This recipe was previously part of the master branch but was removed
because the zstd module was integrated into the Python standard library
starting from Python 3.14.
Since Scarthgap uses Python 3.12, restore and update this recipe for users
on this branch.
Signed-off-by: Jérémie Dautheribes (Schneider Electric) <jeremie.dautheribes@bootlin.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Set the correct CVE_PRODUCT value, the default python: ecdsa doesn't
match relevant entries.
The correct values were taken from the CVE db, by checking which CVEs
are relevant.
See CVE db query:
sqlite> select * from products where product like '%ecdsa%';
CVE-2019-14853|python-ecdsa_project|python-ecdsa|||0.13.3|<
CVE-2019-14859|python-ecdsa_project|python-ecdsa|||0.13.3|<
CVE-2020-12607|antonkueltz|fastecdsa|||2.1.2|<
CVE-2021-43568|starkbank|elixir_ecdsa|1.0.0|=||
CVE-2021-43569|starkbank|ecdsa-dotnet|1.3.2|=||
CVE-2021-43570|starkbank|ecdsa-java|1.0.0|=||
CVE-2021-43571|starkbank|ecdsa-node|1.1.2|=||
CVE-2021-43572|starkbank|ecdsa-python|||2.0.1|<
CVE-2022-24884|ecdsautils_project|ecdsautils|||0.4.1|<
CVE-2024-21502|antonkueltz|fastecdsa|||2.3.2|<
CVE-2024-23342|tlsfuzzer|ecdsa|||0.18.0|<=
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 7f962ef155)
Signed-off-by: Himanshu Jadon <hjadon@cisco.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
These grpc python modules contain parts of grpc core.
Each CVE needs to be assessed if the patch applies also to core parts
included in each module.
Note that so far there was never a CVE specific for python module, only
for grpc:grpc and many of those needed to be fixed at leasts in grpcio:
sqlite> select vendor, product, count(*) from products where product like '%grpc%' group by vendor, product;
grpc|grpc|21
grpck|grpck|1
linuxfoundation|grpc_swift|9
microsoft|grpconv|1
opentelemetry|configgrpc|1
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit f993cb2ecb)
Signed-off-by: Himanshu Jadon <hjadon@cisco.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
The resulting pybind11_jsonTargets.cmake in the dev-package adds an
absolute path to python include directories in the target properties:
set_target_properties(pybind11_json PROPERTIES
INTERFACE_INCLUDE_DIRECTORIES "/usr/include/python3.13;${_IMPORT_PREFIX}/include"
)
The patch removes ${PYTHON_INCLUDE_DIRS} which is set by pybind11 from
set_target_properties to remove the poisonous host path.
Signed-off-by: Tafil Avdyli <tafil@tafhub.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 0332dae9bb)
Signed-off-by: Tafil Avdyli <tafil@tafhub.de>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
The project has a proper pyproject.toml which declares the hatchling.build PEP-517 backend.
Fix:
WARNING: python3-eventlet-0.36.1-r0 do_check_backend: QA Issue: inherits setuptools3 but has pyproject.toml with hatchling.build, use the correct class [pep517-backend]
Signed-off-by: alperak <alperyasinak1@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 19affc7a21)
This is cherry-picked into Scarthgap, because the Setuptools backend
seems to be broken - it doesn't install the submodules, making import fail:
root@qemux86-64:~# python3
Python 3.12.12 (main, Oct 9 2025, 11:07:00) [GCC 13.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import eventlet
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/lib/python3.12/site-packages/eventlet/__init__.py", line 6, in <module>
from eventlet import convenience
File "/usr/lib/python3.12/site-packages/eventlet/convenience.py", line 4, in <module>
from eventlet import greenpool
File "/usr/lib/python3.12/site-packages/eventlet/greenpool.py", line 4, in <module>
from eventlet import queue
File "/usr/lib/python3.12/site-packages/eventlet/queue.py", line 48, in <module>
from eventlet.event import Event
File "/usr/lib/python3.12/site-packages/eventlet/event.py", line 1, in <module>
from eventlet import hubs
See also https://github.com/eventlet/eventlet/issues/1071
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
File "/usr/lib/python3.12/site-packages/google/protobuf/internal/type_checkers.py", line 25, in <module>
import ctypes
ModuleNotFoundError: No module named 'ctypes'
tested on qemu86-64
Signed-off-by: Jan Vermaete <jan.vermaete@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(From meta-openembedded rev: d1b8ebc2a5)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Pick patch from PR in NVD report.
It is the only code change in 33.5 release.
Skip the test file change as it's not shipped in python module sources.
Resolve formatting-only conflict.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Upgrade to openssl 3.4.0 added sys/types.h into include/openssl/e_os2.h
Unfortunetelly swig has issue with this and the build broke.
Add a workaroung to remove this include until swig is fixed.
In our setup this include is not necessary.
Upstream issue: https://github.com/swiftlang/swift/issues/69311
(From meta-openembedded rev: f9158ce32f)
This backport is part of effort to upgrade openssl to LTS in scarthgap.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Python watchdog has removed all dependencies except optional `pyyaml`
dependency for `watchmedo` utility, like follows [1]:
* pathtools dependency was removed in 1.0.0
* python-argh dependency removed in 2.1.6
* requests was never a dependency
* pyyaml only needed for extras (`watchmedo`) and may not be strictly necessary
[1] https://github.com/gorakhargosh/watchdog/blob/master/changelog.rst
Signed-off-by: Tero Kinnunen <tero.kinnunen@vaisala.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Contains fixes for CVE-2024-49768 and CVE-2024-49769
Changelog:
3.0.1:
- Python 3.8 is no longer supported.
- Added support for Python 3.13.
- Fix a bug that would lead to Waitress busy looping on select() on a half-open
socket due to a race condition that existed when creating a new HTTPChannel.
- No longer strip the header values before passing them to the WSGI environ.
- Fix a race condition in Waitress when `channel_request_lookahead` is enabled
that could lead to HTTP request smuggling.
3.0.2:
- When using Waitress to process trusted proxy headers, Waitress will now
update the headers to drop any untrusted values, thereby making sure that
WSGI apps only get trusted and validated values that Waitress itself used to
update the environ.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Contains a fix for CVE-2024-6221 (related patch dropped) and CVE-2024-1681
Changelog:
4.0.1:
- Fix Read the Docs builds
- Update extension.py to clean request.path before logging it
- Update CI to include Python 3.12 and flask 3.0.3
4.0.2:
- Bump requests from 2.31.0 to 2.32.0 in /docs
- Backwards Compatible Fix for CVE-2024-6221
- Add unit tests for Private-Network
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Upstream has switched from setuptools3 build backend to setuptools_build_meta,
however their setuptools requirements are higher than what's available in oe-core.
As a workaround, add a patch that lowers the requirements. This change has been
tested by successfully executing the django test suite in qemu (without Selenium tests).
Changes:
4.2.27: https://docs.djangoproject.com/en/6.0/releases/4.2.27/
- Fix CVE-2025-13372
- Fix CVE-2025-64460
- Fixed a regression in Django 4.2.26 where DisallowedRedirect was raised by
HttpResponseRedirect and HttpResponsePermanentRedirect for URLs longer than 2048 characters.
The limit is now 16384 characters
4.2.26: https://docs.djangoproject.com/en/6.0/releases/4.2.26/
- Fix CVE-2025-64458
- Fix CVE-2025-64459
4.2.25: https://docs.djangoproject.com/en/6.0/releases/4.2.25/
- Fix CVE-2025-59681
- Fix CVE-2025-59682
4.2.24: https://docs.djangoproject.com/en/6.0/releases/4.2.24/
- Fix CVE-2025-57833
4.2.23: https://docs.djangoproject.com/en/6.0/releases/4.2.23/
- Fix CVE-2025-48432
4.2.22: https://docs.djangoproject.com/en/6.0/releases/4.2.22/
- Fix CVE-2025-48432
4.2.21: https://docs.djangoproject.com/en/6.0/releases/4.2.21/
- Change build backend
- Fix CVE-2025-32873
- Fixed a data corruption possibility in file_move_safe() when
allow_overwrite=True, where leftover content from a previously larger file could
remain after overwriting with a smaller one due to lack of truncation
- Fixed a regression in Django 4.2.20, introduced when fixing CVE 2025-26699,
where the wordwrap template filter did not preserve empty lines between paragraphs
after wrapping text
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
4.6.3
- Security release to address CVE-2024-5629.
4.6.2
- Fixed a bug appearing in Python 3.12 where "RuntimeError: can't create new thread at interpreter shutdown" could be written to stderr when a MongoClient's thread starts as the python interpreter is shutting down.
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Jérémie Dautheribes (Schneider Electric )
Gyorgy Sarvari
Peter Marko
Hitendra Prajapati
Ankur Tyagi
Haixiao Yan
Tafil Avdyli
Geoff Parker
alperak
Jan Vermaete
Tero Kinnunen