mirrors/poky - poky - zepto initiative

mirrors/poky

Fork 0

mirror of https://git.yoctoproject.org/poky synced 2026-02-06 00:38:45 +01:00

Commit Graph

Author	SHA1	Message	Date
Peter Marko	bf232d95e8	python3: update CVE product There are two "new" CVEs reported for python3, their CPEs are: * CVE-2020-1171: cpe:2.3🅰️microsoft:python::::::visual_studio_code::* (< 2020.5.0) * CVE-2020-1192: cpe:2.3🅰️microsoft:python::::::visual_studio_code::* (< 2020.5.0) These are for "Visual Studio Code Python extension". Solve this by addding CVE vendor to python CVE product to avoid confusion with Microsoft as vendor. Examining CVE DB for historical python entries shows: sqlite> select vendor, product, count(*) from products where product = 'python' or product = 'cpython' ...> or product like 'python%3' group by vendor, product; microsoft\|python\|2 python\|python\|1054 python_software_foundation\|python\|2 Note that this already shows that cpython product is not used, so CVE-2023-33595 mentioned in 62598e1138f21a16d8b1cdd1cfe902aeed854c5c was updated. But let's keep it for future in case new CVE starts with that again. (From OE-Core rev: 8659e3537facbf3f5f5a5080137be4d9faf9c970) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>	2025-07-17 13:57:58 -07:00
Guðni Már Gilbert	741e4d2ed9	python3: drop old nis module dependencies libnsl2 and libtirpc were build dependencies for the nis module. The nis module was deprecated in Python 3.11 and removed in Python 3.13 (From OE-Core rev: cbc7b1ed7747ef69d8bcbaee27c90560ded713d6) Signed-off-by: Guðni Már Gilbert <gudni.m.g@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Steve Sakoman <steve@sakoman.com>	2025-07-04 07:50:16 -07:00
Peter Marko	5e9c6deafb	python3: upgrade 3.13.3 -> 3.13.4 Refresh patches. * https://www.python.org/downloads/release/python-3134/ Security content in this release * gh-135034: [CVE 2024-12718] [CVE 2025-4138] [CVE 2025-4330] [CVE 2025-4435] [CVE 2025-4517] Fixes multiple issues that allowed tarfile extraction filters (filter="data" and filter="tar") to be bypassed using crafted symlinks and hard links. * gh-133767: Fix use-after-free in the “unicode-escape” decoder with a non-“strict” error handler. * gh-128840: Short-circuit the processing of long IPv6 addresses early in ipaddress to prevent excessive memory consumption and a minor denial-of-service. gh-133767 got meawhile CVE-2025-4516 assigned. (From OE-Core rev: 55a9cd748531c75d46f5d6d53af692a38c6b6716) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>	2025-06-13 09:01:26 -07:00

Author

SHA1

Message

Date

Peter Marko

bf232d95e8

python3: update CVE product

There are two "new" CVEs reported for python3, their CPEs are:
* CVE-2020-1171: cpe:2.3🅰️microsoft:python:*:*:*:*:*:visual_studio_code:*:* (< 2020.5.0)
* CVE-2020-1192: cpe:2.3🅰️microsoft:python:*:*:*:*:*:visual_studio_code:*:* (< 2020.5.0)
These are for "Visual Studio Code Python extension".

Solve this by addding CVE vendor to python CVE product to avoid
confusion with Microsoft as vendor.

Examining CVE DB for historical python entries shows:
sqlite> select vendor, product, count(*) from products where product = 'python' or product = 'cpython'
   ...> or product like 'python%3' group by vendor, product;
microsoft|python|2
python|python|1054
python_software_foundation|python|2

Note that this already shows that cpython product is not used, so
CVE-2023-33595 mentioned in 62598e1138f21a16d8b1cdd1cfe902aeed854c5c
was updated.
But let's keep it for future in case new CVE starts with that again.

(From OE-Core rev: 8659e3537facbf3f5f5a5080137be4d9faf9c970)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>

2025-07-17 13:57:58 -07:00

Guðni Már Gilbert

741e4d2ed9

python3: drop old nis module dependencies

libnsl2 and libtirpc were build dependencies for the nis module.

The nis module was deprecated in Python 3.11 and removed in Python 3.13

(From OE-Core rev: cbc7b1ed7747ef69d8bcbaee27c90560ded713d6)

Signed-off-by: Guðni Már Gilbert <gudni.m.g@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>

2025-07-04 07:50:16 -07:00

Peter Marko

5e9c6deafb

python3: upgrade 3.13.3 -> 3.13.4

Refresh patches.

* https://www.python.org/downloads/release/python-3134/
  Security content in this release
  * gh-135034: [CVE 2024-12718] [CVE 2025-4138] [CVE 2025-4330]
    [CVE 2025-4435] [CVE 2025-4517] Fixes multiple issues that allowed
    tarfile extraction filters (filter="data" and filter="tar") to be
    bypassed using crafted symlinks and hard links.
  * gh-133767: Fix use-after-free in the “unicode-escape” decoder with a
    non-“strict” error handler.
  * gh-128840: Short-circuit the processing of long IPv6 addresses early
    in ipaddress to prevent excessive memory consumption and a minor
    denial-of-service.

gh-133767 got meawhile CVE-2025-4516 assigned.

(From OE-Core rev: 55a9cd748531c75d46f5d6d53af692a38c6b6716)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>

2025-06-13 09:01:26 -07:00

3 Commits