Some ptests have started to fail, due to a change in libxml 2.9.12 (oe-core
ships with 2.9.14 currently).
See upstream issue: https://github.com/facelessuser/soupsieve/issues/220
This backported patch solves this issue.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
The current script doesn't execute any tests. This patch fixes the
run-ptest script.
This is mostly a backport of e183db0c8f.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
It fails sometimes when system is under stress
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 38e2f6a9a9)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Twisted is an event-based framework for internet applications. Prior to version
23.10.0rc1, when sending multiple HTTP requests in one TCP packet, twisted.web
will process the requests asynchronously without guaranteeing the response order.
If one of the endpoints is controlled by an attacker, the attacker can delay the
response on purpose to manipulate the response of the second request when a
victim launched two requests using HTTP pipeline. Version 23.10.0rc1 contains a
patch for this issue.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-46137https://security-tracker.debian.org/tracker/CVE-2023-46137
Upstream patch:
1e6e9d23ca
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Twisted is an event-based framework for internet applications, supporting Python 3.6+.
The `twisted.web.util.redirectTo` function contains an HTML injection vulnerability.
If application code allows an attacker to control the redirect URL this vulnerability
may result in Reflected Cross-Site Scripting (XSS) in the redirect response HTML body.
This vulnerability is fixed in 24.7.0rc1.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-41810
Upstream patch:
046a164f89
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
This CVE fix was added to protobuf recipe but since it's patching python
code, it should have been submitted to python3-protobuf.
Take the patch from protobuf recipe and adapt to python3-protobuf.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
- Fix CVE-2025-53643:
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and
Python. Prior to version 3.12.14, the Python parser is vulnerable to a
request smuggling vulnerability due to not parsing trailer sections of
an HTTP request. If a pure Python version of aiohttp is installed (i.e.
without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled,
then an attacker may be able to execute a request smuggling attack to
bypass certain firewalls or proxy protections. Version 3.12.14 contains
a patch for this issue.
References:
https://nvd.nist.gov/vuln/detail/CVE-2025-53643
- Drop CVE-2024-42367.patch:
According to upstream discussion and advisory [1][2], aiohttp 3.8.6 is
not affected by CVE-2024-42367, and the patch is therefore no longer
needed.
[1] https://github.com/advisories/GHSA-jwhx-xcg6-8xhj
[2] https://github.com/aio-libs/aiohttp/issues/11149
Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
aiohttp is an asynchronous HTTP client/server framework for asyncio and
Python. Prior to version 3.10.2, static routes which contain files with
compressed variants (`.gz` or `.br` extension) are vulnerable to path
traversal outside the root directory if those variants are symbolic
links. The server protects static routes from path traversal outside the
root directory when `follow_symlinks=False` (default). It does this by
resolving the requested URL to an absolute path and then checking that
path relative to the root. However, these checks are not performed when
looking for compressed variants in the `FileResponse` class, and
symbolic links are then automatically followed when performing the
`Path.stat()` and `Path.open()` to send the file. Version 3.10.2
contains a patch for the issue.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-42367https://github.com/aio-libs/aiohttp/security/advisories/GHSA-jwhx-xcg6-8xhj
Upstream patch:
ce2e975881
Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Twisted is an event-based framework for internet applications, supporting Python 3.6+.
The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP
requests out-of-order, possibly resulting in information disclosure. This vulnerability
is fixed in 24.7.0rc1.
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-41671https://ubuntu.com/security/CVE-2024-41671
Upstream patches:
f1cb4e616eef2c755e9e
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Set GRPC_PYTHON_BUILD_EXT_COMPILER_JOBS to limit spawned compiler
processes. Without this it uses all available CPUs (via
multiprocessing.cpu_count()) and can exhaust build host since there are
lot of files to compile (e.g. with 128 cores it manages to spawn 128 gcc
processes)
Note that this is a general problem for all setuptools based builds with
build_ext compilation which can either compile with 1 thread or
cpu_count threads. grpcio hot-patches setuptools and allows to set
specific build concurrency value.
(From master rev: fe582374d3)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Passing a heavily nested list to sqlparse.parse() leads to a Denial
of Service due to RecursionError.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-4340
Upstream-patch:
b4a39d9850
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2
before 4.2.17. The strip_tags() method and striptags template filter are subject
to a potential denial-of-service attack via certain inputs containing large
sequences of nested incomplete HTML entities.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-53907
Upstream-patch:
790eb058b0
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
An issue was discovered in Django v5.1.1, v5.0.9, and v4.2.16. The
django.contrib.auth.forms.PasswordResetForm class, when used in a view
implementing password reset flows, allows remote attackers to enumerate
user e-mail addresses by sending password reset requests and observing
the outcome (only when e-mail sending is consistently failing).
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-45231
Upstream-patch:
bf4888d317
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
An issue was discovered in Django 5.1 before 5.1.1, 5.0 before 5.0.9, and
4.2 before 4.2.16. The urlize() and urlizetrunc() template filters are
subject to a potential denial-of-service attack via very large inputs with
a specific sequence of characters.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-45230
Upstream-patch:
d147a8ebbd
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The
urlize and urlizetrunc template filters, and the AdminURLFieldWidget widget,
are subject to a potential denial-of-service attack via certain inputs with a
very large number of Unicode characters.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-41991
Upstream-patch:
efea1ef7e2
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15.
The urlize() and urlizetrunc() template filters are subject to a potential
denial-of-service attack via very large inputs with a specific sequence of
characters.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-41990
Upstream-patch:
d0a82e26a7
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The
floatformat template filter is subject to significant memory consumption when
given a string representation of a number in scientific notation with a large
exponent.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-41989
Upstream-patches:
08c5a787264b066bde69dcd9746983fc76660f58
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14.
get_supported_language_variant() was subject to a potential denial-of-service
attack when used with very long strings containing specific characters.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-39614
Upstream-patch:
17358fb35f
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values
of Accept-Language headers are cached in order to avoid repetitive parsing. This leads
to a potential denial-of-service vector via excessive memory usage if the raw value of
Accept-Language headers is very large.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-23969
Upstream-patch:
c7e0151fdf
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
An issue was discovered in Django 4.2 before 4.2.14 and 5.0 before 5.0.7.
urlize and urlizetrunc were subject to a potential denial of service attack
via certain inputs with a very large number of brackets.
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-38875https://github.com/advisories/GHSA-qg2p-9jwr-mmqf
Upstream-patch:
79f3687642
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Werkzeug is a Web Server Gateway Interface web application library. Applications
using `werkzeug.formparser.MultiPartParser` corresponding to a version of Werkzeug
prior to 3.0.6 to parse `multipart/form-data` requests (e.g. all flask applications)
are vulnerable to a relatively simple but effective resource exhaustion (denial of
service) attack. A specifically crafted form submission request can cause the parser
to allocate and block 3 to 8 times the upload size in main memory. There is no upper
limit; a single upload at 1 Gbit/s can exhaust 32 GB of RAM in less than 60 seconds.
Werkzeug version 3.0.6 fixes this issue.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-49767
Upstream-patch:
8760275afb
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Werkzeug is a comprehensive WSGI web application library. The debugger in
affected versions of Werkzeug can allow an attacker to execute code on a
developer's machine under some circumstances. This requires the attacker
to get the developer to interact with a domain and subdomain they control,
and enter the debugger PIN, but if they are successful it allows access to
the debugger even if it is only running on localhost. This also requires
the attacker to guess a URL in the developer's application that will trigger
the debugger. This vulnerability is fixed in 3.0.3.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-34069
Upstream-patches:
71b69dfb7d890b6b6263
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
CVE-2023-49081:
aiohttp is an asynchronous HTTP client/server framework for asyncio and
Python. Improper validation made it possible for an attacker to modify
the HTTP request (e.g. to insert a new header) or create a new HTTP
request if the attacker controls the HTTP version. The vulnerability
only occurs if the attacker can control the HTTP version of the request.
This issue has been patched in version 3.9.0.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-49081
Upstream patches:
1e86b777e6
CVE-2024-30251:
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python.
In affected versions an attacker can send a specially crafted POST
(multipart/form-data) request. When the aiohttp server processes it, the server
will enter an infinite loop and be unable to process any further requests. An
attacker can stop the application from serving requests after sending a single
request. This issue has been addressed in version 3.9.4. Users are advised to
upgrade. Users unable to upgrade may manually apply a patch to their systems.
Please see the linked GHSA for instructions.
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-30251
Upstream patches:
cebe526b9c7eecdff163f21c6f2ca5
CVE-2024-52304:
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python.
Prior to version 3.10.11, the Python parser parses newlines in chunk extensions
incorrectly which can lead to request smuggling vulnerabilities under certain
conditions. If a pure Python version of aiohttp is installed (i.e. without the
usual C extensions) or `AIOHTTP_NO_EXTENSIONS` is enabled, then an attacker may
be able to execute a request smuggling attack to bypass certain firewalls or
proxy protections. Version 3.10.11 fixes the issue.
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-52304
Upstream patches:
259edc3690
CVE-2023-49082:
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python.
Improper validation makes it possible for an attacker to modify the HTTP
request (e.g. insert a new header) or even create a new HTTP request if the
attacker controls the HTTP method. The vulnerability occurs only if the
attacker can control the HTTP method (GET, POST etc.) of the request. If the
attacker can control the HTTP version of the request it will be able to modify
the request (request smuggling). This issue has been patched in version 3.9.0.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-49082
Upstream patches:
a43bc17798
CVE-2024-27306:
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python.
A XSS vulnerability exists on index pages for static file handling. This
vulnerability is fixed in 3.9.4. We have always recommended using a reverse
proxy server (e.g. nginx) for serving static files. Users following the
recommendation are unaffected. Other users can disable `show_index` if unable
to upgrade.
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-27306
Upstream patches:
28335525d1
Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
* drop unused SRC_URI[sha256sum] as this recipe uses git fetcher
* release-0.3.0 branch doesn't exist, but the SRCREV is in master branch:
geomet $ git branch -a --contains 73ec5ec96cca32f2e2461d3964fc3d4ab80248f9
* master
remotes/origin/HEAD -> origin/master
remotes/origin/master
remotes/origin/release-1.0
remotes/origin/release-1.1.0
* release-0.3.0 branch doesn't exist even the tarball on MIRROR:
https://sources.yoctoproject.org/mirror/sources/git2_github.com.geomet.geomet.git.tar.gz
not sure when it was removed from upstream git repo, but it was removed:
Pruning origin
URL: https://github.com/geomet/geomet.git
* [pruned] refs/heads/issue_esri_srid
* [pruned] refs/pull/74/merge
* [pruned] refs/pull/76/merge
* [pruned] refs/pull/77/merge
* [pruned] refs/heads/release-0.3.0
* master branch is used since mickledore upgrade to 1.0.0 in:
https://git.openembedded.org/meta-openembedded/commit/?h=mickledore&id=382f7d51e3b92b8b7a23cd98f9bfc63c51a33dfd
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Change the reference to the MIT license containing LICENSE file in the
downloaded archive.
Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Change the reference to the MIT license containing LICENSE file in the
downloaded archive.
Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Change the reference to the Apache-2.0 license containing LICENSE file
in the downloaded archive.
Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Contents of
https://github.com/pycurl/pycurl/blob/REL_7_45_1/COPYING-LGPL
correspond to version 2.1 of the license rather than 2.0.
Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
According to https://pypi.org/project/pillow/ and
https://github.com/python-pillow/Pillow/blob/9.4.0/LICENSE the project
is subject to HPND license.
Also change SUMMARY to DESCRIPTION as it's value is clearly over 72
characters long.
Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Both project pypi page: https://pypi.org/project/cbor2/ as well as
https://github.com/agronholm/cbor2/blob/5.4.2/LICENSE.txt state that it
is subject to MIT rather than Apache-2.0 license. Also update
LIC_FILES_CHKSUM value to reference the LICENSE.txt file from the
downloaded archive.
Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
The repositorys LICENSE file contains BSD-3-Clause license text, so
update the relevant recipe information field to match.
Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15.
QuerySet.values() and values_list() methods on models with a JSONField are
subject to SQL injection in column aliases via a crafted JSON object key
as a passed *arg.
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-42005
Upstream-patch:
f4af67b9b4
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
To fix crash due to missing module:
File "/usr/lib/python3.11/site-packages/twisted/internet/defer.py", line 42, in <module>
from typing_extensions import Literal, ParamSpec, Protocol
ModuleNotFoundError: No module named 'typing_extensions'
Signed-off-by: Hains van den Bosch <hainsvdbosch@ziggo.nl>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Guðni Már Gilbert <gudnimar@noxmedical.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
To fix crash due to missing module:
from twisted.internet import defer
File "/usr/lib/python3.11/site-packages/twisted/internet/defer.py", line 14, in <module>
from asyncio import AbstractEventLoop, Future, iscoroutine
ModuleNotFoundError: No module named 'asyncio'
Signed-off-by: Hains van den Bosch <hainsvdbosch@ziggo.nl>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Guðni Már Gilbert <gudnimar@noxmedical.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
aiohttp is an asynchronous HTTP client/server framework
for asyncio and Python.When using aiohttp as a web server
and configuring static routes, it is necessary to specify
the root path for static files. Additionally, the option
'follow_symlinks' can be used to determine whether to
follow symbolic links outside the static root directory.
When 'follow_symlinks' is set to True, there is no
validation to check if reading a file is within the root
directory. This can lead to directory traversal
vulnerabilities, resulting in unauthorized access to
arbitrary files on the system, even when symlinks are not
present. Disabling follow_symlinks and using a reverse proxy
are encouraged mitigations. Version 3.9.2 fixes this issue.
References:
https://security-tracker.debian.org/tracker/CVE-2024-23334https://github.com/aio-libs/aiohttp/releases/tag/v3.9.2
Signed-off-by: Rahul Janani Pandi <RahulJanani.Pandi@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
