import patch from ubuntu setuptools_45.2.0-1ubuntu0.1 .
(From OE-Core rev: a939696d7c70c42e404ec30a9d75e5ea4f742c78)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
https://docs.python.org/release/3.8.18/whatsnew/changelog.html#changelog
Release date: 2023-08-24
Security
gh-108310: Fixed an issue where instances of ssl.SSLSocket were
vulnerable to a bypass of the TLS handshake and included protections
(like certificate verification) and treating sent unencrypted data as if
it were post-handshake TLS encrypted data. Security issue reported as
CVE-2023-40217 by Aapo Oksman. Patch by Gregory P. Smith.
Library
gh-107845: tarfile.data_filter() now takes the location of symlinks into
account when determining their target, so it will no longer reject some
valid tarballs with LinkOutsideDestinationError.
Tools/Demos
gh-107565: Update multissltests and GitHub CI workflows to use OpenSSL
1.1.1v, 3.0.10, and 3.1.2.
(From OE-Core rev: 9205496344bede4a16372ca7a02c2819a976640b)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This CVE shouldn't have been filed as the "exploit" is described in the
documentation as how the library behaves.
(From OE-Core rev: b66a677b76c7f15eb5c426f8dc7ac42e1e2e3f40)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit c652f094d86c4efb7ff99accba63b8169493ab18)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
License-Update: update year to 2023
30afa75ad8
Release Notes for 3.8.15:
Security content in this release
CVE-2022-40674: bundled libexpat was upgraded from 2.4.7 to 2.4.9 which
fixes a heap use-after-free vulnerability in function doContent
gh-97616: a fix for a possible buffer overflow in list *= int
gh-97612: a fix for possible shell injection in the example script
get-remote-certificate.py (this issue originally had a CVE assigned to
it, which its author withdrew)
gh-96577: a fix for a potential buffer overrun in msilib
https://www.python.org/downloads/release/python-3815/
Release Notes for 3.8.16:
Security content in this release
gh-98739: Updated bundled libexpat to 2.5.0 to fix CVE-2022-43680 (heap
use-after-free).
gh-98517: Port XKCP’s fix for the buffer overflows in SHA-3 to fix
CVE-2022-37454.
gh-98433: The IDNA codec decoder used on DNS hostnames by socket or
asyncio related name resolution functions no longer involves a quadratic
algorithm to fix CVE-2022-45061. This prevents a potential CPU denial of
service if an out-of-spec excessive length hostname involving
bidirectional characters were decoded. Some protocols such as urllib
http 3xx redirects potentially allow for an attacker to supply such a
name.
gh-68966: The deprecated mailcap module now refuses to inject unsafe
text (filenames, MIME types, parameters) into shell commands to address
CVE-2015-20107. Instead of using such text, it will warn and act as if a
match was not found (or for test commands, as if the test failed).
gh-100001: python -m http.server no longer allows terminal control
characters sent within a garbage request to be printed to the stderr
server log.
gh-87604: Avoid publishing list of active per-interpreter audit hooks
via the gc module.
https://www.python.org/downloads/release/python-3816/
Release Notes for 3.8.17:
Security content in this release
gh-103142: The version of OpenSSL used in Windows and Mac installers has
been upgraded to 1.1.1u to address CVE-2023-2650, CVE-2023-0465,
CVE-2023-0466, CVE-2023-0464, as well as CVE-2023-0286, CVE-2022-4303,
and CVE-2022-4303 fixed previously in 1.1.1t (gh-101727).
gh-102153: urllib.parse.urlsplit() now strips leading C0 control and
space characters following the specification for URLs defined by WHATWG
in response to CVE-2023-24329.
gh-99889: Fixed a security in flaw in uu.decode() that could allow for
directory traversal based on the input if no out_file was specified.
gh-104049: Do not expose the local on-disk location in directory indexes
produced by http.client.SimpleHTTPRequestHandler.
gh-103935: trace.__main__ now uses io.open_code() for files to be
executed instead of raw open().
gh-101283: subprocess.Popen now uses a safer approach to find cmd.exe
when launching with shell=True.
gh-102953: The extraction methods in tarfile, and
shutil.unpack_archive(), have a new filter argument that allows limiting
tar features than may be surprising or dangerous, such as creating files
outside the destination directory. See Extraction filters for details.
https://www.python.org/downloads/release/python-3817/
(From OE-Core rev: 01a1f016a6558566a36098a993adaf4b40e30c78)
Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Security and bug fixes.
* Drop CVE-2021-28861.patch as it was merged in 3.8.14 release.
Fixes:
* CVE-2020-10735
https://nvd.nist.gov/vuln/detail/CVE-2020-10735
* CVE-2021-28861
https://nvd.nist.gov/vuln/detail/CVE-2021-28861
* CVE-2018-25032
https://nvd.nist.gov/vuln/detail/CVE-2018-25032
Python 3.8.14
Release Date: Sept. 6, 2022
This is a security release of Python 3.8
Note: The release you're looking at is Python 3.8.14, a security bugfix
release for the legacy 3.8 series. Python 3.10 is now the latest
feature release series of Python 3.
Security content in this release
CVE-2020-10735: converting between int and str in bases other than
2 (binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base
10 (decimal) now raises a ValueError if the number of digits in string
form is above a limit to avoid potential denial of service attacks due
to the algorithmic complexity.
gh-87389: http.server: Fix an open redirection vulnerability in the HTTP
server when an URI path starts with //.
gh-93065: Fix contextvars HAMT implementation to handle iteration over
deep trees to avoid a potential crash of the interpreter.
gh-90355: Fix ensurepip environment isolation for the subprocess running
pip.
gh-80254: Raise ProgrammingError instead of segfaulting on recursive usage
of cursors in sqlite3 converters.
(From OE-Core rev: 25fafd35a4698daa0d4abb814a91601e68223128)
Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
CVE-2015-20107 describes an arbitrary command execution in the mailcap
module, but this is by design in mailcap and needs to be worked around
by the calling application.
Upstream Python will be documenting this flaw in the library reference,
and it is likely that the mailcap module will be deprecated and removed
in the future.
(From OE-Core rev: 1ed7bb74d35f08af3babf73c68ee01af5f28a50b)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 85fac8408baf92d8b71946f5bfea92952b7eab01)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This CVE is specific to Microsoft Windows, so we can ignore it.
(From OE-Core rev: d966a07d1f04aa76a4970d4af141f817197be0d2)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 2bd3c5a93988140d9927340b3af68785ae03db65)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Release Date: Aug. 30, 2021
This is a security release of Python 3.8
Note: The release you're looking at is Python 3.8.12, a security bugfix release
for the legacy 3.8 series. Python 3.10 is now the latest feature release series
of Python 3. Get the latest release of 3.10.x here.
Security content in this release contains four fixes. There are also four
additional fixes for bugs that might have lead to denial-of-service attacks.
Finally, while we're not providing binary installers anymore, for those users
who produce installers, we upgraded the OpenSSL version used to 1.1.1l.
Take a look at the change log for details.
According to the release calendar specified in PEP 569, Python 3.8 is now in the
"security fixes only" stage of its life cycle: 3.8 branch only accepts security
fixes and releases of those are made irregularly in source-only form until
October 2024. Python 3.8 isn't receiving regular bug fixes anymore, and binary
installers are no longer provided for it. Python 3.8.10 was the last full bugfix
release of Python 3.8 with binary installers.
This release includes a fix for CVE-2021-29921.
References:
https://docs.python.org/release/3.8.12/whatsnew/changelog.html#changelog
(From OE-Core rev: ff52cf448c5e26246f8637d0b8957c5c479fa389)
Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Since file-native is ASSUME_PROVIDED magic.mgc is not being staged. As
a result diffoscope-native is failing with:
magic.MagicException: b'could not find any valid magic files!
Fix this by adding dependency on file-replacement-native
(From OE-Core rev: dcd8294f826f6e061cdd01c6c3594789ed46732e)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Add the missing rdepends to fix below error:
# python3
[snip]
>>> import magic
[snip]
ModuleNotFoundError: No module named 'ctypes'
ModuleNotFoundError: No module named 'tempfile'
(From OE-Core rev: ba5562d34653fa6b5819dbc8ca80a42167c38c96)
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 115791844124bdddfbaec9d75bb887ef35c41f20)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Add a fix for reproducibility issues where pyc files for python-config.py
may not always be generated.
(From OE-Core rev: 917f800368c6d452670d3ccf74057afae98013b0)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit d1c3a87c48b598b6e5624d0affe8bd89320631bf)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Currently in dunfell branch python3 version is 3.8.11.
so, python3_3.8.10.bb is not needed.
Hence, removed.
(From OE-Core rev: 2b44de6e7b3e02b78e2b09294ac37799ad4cfadb)
Signed-off-by: Purushottam Choudhary <purushottamchoudhary29@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Release Date: June 28, 2021
This is a security release of Python 3.8
Note: The release you're looking at is Python 3.8.11, a security bugfix release
for the legacy 3.8 series. Python 3.9 is now the latest feature release series
of Python 3. Get the latest release of 3.9.x here.
Security content in this release contains three fixes. There's also two fixes
for 3.8.10 regressions. Take a look at the change log for details.
According to the release calendar specified in PEP 569, Python 3.8 is now in
security fixes only stage of its life cycle: 3.8 branch only accepts security
fixes and releases of those are made irregularly in source-only form until
October 2024. Python 3.8 isn't receiving regular bugfixes anymore, and binary
installers are no longer provided for it. Python 3.8.10 was the last full
bugfix release of Python 3.8 with binary installers.
References:
https://docs.python.org/release/3.8.11/whatsnew/changelog.html#python-3-8-11-final
(From OE-Core rev: 1ba51ee2d52ee92bbdede9f2cd2f9ed9ff04ddb6)
Signed-off-by: Tim Orling <timothy.t.orling@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Testing IMAGE_FEATURES from component recipes cannot possibly work;
adjusting the test to soft-fail if needed items are not available
is not trivial, so let's just skip unconditionally for now.
(From OE-Core rev: 68b816cb90badddd0aafa2a5c6633e000cb21a21)
(From OE-Core rev: 0bb221206c55564fd5cfe1d2452a6abe5e86d2c3)
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 01b41f7deed48b33b35c84e32ef55de3e63b9bc1)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Making ptest images based on core-image-minimal uncovered quite a
few missing depenendcies from various recipes, here they are.
(From OE-Core rev: 2cda6242f2f0f6f9c6bdef72bbb271eab7e5e1f5)
(From OE-Core rev: 9423ad8f0f42d249c2fcb1b86ec9abb75854f011)
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Backport to Python 3.8.10 (only python3 portion of patch)
Signed-off-by: Tim Orling <timothy.t.orling@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Causes build failures on autobuilder
This reverts commit 8a59c47ce4c101b2470a06ecf101ca5ab7d1f82e.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before
3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable
to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by
using a vector called parameter cloaking. When the attacker can separate query
parameters using a semicolon (;), they can cause a difference in the
interpretation of the request between the proxy (running with default
configuration) and the server. This can result in malicious requests being
cached as completely safe ones, as the proxy would usually not see the
semicolon as a separator, and therefore would not include it in a cache key of
an unkeyed parameter.
References:
https://nvd.nist.gov/vuln/detail/CVE-2021-23336https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23336
(From OE-Core rev: 8a59c47ce4c101b2470a06ecf101ca5ab7d1f82e)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Tim Orling <timothy.t.orling@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Added missing HOMEPAGE and DESCRIPTION found using the test command
`oe-selftest -r distrodata.Distrodata.test_missing_homepg`
[YOCTO #13471]
(From OE-Core rev: a6f1da03c9534c3ea1607d479e08d1037688a59f)
Signed-off-by: Dorinda Bassey <dorindabassey@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 7290b773486da3888f848abf0dba747f2d9f42e1)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Added HOMEPAGE and DESCRIPTION for recipes with missing decriptions or homepage
[YOCTO #13471]
(From OE-Core rev: bd3352880322598b0ba6dc439ff08c2e4c592e36)
Signed-off-by: Dorinda Bassey <dorindabassey@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit bb05814335e7101bfd8df0a11dc18a044e867bed)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The externalsrc class deletes do_patch task which results with:
| ERROR: Task do_create_manifest in <PATH>/python3_3.8.2.bb depends upon
| non-existent task do_patch in <PATH>/python3_3.8.2.bb
Use addtask to define correct order to prevent this error, since addtask
mechanism accepts deleted tasks.
[YOCTO #14151]
(From OE-Core rev: 35ca0a401e62a8a8b88c3089929eda401a90f762)
Signed-off-by: Tomasz Dziendzielski <tomasz.dziendzielski@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit a746d034fa7eaad4f4876fa61c5a8c3c15e211c8)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
There are several thousand files in the test directory which we don't need.
Adding these for the native and target sysroots is a crazy amount of files
to be throwing around needlessly. Delete the files from the sysroot side
of things to tidy up the sysroots and improve performance.
(From OE-Core rev: f73ac290617e89b80e10dc700c0e90efddc8e1b2)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit f6bced03011ad1663d68b0322a2f8aeb4d836646)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This issue describes expected behaviour, do not use tarfile with
untrusted data.
(From OE-Core rev: 267130c66dde462a0a1043ab5dffdb86781389a0)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit f4c22e83f2e68ff157da5ea1303acc2931d63f5f)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This CVE is issue on _Py_CheckPython3 uses uninitialized dllpath when embedder sets module path with Py_SetPath.
Since it is .dll issue (on windows only), hence whitelist it.
https://bugs.python.org/issue29778
(From OE-Core rev: c216431d0704bd8be237e860bbdc32be34a82aee)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The ctypes module needs to use "ldconfig -p" to find the
library path and it simply has below logic if no ldconfig
installed.
except OSError:
pass
Before the patch:
>>> from ctypes.util import find_library
>>> lib_path = find_library('archive')
>>> print(lib_path)
None
After the patch:
>>> from ctypes.util import find_library
>>> lib_path = find_library('archive')
>>> print(lib_path)
libarchive.so.13
(From OE-Core rev: 84e1a32096db9deb98d282a652beec95dbfe80f1)
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit ddb96902a124a6e1f035f0fd868b0139989bc1bc)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This is used by some of the results handling code and needed as part of
buildtools tarball on various autobuilder worker for testing.
ptest is disabled for OE-Core, at least for now since it depends on
python3-pytest which in turn has may other dependencies.
Acked-by: Tim Orling <ticotimo@gmail.com>
(From OE-Core rev: cc0f56a788c33ad3fd2bb5402dee497234fb06bb)
Signed-off-by: Tim Orling <ticotimo@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit b5156e95e9e80e3e0f7eea181cd12f85e03a111d)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
