ++ try: ++ self.set_cookie("foo", "bar", path="/" + char) ++ self.write( ++ "Didn't get expected exception for char %r in path\n" % char ++ ) ++ except http.cookies.CookieError as e: ++ if "Invalid cookie attribute path" not in str(e): ++ self.write( ++ "unexpected exception for char %r in path: %s\n" ++ % (char, e) ++ ) ++ ++ try: ++ self.set_cookie("foo", "bar", samesite="a" + char) ++ self.write( ++ "Didn't get expected exception for char %r in samesite\n" ++ % char ++ ) ++ except http.cookies.CookieError as e: ++ if "Invalid cookie attribute samesite" not in str(e): ++ self.write( ++ "unexpected exception for char %r in samesite: %s\n" ++ % (char, e) ++ ) ++ + class SetCookieOverwriteHandler(RequestHandler): + def get(self): + self.set_cookie("a", "b", domain="example.com") +@@ -329,6 +387,7 @@ class CookieTest(WebTestCase): + ("/get", GetCookieHandler), + ("/set_domain", SetCookieDomainHandler), + ("/special_char", SetCookieSpecialCharHandler), ++ ("/forbidden_char", SetCookieForbiddenCharHandler), + ("/set_overwrite", SetCookieOverwriteHandler), + ("/set_max_age", SetCookieMaxAgeHandler), + ("/set_expires_days", SetCookieExpiresDaysHandler), +@@ -385,6 +444,12 @@ class CookieTest(WebTestCase): + response = self.fetch("/get", headers={"Cookie": header}) + self.assertEqual(response.body, utf8(expected)) + ++ def test_set_cookie_forbidden_char(self): ++ response = self.fetch("/forbidden_char") ++ self.assertEqual(response.code, 200) ++ self.maxDiff = 10000 ++ self.assertMultiLineEqual(to_unicode(response.body), "") ++ + def test_set_cookie_overwrite(self): + response = self.fetch("/set_overwrite") + headers = response.headers.get_list("Set-Cookie") +diff --git a/tornado/web.py b/tornado/web.py +index 8a740504..4b70ea93 100644 +--- a/tornado/web.py ++++ b/tornado/web.py +@@ -643,9 +643,30 @@ class RequestHandler(object): + # The cookie library only accepts type str, in both python 2 and 3 + name = escape.native_str(name) + value = escape.native_str(value) +- if re.search(r"[\x00-\x20]", name + value): +- # Don't let us accidentally inject bad stuff +- raise ValueError("Invalid cookie %r: %r" % (name, value)) ++ if re.search(r"[\x00-\x20]", value): ++ # Legacy check for control characters in cookie values. This check is no longer needed ++ # since the cookie library escapes these characters correctly now. It will be removed ++ # in the next feature release. ++ raise ValueError(f"Invalid cookie {name!r}: {value!r}") ++ for attr_name, attr_value in [ ++ ("name", name), ++ ("domain", domain), ++ ("path", path), ++ ("samesite", samesite), ++ ]: ++ # Cookie attributes may not contain control characters or semicolons (except when ++ # escaped in the value). A check for control characters was added to the http.cookies ++ # library in a Feb 2026 security release; as of March it still does not check for ++ # semicolons. ++ # ++ # When a semicolon check is added to the standard library (and the release has had time ++ # for adoption), this check may be removed, but be mindful of the fact that this may ++ # change the timing of the exception (to the generation of the Set-Cookie header in ++ # flush()). We m ++ if attr_value is not None and re.search(r"[\x00-\x20\x3b\x7f]", attr_value): ++ raise http.cookies.CookieError( ++ f"Invalid cookie attribute {attr_name}={attr_value!r} for cookie {name!r}" ++ ) + if not hasattr(self, "_new_cookie"): + self._new_cookie = ( + http.cookies.SimpleCookie() diff --git a/meta-python/recipes-devtools/python/python3-tornado_6.4.2.bb b/meta-python/recipes-devtools/python/python3-tornado_6.4.2.bb index 3dabcab38b..25f1b2a310 100644 --- a/meta-python/recipes-devtools/python/python3-tornado_6.4.2.bb +++ b/meta-python/recipes-devtools/python/python3-tornado_6.4.2.bb @@ -11,6 +11,7 @@ SRC_URI[sha256sum] = "92bad5b4746e9879fd7bf1eb21dce4e3fc5128d71601f80005afa39237 SRC_URI += "file://CVE-2025-47287.patch \ file://CVE-2025-67724.patch \ file://CVE-2025-67726.patch \ + file://CVE-2026-35536.patch \ " inherit pypi python_setuptools_build_meta From patchwork Sat Apr 11 11:14:49 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 85871 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 45E88F3ED4B for ; Sat, 11 Apr 2026 11:15:23 +0000 (UTC) Received: from mail-pg1-f175.google.com (mail-pg1-f175.google.com [209.85.215.175]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.190720.1775906111798103437 for ; Sat, 11 Apr 2026 04:15:11 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20251104 header.b=eB0Emc7L; spf=pass (domain: gmail.com, ip: 209.85.215.175, mailfrom: ankur.tyagi85@gmail.com) Received: by mail-pg1-f175.google.com with SMTP id 41be03b00d2f7-c76e702e01aso1007406a12.3 for ; Sat, 11 Apr 2026 04:15:11 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1775906111; x=1776510911; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=nVS+bVyTk8V9zVfOeEi30KPcev2I1Ssasc49ExeQsEg=; b=eB0Emc7LYIFiHAe2tM0s+g8B+qvSexp06DMu6l9DTEZMIxlDIqgEFyhgYCgq8FiHqd GTj2QhY35n8Hz9Ac8bche4m9Luj6VhzJFofR+8XhOthv71ITqY2tB28tSChIF20L8Wj3 MolaW8jnY1s1zq6LkfHBSGFjjk7O/LV4omgwQ6Cs7rotDjGnrH7g/nE7YR/A98Qs3i3r 429gsAGhdb40tLqyQ7EqP1NBG8BjRqrFBt2Y9pftDePdOPkSGA11bfJ+zh4JbBxnsxUe cVPXSjt9t0qvoycqW4R9lozu8B8CVEGfaKI6DZA4SAG4TXfqtTbchbU39cYgmSuLhAxv lzHQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1775906111; x=1776510911; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=nVS+bVyTk8V9zVfOeEi30KPcev2I1Ssasc49ExeQsEg=; b=gZj5p7Oz95WRFKVifzJM635Jrjddr4ReksMg5b+FEcK0PMH2Kg9GlRjFkLUpQ75hlB TFKGurKm84+X6qZfn3Ab1hNEFVidiuAg5Fp79AkCMZG1ZSGrBNah6ybsixSi8Vpd9fR+ RbQu054D3XfYHt7tOt6hM5/WnQq9ix9omQHR2vfMYxHncBwbzBt5evOtLQHnTdps1N+m Ltnw3Qqf7q3rPcaaKIgshSJs+dbbYGLbFFUhnKIOrNY69Z5jQszQ4QCY+otdjAXSEwK2 ppHm0Q4IB8m7hnK34/Y0A1BlmMganNGBzqnUwc+lVsxC7wwB8nJbWPMqSza+UOWEs26L 0Crw== X-Gm-Message-State: AOJu0YwzsxpISlYsor312NHcslWIt7Yba4ePTpMgJkheEbzCMHJG42W6 j3GA57Rl/nBY/ijHcPT+DKQk2YMuz0p4nyB61WxG0V3tIw7ES+VdgO9QWCPSiw== X-Gm-Gg: AeBDieuVxZkkCOvVp3/gHcYY21tzSDyMz9CVmuPqenr6GWImlhacPFymGqK2+ecuA53 mjbc5Ok500RWOr13X0cgMRm+tSnAagLIV5S8jk9BK3Xi7XOmTrItKgy0wMGEWB5uTPwNXyw6WW0 lEwwVSppueXW9QIltXLiN6KTn5RGyTRshPBW980jjj0msO+kc+NOJOWoU/1gnLMC5yQ3OMBDpvG JJAlUNL+/3nhD7GfynvV4wLEmSL8Jo+L6+S9fUtbEy6rkmvz71Hd8IY9wsep7lIohZejP9rNp/N cOnvZHuS6qwZi3kUTZ8C2+zBcZAXQCLx5FPNth4oimu7Aumdyh89trZpnww+rRgHzvDVIUw6zOq V09qUHtJ2wdN53ActiepDxjJm1OWCD0UvTlgKkICNfaQo8cHJRMfdm3iUNzsPJ6wAyLflVFczUX PsscBapS53mvkE3jFaoFRgv3YG0Z65ZlwTXK0l X-Received: by 2002:a05:6a21:6d9b:b0:39c:cdb:5d7c with SMTP id adf61e73a8af0-39fe40e056cmr7240449637.58.1775906110961; Sat, 11 Apr 2026 04:15:10 -0700 (PDT) Received: from NVAPF55DW0D-IPD.. ([203.211.108.128]) by smtp.gmail.com with ESMTPSA id 41be03b00d2f7-c793488d824sm130447a12.16.2026.04.11.04.15.08 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 11 Apr 2026 04:15:10 -0700 (PDT) From: ankur.tyagi85@gmail.com To: openembedded-devel@lists.openembedded.org Cc: Ankur Tyagi Subject: [oe][meta-python][scarthgap][PATCH 5/5] python3-werkzeug: ignore CVE-2026-27199 Date: Sat, 11 Apr 2026 23:14:49 +1200 Message-ID: <20260411111451.2739610-5-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260411111451.2739610-1-ankur.tyagi85@gmail.com> References: <20260411111451.2739610-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 11 Apr 2026 11:15:23 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/126257 From: Ankur Tyagi Vvulnerability affects Windows application and can be ignored. Details: https://nvd.nist.gov/vuln/detail/CVE-2026-27199 Signed-off-by: Ankur Tyagi --- meta-python/recipes-devtools/python/python3-werkzeug_3.0.6.bb | 1 + 1 file changed, 1 insertion(+) diff --git a/meta-python/recipes-devtools/python/python3-werkzeug_3.0.6.bb b/meta-python/recipes-devtools/python/python3-werkzeug_3.0.6.bb index 5f88a9577a..e7b00d37ce 100644 --- a/meta-python/recipes-devtools/python/python3-werkzeug_3.0.6.bb +++ b/meta-python/recipes-devtools/python/python3-werkzeug_3.0.6.bb @@ -25,3 +25,4 @@ RDEPENDS:${PN} += " \ CVE_STATUS[CVE-2025-66221] = "not-applicable-platform: The vulnerability is Windows specific" CVE_STATUS[CVE-2026-21860] = "not-applicable-platform: The vulnerability is Windows specific" +CVE_STATUS[CVE-2026-27199] = "not-applicable-platform: The vulnerability is Windows specific"