python3: Fix CVE-2026-6019

This patch applies the upstream fix [1] and follow-up fix [2], as referenced in [3] and [4], to address an http.cookies.Morsel.js_output() flaw where inline JavaScript output escaped quotes but did not neutralize the HTML parser-sensitive </script> sequence. [1] 3c59b8b53f [2] e7d4c3ff42 [3] https://github.com/python/cpython/issues/149144 [4] https://security-tracker.debian.org/tracker/CVE-2026-6019 Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-6019 (From OE-Core rev: e17af14ae72e21f7f63407ba5c88da160c73bea9) Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-27 11:13:38 +02:00 · 2026-06-13 03:11:39 -07:00
parent 1401e6e003
commit 7731db5592
3 changed files with 264 additions and 0 deletions
--- a/meta/recipes-devtools/python/python3_3.12.13.bb
+++ b/meta/recipes-devtools/python/python3_3.12.13.bb
@@ -40,6 +40,8 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
           file://CVE-2026-4519_p1.patch \
           file://CVE-2026-4519_p2.patch \
           file://CVE-2026-4519_CVE-2026-4786.patch \
+           file://CVE-2026-6019_p1.patch \
+           file://CVE-2026-6019_p2.patch \
           "

 SRC_URI:append:class-native = " \