mirrors/poky - poky - zepto initiative

mirrors/poky

Fork 0

mirror of https://git.yoctoproject.org/poky synced 2026-02-06 16:56:37 +01:00

Commit Graph

Author	SHA1	Message	Date
Peter Marko	e371e6b3a7	python3: patch CVE-2025-8194 Pick commit from 3.12 branch mentioned in NVD report. https://nvd.nist.gov/vuln/detail/CVE-2025-8194 (From OE-Core rev: 4ae9daf3d05530952a8b002257dd9afda2e077e4) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>	2025-08-18 13:18:01 -07:00
Peter Marko	843820d9e4	python3: update CVE product There are two "new" CVEs reported for python3, their CPEs are: * CVE-2020-1171: cpe:2.3🅰️microsoft:python::::::visual_studio_code::* (< 2020.5.0) * CVE-2020-1192: cpe:2.3🅰️microsoft:python::::::visual_studio_code::* (< 2020.5.0) These are for "Visual Studio Code Python extension". Solve this by addding CVE vendor to python CVE product to avoid confusion with Microsoft as vendor. Examining CVE DB for historical python entries shows: sqlite> select vendor, product, count(*) from products where product = 'python' or product = 'cpython' ...> or product like 'python%3' group by vendor, product; microsoft\|python\|2 python\|python\|1054 python_software_foundation\|python\|2 (From OE-Core rev: 06f615e6939a22bc8f12b30d8dea582ab3ccebe6) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>	2025-07-18 08:32:26 -07:00
Peter Marko	8cd040c218	python3: upgrade 3.10.16 -> 3.10.18 Drop upstreamed patch and refresh remaining patches. * https://www.python.org/downloads/release/python-31017/ Security content in this release * gh-131809: Upgrade vendored expat to 2.7.1 * gh-80222: Folding of quoted string in display_name violates RFC * gh-121284: Invalid RFC 2047 address header after refolding with email.policy.default * gh-131261: Update libexpat to 2.7.0 * gh-105704: CVE-2025-0938 urlparse does not flag hostname containing [ or ] as incorrect * gh-119511: OOM vulnerability in the imaplib module * https://www.python.org/downloads/release/python-31018/ Security content in this release * gh-135034: [CVE 2024-12718] [CVE 2025-4138] [CVE 2025-4330] [CVE 2025-4435] [CVE 2025-4517] Fixes multiple issues that allowed tarfile extraction filters (filter="data" and filter="tar") to be bypassed using crafted symlinks and hard links. * gh-133767: Fix use-after-free in the “unicode-escape” decoder with a non-“strict” error handler. * gh-128840: Short-circuit the processing of long IPv6 addresses early in ipaddress to prevent excessive memory consumption and a minor denial-of-service. gh-133767 got meawhile CVE-2025-4516 assigned. (From OE-Core rev: 838a8b5ca148dfa6c6c2c76f1705d1e358a31648) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>	2025-06-13 08:42:35 -07:00

Author

SHA1

Message

Date

Peter Marko

e371e6b3a7

python3: patch CVE-2025-8194

Pick commit from 3.12 branch mentioned in NVD report.
https://nvd.nist.gov/vuln/detail/CVE-2025-8194

(From OE-Core rev: 4ae9daf3d05530952a8b002257dd9afda2e077e4)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>

2025-08-18 13:18:01 -07:00

Peter Marko

843820d9e4

python3: update CVE product

There are two "new" CVEs reported for python3, their CPEs are:
* CVE-2020-1171: cpe:2.3🅰️microsoft:python:*:*:*:*:*:visual_studio_code:*:* (< 2020.5.0)
* CVE-2020-1192: cpe:2.3🅰️microsoft:python:*:*:*:*:*:visual_studio_code:*:* (< 2020.5.0)
These are for "Visual Studio Code Python extension".

Solve this by addding CVE vendor to python CVE product to avoid
confusion with Microsoft as vendor.

Examining CVE DB for historical python entries shows:
sqlite> select vendor, product, count(*) from products where product = 'python' or product = 'cpython'
   ...> or product like 'python%3' group by vendor, product;
microsoft|python|2
python|python|1054
python_software_foundation|python|2

(From OE-Core rev: 06f615e6939a22bc8f12b30d8dea582ab3ccebe6)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>

2025-07-18 08:32:26 -07:00

Peter Marko

8cd040c218

python3: upgrade 3.10.16 -> 3.10.18

Drop upstreamed patch and refresh remaining patches.

* https://www.python.org/downloads/release/python-31017/

  Security content in this release
  * gh-131809: Upgrade vendored expat to 2.7.1
  * gh-80222: Folding of quoted string in display_name violates RFC
  * gh-121284: Invalid RFC 2047 address header after refolding with
    email.policy.default
  * gh-131261: Update libexpat to 2.7.0
  * gh-105704: CVE-2025-0938 urlparse does not flag hostname containing
    [ or ] as incorrect
  * gh-119511: OOM vulnerability in the imaplib module

* https://www.python.org/downloads/release/python-31018/

  Security content in this release
  * gh-135034: [CVE 2024-12718] [CVE 2025-4138] [CVE 2025-4330]
    [CVE 2025-4435] [CVE 2025-4517] Fixes multiple issues that allowed
    tarfile extraction filters (filter="data" and filter="tar") to be
    bypassed using crafted symlinks and hard links.
  * gh-133767: Fix use-after-free in the “unicode-escape” decoder with a
    non-“strict” error handler.
  * gh-128840: Short-circuit the processing of long IPv6 addresses early
    in ipaddress to prevent excessive memory consumption and a minor
    denial-of-service.

gh-133767 got meawhile CVE-2025-4516 assigned.

(From OE-Core rev: 838a8b5ca148dfa6c6c2c76f1705d1e358a31648)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>

2025-06-13 08:42:35 -07:00

3 Commits