There is a HIGH severity vulnerability affecting the CPython "zipfile"
module. When iterating over names of entries in a zip archive (for example,
methods of "zipfile.ZipFile" like "namelist()", "iterdir()", "extractall()",
etc.) the process can be put into an infinite loop with a maliciously crafted
zip archive. This defect applies when reading only metadata or extracting
the contents of the zip archive. Programs that are not handling
user-controlled zip archives are not affected.
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-8088
Upstream-Patch:
7ae310c56a
(From OE-Core rev: 2d98276ba70ed6c44afecd42a7352f1b3030438f)
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
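The commit above notes that only programs handling user-controlled zip archives are exposed. An added example, not part of the OE-Core commit or of CPython, of the kind of pre-check a consumer of untrusted archives can run: it reads only the central-directory records via ZipFile.infolist() and rejects archives with absolute, empty or traversal-style entry names, too many entries, or zip-bomb compression ratios. This goes beyond the specific defect in the commit message: it is general zip hardening rather than a reproduction of the fixed bug. The limits, the build_sample() helper and the sample archives are constructed for this example.

```python
import io
import zipfile

# Limits are constructed for this example; tune them for the application.
MAX_ENTRIES = 10_000
MAX_TOTAL_UNCOMPRESSED = 256 * 1024 * 1024  # 256 MiB
MAX_RATIO = 100  # uncompressed / compressed, to catch zip bombs


def find_unsafe_entries(zf: zipfile.ZipFile) -> list[str]:
    """Return reasons the archive should be rejected (empty list = accept).

    Only the central-directory records (ZipFile.infolist()) are inspected,
    so nothing is extracted and no per-entry path logic is run on names the
    archive author chose before they have been vetted.
    """
    problems = []
    infos = zf.infolist()
    if len(infos) > MAX_ENTRIES:
        problems.append(f"too many entries: {len(infos)}")
    total = 0
    for info in infos:
        name = info.filename
        if name == "" or name.startswith("/") or "\\" in name:
            problems.append(f"absolute or malformed name: {name!r}")
        elif any(p in ("", ".", "..") for p in name.rstrip("/").split("/")):
            # "" catches doubled slashes such as "a//b"; ".." catches traversal
            problems.append(f"traversal or empty path component: {name!r}")
        total += info.file_size
        if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
            problems.append(f"suspicious compression ratio: {name!r}")
    if total > MAX_TOTAL_UNCOMPRESSED:
        problems.append(f"total uncompressed size too large: {total}")
    return problems


def build_sample(entries: dict[str, bytes]) -> zipfile.ZipFile:
    """Constructed helper: build an in-memory archive with the given names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as out:
        for name, data in entries.items():
            out.writestr(name, data)
    buf.seek(0)
    return zipfile.ZipFile(buf)


if __name__ == "__main__":
    good = build_sample({"ok/readme.txt": b"hello"})
    bad = build_sample({"../escape.txt": b"x", "/etc/passwd": b"x", "a//b": b"x"})
    print("good:", find_unsafe_entries(good))
    print("bad:", find_unsafe_entries(bad))
```

Run the validator before handing the archive to any code that walks or extracts it; an archive with a non-empty problem list is dropped rather than repaired.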
There is a LOW severity vulnerability affecting CPython, specifically the
'http.cookies' standard library module. When parsing cookies that contained
backslashes for quoted characters in the cookie value, the parser would use
an algorithm with quadratic complexity, resulting in excess CPU resources
being used while parsing the value.
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-7592
Upstream-Patch:
dcc3eaef98
(From OE-Core rev: 3bb9684eef5227e7b1280ee9051884310b0d0b7f)
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
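The commit above describes a quadratic-time decoder for backslash escapes in quoted cookie values. An added example, not part of the OE-Core commit or of CPython's http.cookies, showing the two escape forms such a value can contain (a three-digit octal escape or a backslash plus one character) decoded in a single left-to-right pass, beside a constructed unquote_rescan() that reproduces the rescan pattern responsible for the quadratic cost: every backslash triggers a fresh search from the current index to the end of the string. Both function names and the sample inputs are assumptions for this example.

```python
import re

# One pass, left to right: a three-digit octal escape (\ooo) or a backslash
# followed by any single character. These are the two escape forms accepted
# inside a double-quoted cookie value.
_ESCAPE = re.compile(r"\\(?:([0-3][0-7][0-7])|(.))", re.DOTALL)


def _replace(m: re.Match) -> str:
    octal, char = m.group(1), m.group(2)
    return chr(int(octal, 8)) if octal is not None else char


def unquote_linear(value: str) -> str:
    """Decode a quoted cookie value in O(n): re.sub visits each char once."""
    if len(value) < 2 or value[0] != '"' or value[-1] != '"':
        return value  # not quoted, return unchanged
    return _ESCAPE.sub(_replace, value[1:-1])


def unquote_rescan(value: str) -> str:
    """Same output as unquote_linear(), written in the rescan style that
    costs O(n^2): for every backslash, both searches start again at index i
    and the octal search scans to the end whenever no octal escape follows.
    Constructed for illustration; do not use on untrusted input."""
    if len(value) < 2 or value[0] != '"' or value[-1] != '"':
        return value
    s = value[1:-1]
    octal = re.compile(r"\\[0-3][0-7][0-7]")
    quote = re.compile(r"[\\].", re.DOTALL)
    out, i, n = [], 0, len(s)
    while 0 <= i < n:
        o = octal.search(s, i)  # rescans to the end on every iteration
        q = quote.search(s, i)
        if not o and not q:
            out.append(s[i:])
            break
        j = o.start(0) if o else -1
        k = q.start(0) if q else -1
        if q and (not o or k < j):
            out.append(s[i:k])
            out.append(s[k + 1])
            i = k + 2
        else:
            out.append(s[i:j])
            out.append(chr(int(s[j + 1:j + 4], 8)))
            i = j + 4
    return "".join(out)


if __name__ == "__main__":
    sample = '"' + '\\"' * 5 + '\\101"'  # five escaped quotes then \101 ('A')
    print(unquote_linear(sample))
    print(unquote_rescan(sample) == unquote_linear(sample))
```

The single-regex version does the same amount of work per character regardless of how many backslashes the value holds, which is the property a parser exposed to client-supplied headers needs.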
A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for
remote code execution via its download functions. These functions, which are used to download
packages from URLs provided by users or retrieved from package index servers, are susceptible
to code injection. If these functions are exposed to user-controlled inputs, such as package
URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-6345
Upstream-patch:
88807c7062
(From OE-Core rev: 468c5a4e12b9d38768b00151c55fd27b2b504f3b)
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This package can be built using pep517 classes now.
(From OE-Core rev: a9ac262d9dbc57be6ac5c8905c803009e5c4ef4e)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit a32fa3e64d1daf5846c29403e9f258aea42212d3)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Certifi is a curated collection of Root Certificates for validating the
trustworthiness of SSL certificates while verifying the identity of TLS
hosts. Certifi starting in 2021.05.30 and prior to 2024.07.4 recognized
root certificates from `GLOBALTRUST`. Certifi 2024.07.04 removes root
certificates from `GLOBALTRUST` from the root store. These are in the
process of being removed from Mozilla's trust store. `GLOBALTRUST`'s root
certificates are being removed pursuant to an investigation which
identified "long-running and unresolved compliance issues."
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-39689
Upstream-patch:
bd8153872e
(From OE-Core rev: 2ec1ba32a23611484e5d3819008bbab85336ae20)
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
python3-ctypes was dropped as a dependency in v19.2.0
(From OE-Core rev: 48c43d2ff467c067d1518dc55d8d6da39bea159a)
Signed-off-by: Guðni Már Gilbert <gudni.m.g@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 8d06116caf2382ad4782b9b2da50534d076a736d)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This test is causing problems on the Autobuilder, so disable it for now.
(From OE-Core rev: 9eafd0c56b279a7c3025b0dcd00745baead15bb6)
Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit ac000b00ec615b3e51dda8d819015d5e7110ed88)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
These tests are causing hangs on the Autobuilder, so disable them for
now.
(From OE-Core rev: 141c348ce83552beae88e115d9c4db5802c6e0f4)
Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 291f37808f1a2b2fdc8190696867f974994457c0)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
License-Update: Updated copyright year
Changelog:
==========
* Fix issue where specially crafted inputs to encode() could take exceptionally
long amount of time to process. [CVE-2024-3651]
(From OE-Core rev: b6f8938c8048d08e29233fa29f5104b044353cf7)
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Python 2.7 support was dropped in version 22.0.0
python3-six was dropped as a dependency in 22.0.0
(From OE-Core rev: d7ad0495c543ec952817860595c047e5e4263978)
Signed-off-by: Guðni Már Gilbert <gudnimar@noxmedical.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 6eab37a0cdcc6071f79aa5c8198df0b2ba23dd7a)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Python 2.7 support was dropped in version 3.2.0 and
python3-six dependency was subsequently dropped in version 3.2.1
(From OE-Core rev: 214d41b73d235176123fd78143747845aa9c951e)
Signed-off-by: Guðni Már Gilbert <gudnimar@noxmedical.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 50757cc95b3062f11a7455af33e7a7e74ea1d0f7)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2to3 module was dropped as a dependency in setuptools 58.0
(From OE-Core rev: 0d5cd1d867a826cf83fcaee3e8390b9defec47d1)
Signed-off-by: Guðni Már Gilbert <gudni.m.g@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Drop the following dependencies from RDEPENDS:
- python3-ndg-httpsclient
- python3-pyasn1
- python3-pyopenssl
Add a missing dependency into RDEPENDS:
- python3-certifi
Additional fix HOMEPAGE, the old link doesn't work
(From OE-Core rev: 3d9072c346bf7bdeecd6197df8b14e39399bdabd)
Signed-off-by: Guðni Már Gilbert <gudni.m.g@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Switch to use flit core since upstream changed.
They also changed the capitalisation under pypi.
The license didn't change but the file was renamed, probably as it wasn't
rst.
(From OE-Core rev: ac35432687624ad58ff6586446e5e73710658a68)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit e352680528b18c3cdae26233bef7cddc2771d42d)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
These tests are causing hangs on the Autobuilder, so disable them for
now.
(From OE-Core rev: e3b4a05f19e3ba8f84b5d892b787e67bef565e48)
Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
testtools uses the hatchling backend so:
* merge the inc back into the recipe
* drop setuptools
* use the hatchling backend
* add the needed vcs dependency
* drop the now unneeded python3-pbr dependency
This means the submodules are included in packaging, fixing build failures
and the version in the wheel is no longer 0.0.0
Prior to this fix, testtools in buildtools tarball was completely
broken.
(From OE-Core rev: fe46107e6bf4880d97f03b5e55d722d64f922889)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
For the newer hash equivalence servers we need websockets. Import it
from meta-oe so we can easily include it in buildtools tarball.
(From OE-Core rev: c61ed007b9e06683065aed62af1e1ca4569b8c16)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
python 2 is gone and we don't need the abstraction now, drop the
remaining usage of this variable.
(From OE-Core rev: f64078dd67b2d4db26edea5992f649161e7fee2f)
Signed-off-by: Justin Bronder <jsbronder@cold-front.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
python 2 is gone and we don't need the abstraction now, drop the
remaining usage of this variable.
(From OE-Core rev: 51c6501e7b255f3a699fea3b787abe1a5d8231dd)
Signed-off-by: Justin Bronder <jsbronder@cold-front.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
There's no need to explicitly set PYPI_ARCHIVE_NAME and S when
PYPI_PACKAGE is set correctly.
(From OE-Core rev: e757a0595602dafcd95a988fb123a8fdb3d4d82b)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
bitbake python3 -c create_manifest revealed several changes that were missing.
This commit contains a manual cherry-picked version of those, making sure that
new RDEPENDS are reflected since the last time this was updated.
In this case it's taking out unnecessary dependencies on python3-profile and
python3-shell.
(From OE-Core rev: 692013b9aa5106561afb4c6506661bab41d88461)
Signed-off-by: Alejandro Enedino Hernandez Samaniego <alejandro@enedino.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This only needs removal of the custom setting (which no longer produces a webpage suitable for parsing the version out),
as the default SRC_URI is 'tarballs in versioned directories' setup, which the version checker is able to handle.
(From OE-Core rev: d9fa89180fe497ce67493b8dec8452d87c05ccba)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
License-Update: copyright years
(From OE-Core rev: bc997c790cd2ccdfce8bf21021be6abe008ba46b)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
It's a hard dependency of recent python3-sphinx-rtd-theme
versions:
4d6de11137
The issue is exposed by latest btrfs-tools update.
(From OE-Core rev: 7a3d074f2d1679b4d4e52c4a023edb46224ca0be)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Since FILES:${PN}-ptest is already defined to include the contents of
${PTEST_PATH}, adding such an entry to the package is superfluous.
(From OE-Core rev: 61949efcdb496b27d03f89ccde3d16c8cf4a56d5)
Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
https://hypothesis.readthedocs.io/en/latest/changes.html#v6-98-15
https://hypothesis.readthedocs.io/en/latest/changes.html#v6-98-14
https://hypothesis.readthedocs.io/en/latest/changes.html#v6-98-13
6.98.15 - 2024-02-29
* This release adds support for the Array API’s 2023.12 release via the
api_version argument in make_strategies_namespace(). The API additions
and modifications in the 2023.12 spec do not necessitate any changes in
the Hypothesis strategies, hence there is no distinction between a
2022.12 and 2023.12 strategies namespace.
6.98.14 - 2024-02-29
* This patch adjusts the printing of bundle values to correspond with
their names when using stateful testing.
6.98.13 - 2024-02-27
* This patch implements filter-rewriting for text() and binary() with
the search(), match(), or fullmatch() method of a re.compile()d regex.
(From OE-Core rev: 18ac6584ed92c0ff037076c9977b68dae5fddb44)
Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Changelog:
============
-Restore ignoration of files passed as command-line arguments
-Fix failure on broken symlinks that should be ignored
-Docs: Restore official Read the Docs theme
-Config: validate ignore-from-file inside rules
-Rule quoted-strings: fix only-when-needed in flow maps and sequences
-Rule key-duplicates: add forbid-duplicated-merge-keys option
-Rule quoted-strings: add check-keys option
-Docs: add GitLab CI example
-Rule truthy: adapt forbidden values based on YAML version
(From OE-Core rev: dc3f5c4e04c3eafd23a3188deaf6fb170d2969c5)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Changelog:
===========
-Fixed issue where "InsecureRequestWarning" was emitted for HTTPS connections
when using Emscripten.
-Fixed "HTTPConnectionPool.urlopen" to stop automatically casting non-proxy
headers to "HTTPHeaderDict".
-Changed "InvalidChunkLength" to "ProtocolError" when response terminates
before the chunk length is sent.
-Changed "ProtocolError" to be more verbose on incomplete reads with excess
content.
-Added support for Emscripten and Pyodide
-Added support for "HTTPResponse.read1()" method.
-Added rudimentary support for HTTP/2.
-Fixed issue where requests against urls with trailing dots were failing due to
SSL errors when using proxy.
-Fixed "HTTPConnection.proxy_is_verified" and
"HTTPSConnection.proxy_is_verified" to be always set to a boolean after
connecting to a proxy. It could be "None" in some cases previously.
-Fixed an issue where "headers" passed in a request with "json=" would be
mutated
-Fixed "HTTPSConnection.is_verified" to be set to "False" when connecting
from a HTTPS proxy to an HTTP target. It was set to "True" previously.
-Fixed handling of new error message from OpenSSL 3.2.0 when configuring an
HTTP proxy as HTTPS
-Fixed TLS 1.3 post-handshake auth when the server certificate validation is
disabled
-Note for downstream distributors: To run integration tests, you now need to run
the tests a second time with the "--integration" pytest flag.
(From OE-Core rev: c1968ceeddbad57bc86aaa23a705093c353d3bc9)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Changelog:
============
-Add support for PEP 728, supporting the closed keyword argument and the special
__extra_items__ key for TypedDict.
-Add support for PEP 742, adding typing_extensions.TypeIs.
-Drop runtime error when a read-only TypedDict item overrides a mutable one.
Type checkers should still flag this as an error.
-Speedup issubclass() checks against simple runtime-checkable protocols by
around 6% (backporting python/cpython#112717)
-Fix a regression in the implementation of protocols where typing.Protocol
classes that were not marked as @runtime_checkable would be unnecessarily
introspected, potentially causing exceptions to be raised if the protocol had
problematic members.
(From OE-Core rev: 91dd6f2878bcdbb6f9ba65927f6c6f981b0b3f1a)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Changelog:
-Deprecate py_limited_api option to RustExtension in favour of always using
"auto" to configure this from bdist_wheel.
(From OE-Core rev: 2ba36c4ebfc223111c055a6b521b7a2b9981b368)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Changelog:
============
-Fix collection on Windows where initial paths contain the short version
of a path (for example c:\PROGRA~1\tests).
-Fix an IndexError crash raising from getstatementrange_ast.
-Reverted a fix to --maxfail handling in pytest 8.0.0 because it caused a
regression in pytest-xdist whereby session fixture teardowns may get executed
multiple times when the max-fails is reached.
-Correctly handle errors from getpass.getuser() in Python 3.13.
-Fix an edge case where ExceptionInfo._stringify_exception could crash
pytest.raises().
-Fix regression with pytest.warns() using custom warning subclasses which
have more than one parameter in their __init__.
-Fix a regression in pytest 8.0.0 whereby calling pytest.skip() and similar
control-flow exceptions within a pytest.warns() block would get suppressed
instead of propagating.
-Fix a regression in pytest 8.0.0 whereby autouse fixtures defined in a module
get ignored by the doctests in the module.
-Fix a regression in pytest 8.0.0 whereby items would be collected in reverse
order in some circumstances.
(From OE-Core rev: 0a6824bc920bebfa019641f8134cb287c8564bef)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Changelog:
============
* Bump minimum required meson version from 0.56.0 to 0.64.0
* Various meson related cleanups
* Fix header file being installed to the wrong location with meson on some systems
* Adds a new "wheel" meson build option as preparation for meson-python support
* Update dependencies (libpng, pixman, zlib) of the Windows wheels
* Various maintenance related updates
(From OE-Core rev: 1b8054fb175b46f21807c124f55d1c807e2c814f)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
no_shebang_mangling.patch
refreshed for 24.0
Changelog:
===========
-Retry on HTTP status code 502
-Automatically use the setuptools PEP 517 build backend when --config-settings
is used for projects without pyproject.toml.
-Make pip freeze and pip uninstall of legacy editable installs of packages
whose name contains _ compatible with setuptools>=69.0.3.
-Support per requirement --config-settings for editable installs.
(From OE-Core rev: 73040d2ed2a440d7497b448b8e81ee19bef5858b)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Changelog:
==========
-power_profiles_daemon: Move back to original D-Bus name to avoid breaking compatibility
-Add upower_power_profiles_daemon template for version 0.20 API with new D-Bus name
(From OE-Core rev: 7967c57f305e47f93ba0b27724ff3a077f1cc0c9)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>