mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-06-27 20:13:41 +02:00
Code Issues Packages Projects Releases Wiki Activity
76,059 Commits 38 Branches 625 Tags
c0d690e103eec99e329a222fdeed7d4380f23a48
Commit Graph

1 Commits

Author SHA1 Message Date
Sudhir Dumbhare
1401e6e003 python3: Fix CVE-2026-4519 and CVE-2026-4786 
Apply the upstream v3.12 fix [1], aligned with the original v3.11 fix [2],
and follow-up fix [3] to address CVE-2026-4519 by disallowing URLs with
leading dashes when invoking browser commands, as referenced in [5].

CVE-2026-4786 [6] revealed the CVE-2026-4519 fix was incomplete, as %action
in URLs could bypass dash-prefix checks. Apply follow-up fix [4], noted in
[5], to revalidate the URL after %action expansion.

[1] cbba611939
[2] ceac1efc66
[3] 96fc504860
[4] f4654824ae
[5] https://security-tracker.debian.org/tracker/CVE-2026-4519
[6] https://security-tracker.debian.org/tracker/CVE-2026-4786

References:
https://nvd.nist.gov/vuln/detail/CVE-2026-4519
https://nvd.nist.gov/vuln/detail/CVE-2026-4786

(From OE-Core rev: e6d81b3be531e97058366c81056a38c0b6fa7380)

Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
 2026-06-26 16:55:53 +01:00