mirrors/poky - poky - zepto initiative

mirrors/poky

Fork 0

mirror of https://git.yoctoproject.org/poky synced 2026-02-05 16:28:43 +01:00

Commit Graph

Author	SHA1	Message	Date
Peter Marko	6d83b872af	python3: patch CVE-2025-8194 Pick commit from 3.12 branch mentioned in NVD report. https://nvd.nist.gov/vuln/detail/CVE-2025-8194 (From OE-Core rev: 34f1b4877a0601d2057453c159c76a54754f229a) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>	2025-08-20 07:37:19 -07:00
Peter Marko	ae35f06bb1	python3: update CVE product There are two "new" CVEs reported for python3, their CPEs are: * CVE-2020-1171: cpe:2.3🅰️microsoft:python::::::visual_studio_code::* (< 2020.5.0) * CVE-2020-1192: cpe:2.3🅰️microsoft:python::::::visual_studio_code::* (< 2020.5.0) These are for "Visual Studio Code Python extension". Solve this by addding CVE vendor to python CVE product to avoid confusion with Microsoft as vendor. Examining CVE DB for historical python entries shows: sqlite> select vendor, product, count(*) from products where product = 'python' or product = 'cpython' ...> or product like 'python%3' group by vendor, product; microsoft\|python\|2 python\|python\|1054 python_software_foundation\|python\|2 Note that this already shows that cpython product is not used, so CVE-2023-33595 mentioned in 62598e1138f21a16d8b1cdd1cfe902aeed854c5c was updated. But let's keep it for future in case new CVE starts with that again. (From OE-Core rev: 72369cd66f78a371608c3fff205e0e96c248f2b3) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>	2025-07-21 09:07:21 -07:00
Peter Marko	c4f82e3fd5	python3: upgrade 3.12.9 -> 3.12.11 Drop upstreamed patch and refresh remaining patches. * https://www.python.org/downloads/release/python-31210/ Python 3.12.10 is the latest maintenance release of Python 3.12, and the last full maintenance release. Subsequent releases of 3.12 will be security-fixes only. * https://www.python.org/downloads/release/python-31211/ Security content in this release * gh-135034: [CVE 2024-12718] [CVE 2025-4138] [CVE 2025-4330] [CVE 2025-4435] [CVE 2025-4517] Fixes multiple issues that allowed tarfile extraction filters (filter="data" and filter="tar") to be bypassed using crafted symlinks and hard links. * gh-133767: Fix use-after-free in the “unicode-escape” decoder with a non-“strict” error handler. * gh-128840: Short-circuit the processing of long IPv6 addresses early in ipaddress to prevent excessive memory consumption and a minor denial-of-service. gh-133767 got meawhile CVE-2025-4516 assigned. (From OE-Core rev: 6cca08b2857efd5481e837ecd6bb295cb8a99ee1) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>	2025-06-13 08:58:01 -07:00

Author

SHA1

Message

Date

Peter Marko

6d83b872af

python3: patch CVE-2025-8194

Pick commit from 3.12 branch mentioned in NVD report.
https://nvd.nist.gov/vuln/detail/CVE-2025-8194

(From OE-Core rev: 34f1b4877a0601d2057453c159c76a54754f229a)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>

2025-08-20 07:37:19 -07:00

Peter Marko

ae35f06bb1

python3: update CVE product

There are two "new" CVEs reported for python3, their CPEs are:
* CVE-2020-1171: cpe:2.3🅰️microsoft:python:*:*:*:*:*:visual_studio_code:*:* (< 2020.5.0)
* CVE-2020-1192: cpe:2.3🅰️microsoft:python:*:*:*:*:*:visual_studio_code:*:* (< 2020.5.0)
These are for "Visual Studio Code Python extension".

Solve this by addding CVE vendor to python CVE product to avoid
confusion with Microsoft as vendor.

Examining CVE DB for historical python entries shows:
sqlite> select vendor, product, count(*) from products where product = 'python' or product = 'cpython'
   ...> or product like 'python%3' group by vendor, product;
microsoft|python|2
python|python|1054
python_software_foundation|python|2

Note that this already shows that cpython product is not used, so
CVE-2023-33595 mentioned in 62598e1138f21a16d8b1cdd1cfe902aeed854c5c
was updated.
But let's keep it for future in case new CVE starts with that again.

(From OE-Core rev: 72369cd66f78a371608c3fff205e0e96c248f2b3)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>

2025-07-21 09:07:21 -07:00

Peter Marko

c4f82e3fd5

python3: upgrade 3.12.9 -> 3.12.11

Drop upstreamed patch and refresh remaining patches.

* https://www.python.org/downloads/release/python-31210/

  Python 3.12.10 is the latest maintenance release of Python 3.12, and
  the last full maintenance release. Subsequent releases of 3.12 will be
  security-fixes only.

* https://www.python.org/downloads/release/python-31211/

  Security content in this release
  * gh-135034: [CVE 2024-12718] [CVE 2025-4138] [CVE 2025-4330]
    [CVE 2025-4435] [CVE 2025-4517] Fixes multiple issues that allowed
    tarfile extraction filters (filter="data" and filter="tar") to be
    bypassed using crafted symlinks and hard links.
  * gh-133767: Fix use-after-free in the “unicode-escape” decoder with a
    non-“strict” error handler.
  * gh-128840: Short-circuit the processing of long IPv6 addresses early
    in ipaddress to prevent excessive memory consumption and a minor
    denial-of-service.

gh-133767 got meawhile CVE-2025-4516 assigned.

(From OE-Core rev: 6cca08b2857efd5481e837ecd6bb295cb8a99ee1)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>

2025-06-13 08:58:01 -07:00

3 Commits