Sudhir Dumbhare | e61bf028a6 | 2026-06-26 16:55:53 +01:00

python3: Fix CVE-2025-13462

Apply the upstream v3.12 fix [1], aligned with the original v3.13 fix [2],
to address incorrect tarfile handling where GNU long name follow-up headers
could be normalized as directories, as referenced in [3].

[1] d10950739a
[2] ae99fe3a33
[3] https://security-tracker.debian.org/tracker/CVE-2025-13462

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-13462

(From OE-Core rev: 0b990a354ef858d903d4bed937b1233537c2c478)

Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>

Sudhir Dumbhare | 7731db5592 | 2026-06-26 16:55:53 +01:00

python3: Fix CVE-2026-6019

This patch applies the upstream fix [1] and follow-up fix [2], as
referenced in [3] and [4], to address an http.cookies.Morsel.js_output()
flaw where inline JavaScript output escaped quotes but did not neutralize
the HTML parser-sensitive </script> sequence.

[1] 3c59b8b53f
[2] e7d4c3ff42
[3] https://github.com/python/cpython/issues/149144
[4] https://security-tracker.debian.org/tracker/CVE-2026-6019

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2026-6019

(From OE-Core rev: e17af14ae72e21f7f63407ba5c88da160c73bea9)

Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>

Sudhir Dumbhare | 1401e6e003 | 2026-06-26 16:55:53 +01:00

python3: Fix CVE-2026-4519 and CVE-2026-4786

Apply the upstream v3.12 fix [1], aligned with the original v3.11 fix [2],
and follow-up fix [3] to address CVE-2026-4519 by disallowing URLs with
leading dashes when invoking browser commands, as referenced in [5].

CVE-2026-4786 [6] revealed the CVE-2026-4519 fix was incomplete, as %action
in URLs could bypass dash-prefix checks. Apply follow-up fix [4], noted in
[5], to revalidate the URL after %action expansion.

[1] cbba611939
[2] ceac1efc66
[3] 96fc504860
[4] f4654824ae
[5] https://security-tracker.debian.org/tracker/CVE-2026-4519
[6] https://security-tracker.debian.org/tracker/CVE-2026-4786

References:
https://nvd.nist.gov/vuln/detail/CVE-2026-4519
https://nvd.nist.gov/vuln/detail/CVE-2026-4786

(From OE-Core rev: e6d81b3be531e97058366c81056a38c0b6fa7380)

Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>

Sudhir Dumbhare | 703b680089 | 2026-06-26 16:55:53 +01:00

python3: Fix CVE-2026-3644 and CVE-2026-0672

Apply the upstream v3.13 fix [1], as referenced in [2], to address
CVE-2026-3644 by rejecting control characters in http.cookies.Morsel.update(),
the |= operator, and unpickling paths.

CVE-2026-3644 [2] revealed the CVE-2026-0672 fix was incomplete, as
Morsel.update(), |=, and unpickling could bypass input validation. The fix
also adds output validation to BaseCookie.js_output(), matching the
control-character safeguards already present in BaseCookie.output().

[1] d16ecc6c36
[2] https://security-tracker.debian.org/tracker/CVE-2026-3644

References:
https://security-tracker.debian.org/tracker/CVE-2026-3644
https://security-tracker.debian.org/tracker/CVE-2026-0672
https://nvd.nist.gov/vuln/detail/CVE-2026-3644
https://nvd.nist.gov/vuln/detail/CVE-2026-0672

(From OE-Core rev: ac763f139ba7f836d0fa9377295ef7d3b10f2238)

Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>

Hitendra Prajapati | 0c205679dd | 2026-06-19 12:49:08 +01:00

python3: fix CVE-2026-6100

Pick the patch from [1], also mentioned in the NVD report at [2].

[1] c3cf71c336
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-6100
[3] https://security-tracker.debian.org/tracker/CVE-2026-6100

(From OE-Core rev: 0bc9ba624b2fbeff3bf7e2ee4d2858b9c702fca1)

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>

Hitendra Prajapati | d30ed7ed1b | 2026-06-19 12:49:08 +01:00

python3: fix for CVE-2026-1502

Pick the patch from [1], also mentioned in the NVD report at [2].

[1] 05ed7ce7ae
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-1502
[3] https://security-tracker.debian.org/tracker/CVE-2026-1502

(From OE-Core rev: fe96d5bee9c45344e98cda9bac85c9bd853d5a7e)

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>

Vijay Anusuri | 2820a673f1 | 2026-05-04 13:57:31 +01:00

python3: upgrade 3.12.12 -> 3.12.13

Drop upstreamed patches.

Release information:
* https://www.python.org/downloads/release/python-31213/
* The release you're looking at is Python 3.12.13, a security bugfix
  release for the legacy 3.12 series.

Handles CVE-2024-6923 CVE-2025-12084 CVE-2025-13836 CVE-2025-13837
CVE-2025-15282 CVE-2025-59375 CVE-2026-0865 CVE-2026-24515 CVE-2026-25210

(From OE-Core rev: 8b0c626633a1e443cfb6e5f73c6120bff5f6a5ef)

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
[YC: Full changelog: https://docs.python.org/release/3.12.13/whatsnew/changelog.html#python-3-12-13]
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>