Ankur Tyagi
8a69f13465
python3-django: upgrade 4.2.29 -> 4.2.30
Release Notes:
https://docs.djangoproject.com/en/dev/releases/4.2.30/
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-08 07:22:44 +05:30
Gyorgy Sarvari
e424330cc1
python3-django: upgrade 5.2.12 -> 5.2.13
Contains fixes for CVE-2026-3902, CVE-2026-4277, CVE-2026-4292,
CVE-2026-33033 and CVE-2026-33034.
Changelog: https://docs.djangoproject.com/en/6.0/releases/5.2.13/
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-08 07:22:44 +05:30
Bartosz Golaszewski
d301c5a3e0
python3-gpiod: update to v2.4.2
Bug-fix release addressing a buffer overflow bug discovered during an
AI-augmented security audit as well as another minor issue with
unnecessarily duplicated code.
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
(cherry picked from commit 7e24f2b5a8)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-08 07:22:44 +05:30
Wang Mingyu
2259e75e79
python3-bitarray: upgrade 3.8.0 -> 3.8.1
Changelog:
==========
* fixed critical findings in C Extension Analysis Report
* add tests, in particular 'devel/test_capi.py'
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
(cherry picked from commit 041704b01c)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-08 07:22:44 +05:30
Wang Mingyu
f92680f61d
python3-tzdata: upgrade 2025.3 -> 2026.1
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
(cherry picked from commit 36111dde1a)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-08 07:22:44 +05:30
Wang Mingyu
8ecca3786c
python3-tzdata: upgrade 2025.2 -> 2025.3
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 2c0a4edb58)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-08 07:22:44 +05:30
Wang Mingyu
2ce4783d77
python3-werkzeug: upgrade 3.1.7 -> 3.1.8
Request.host and get_host return the empty string if the header is missing or has invalid characters.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
(cherry picked from commit d8c310aa52)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-08 07:22:44 +05:30
Wang Mingyu
f110ce82a6
python3-werkzeug: upgrade 3.1.6 -> 3.1.7
Changelog:
==========
- parse_list_header preserves partially quoted items, discards empty items, and
  returns empty for unclosed quoted values.
- WWWAuthenticate.to_header does not produce a trailing space when there are no
  parameters.
- Transfer-Encoding is parsed as a set.
- Request.host, get_host, and host_is_trusted validate the characters of the
  value. An empty value is no longer allowed. A Unix socket server address is
  ignored. The trusted_list argument to host_is_trusted is optional.
- Fix multipart form parser handling of newline at boundary.
- Response.make_conditional sets the Accept-Ranges header even if it is not a
  satisfiable range request.
- merge_slashes merges any number of consecutive slashes.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
(cherry picked from commit db8bd24b0d)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-08 07:22:44 +05:30
Mingli Yu
6ae02f0f60
python3-ecdsa: Upgrade 0.19.1 -> 0.19.2
Changelog:
https://github.com/tlsfuzzer/python-ecdsa/releases/tag/python-ecdsa-0.19.2
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
(cherry picked from commit 27d096d984)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-08 07:22:44 +05:30
Gyorgy Sarvari
9f003507af
python3-grpcio: ignore CVE-2026-33186
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-33186
The vulnerability only affects the Go implementation of the library,
not the Python one. Ignore this CVE due to this.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
(cherry picked from commit 468ee626f8)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-08 07:22:44 +05:30
Gyorgy Sarvari
850b7f6fd7
protobuf, python3-protobuf: ignore CVE-2026-6409
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-6409
The vulnerability impacts only the PHP library component, not the
cpp/python one. Ignore this CVE due to this.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
(cherry picked from commit aef8bc3422)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-05-08 07:22:44 +05:30
Ankur Tyagi
f6ba658a27
python3-apiflash: upgrade 3.0.0 -> 3.0.2
https://github.com/apiflask/apiflask/releases/tag/3.0.1
https://github.com/apiflask/apiflask/releases/tag/3.0.2
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-21 08:57:47 +05:30
Ankur Tyagi
afaedb6761
python3-alembic: add HOMEPAGE
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-21 08:57:47 +05:30
Ankur Tyagi
9fedb9a3e7
python3-aiofiles: fix HOMEPAGE
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-21 08:57:47 +05:30
Ankur Tyagi
797f437169
python3-astroid: upgrade 4.0.2 -> 4.0.4
https://github.com/pylint-dev/astroid/releases/tag/v4.0.3
https://github.com/pylint-dev/astroid/releases/tag/v4.0.4
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-21 08:57:47 +05:30
Bartosz Golaszewski
40642ec810
python3-gpiod: update to v2.4.1
Bug-fix release addressing a memory leak and a couple of minor issues.
We now ship the license file with the dist tarball so update the recipe
to take this into account. While at it: trim the LICENSE value to only
include LGPL-v2.1-or-later as the other two licenses cover tests and
text files.
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit f75f4164fd)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-26 10:29:24 +05:30
Gyorgy Sarvari
6e9eff155e
python3-marshmallow: mark CVE-2025-68480 patched
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-68480
The vulnerability has been fixed in version 4.1.2[1], however
NVD tracks this CVE without version info. Mark it as patched explicitly.
[1]: https://github.com/marshmallow-code/marshmallow/commit/d24a0c9df061c4daa92f71cf85aca25b83eee508
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-26 10:29:24 +05:30
Ankur Tyagi
eb76962875
python3-tornado: upgrade 6.5.4 -> 6.5.5
Security fixes including CVE-2026-31958
https://www.tornadoweb.org/en/stable/releases/v6.5.5.html
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-26 10:29:24 +05:30
Ankur Tyagi
dbde84f17b
python3-pyjwt: Fix CVE-2026-32597
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-32597
Backport commit[1] which fixes this vulnerability as mentioned in changelog[2].
Dropped changes to the changelog, version bump and tests during backport.
[1] https://github.com/jpadilla/pyjwt/commit/051ea341b5573fe3edcd53042f347929b92c2b92
[2] https://github.com/jpadilla/pyjwt/blob/2.12.0/CHANGELOG.rst
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-26 10:29:24 +05:30
Gyorgy Sarvari
d7546078a9
python3-django: upgrade 4.2.28 -> 4.2.29
Contains fixes for CVE-2026-25673 and CVE-2026-25674.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-26 10:29:23 +05:30
Gyorgy Sarvari
c08b3e9d8f
python3-django: upgrade 5.2.11 -> 5.2.12
Ptests passed successfully.
Changelog: https://docs.djangoproject.com/en/6.0/releases/5.2.12/
- Fixed CVE-2026-25673 and CVE-2026-25674
- Fixed NameError when inspecting functions making use of deferred
  annotations in Python 3.14.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-26 10:29:23 +05:30
Gyorgy Sarvari
6bb74fff88
python3-protobuf: mark CVE-2026-0994 patched
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-0994
It is fixed already in the currently used version, however NVD tracks
it without any version info, so it still shows up in CVE reports.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-09 07:49:32 +05:30
Gyorgy Sarvari
9fcdfa8b22
python3-pillow: patch CVE-2026-25990
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-25990
Backport the patch referenced by the NVD advisory.
Note that the patch contains some new binary test data, which
requires "git" PATCHTOOL - other tools fail to apply binary patches.
All ptests passed successfully:
Testsuite summary
TOTAL: 5011
PASS: 4577
SKIP: 431
XFAIL: 3
FAIL: 0
XPASS: 0
ERROR: 0
DURATION: 59
END: /usr/lib/python3-pillow/ptest
2026-03-06T17:58
STOP: ptest-runner
TOTAL: 1 FAIL: 0
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-09 07:49:31 +05:30
Gyorgy Sarvari
a892f6cfc9
python3-nltk: upgrade 3.9.2 -> 3.9.3
Contains fix for CVE-2026-14009.
Changelog:
* Fix CVE-2025-14009: secure ZIP extraction in nltk.downloader
* Block path traversal/arbitrary reads in nltk.data for protocol-less refs
* Block path traversal/abs paths in corpus readers and FS pointers
* Validate external StanfordSegmenter JARs using SHA256
* Add optional sandbox enforcement for filestring()
* Maintenance: downloader/zipped models, CI/tooling updates
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 14d464c150)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-09 07:49:30 +05:30
Leon Anavi
d925b85aee
python3-flask: Upgrade 3.1.2 -> 3.1.3
Upgrade to release 3.1.3:
- The session is marked as accessed for operations that only access
  the keys but not the values, such as in and len.
Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 0badc6de53)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-06 10:09:14 +05:30
Gyorgy Sarvari
b75a502874
python3-werkzeug: upgrade 3.1.5 -> 3.1.6
Contains fix for CVE-2026-27199
Changelog: safe_join on Windows does not allow special device names in multi-segment paths
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 9cbc4befe5)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-06 10:09:14 +05:30
Wang Mingyu
34c62e2edf
python3-sqlparse: upgrade 0.5.4 -> 0.5.5
Changelog:
==========
* Fix DoS protection to raise SQLParseError instead of silently returning None
  when grouping limits are exceeded
* Fix splitting of BEGIN TRANSACTION statements
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 48617f7032)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-06 10:09:13 +05:30
Ankur Tyagi
f21e5cdea1
python3-greenlet: upgrade 3.2.4 -> 3.2.5
Fix a crash on Python 3.9 if there are active greenlets during interpreter shutdown
https://greenlet.readthedocs.io/en/latest/changes.html#id4
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-06 10:09:13 +05:30
Leon Anavi
6928c475f2
python3-filelock: Upgrade 3.20.2 -> 3.20.3
Upgrade to release 3.20.3:
- Fix TOCTOU symlink vulnerability in SoftFileLock
Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-06 10:09:12 +05:30
Leon Anavi
21f3c64e8e
python3-filelock: Upgrade 3.20.1 -> 3.20.2
Upgrade to release 3.20.2:
- Support Unix systems without O_NOFOLLOW
- [pre-commit.ci] pre-commit autoupdate
Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 8b5e1f5dbf)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-06 10:09:12 +05:30
Wang Mingyu
6829eda4e2
python3-filelock: upgrade 3.20.0 -> 3.20.1
Changelog:
CVE-2025-68146: Fix TOCTOU symlink vulnerability in lock file creation
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit c2710a2df9)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-06 10:09:11 +05:30
Tafil Avdyli
a82f3ae1f3
python3-pybind11-json: fix Targets.cmake trying to reference host
The resulting pybind11_jsonTargets.cmake in the dev-package adds an
absolute path to python include directories in the target properties:

    set_target_properties(pybind11_json PROPERTIES
      INTERFACE_INCLUDE_DIRECTORIES "/usr/include/python3.13;${_IMPORT_PREFIX}/include"
    )

The patch removes ${PYTHON_INCLUDE_DIRS} which is set by pybind11 from
set_target_properties to remove the poisonous host path.
Signed-off-by: Tafil Avdyli <tafil@tafhub.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 0332dae9bb)
Signed-off-by: Tafil Avdyli <tafil@tafhub.de>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-03-06 10:09:01 +05:30
Gyorgy Sarvari
a876a9549e
python3-django: upgrade 4.2.27 -> 4.2.28
Contains fixes for CVE-2025-13473, CVE-2025-14550, CVE-2026-1207,
CVE-2026-1285, CVE-2026-1287 and CVE-2026-1312
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-02-19 08:20:31 +05:30
Gyorgy Sarvari
52ad98a187
python3-django: upgrade 5.2.9 -> 5.2.11
Changelog:
5.2.11:
Contains fixes for CVE-2025-13473, CVE-2025-14550, CVE-2026-1207, CVE-2026-1285,
CVE-2026-1287 and CVE-2026-1312
5.2.10:
* Fixed a bug in Django 5.2 where data exceeding max_length was silently
  truncated by QuerySet.bulk_create on PostgreSQL.
* Fixed a bug where management command colorized help (introduced in
  Python 3.14) ignored the --no-color option and the DJANGO_COLORS setting.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-02-19 08:20:31 +05:30
Tero Kinnunen
5329a32c57
python3-watchdog: Remove obsolete dependencies
Python watchdog has removed all dependencies except optional `pyyaml`
dependency for `watchmedo` utility, like follows [1]:
* pathtools dependency was removed in 1.0.0
* python-argh dependency removed in 2.1.6
* requests was never a dependency
* pyyaml only needed for extras (`watchmedo`) and may not be strictly necessary
[1] https://github.com/gorakhargosh/watchdog/blob/master/changelog.rst
Signed-off-by: Tero Kinnunen <tero.kinnunen@vaisala.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-02-19 08:20:30 +05:30
Gyorgy Sarvari
b6fe5458db
python3-python-multipart: patch CVE-2026-24486
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-24486
Pick the patch that is referenced by the NVD advisory.
Ptests passed successfully:
Testsuite summary
TOTAL: 121
PASS: 121
SKIP: 0
XFAIL: 0
FAIL: 0
XPASS: 0
ERROR: 0
DURATION: 2
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-02-19 08:20:29 +05:30
Gyorgy Sarvari
5cae540dd4
python3-werkzeug: upgrade 3.1.4 -> 3.1.5
Contains fix for CVE-2026-21860
Changelog:
- safe_join on Windows does not allow more special device names,
  regardless of extension or surrounding spaces.
- The multipart form parser handles a \r\n sequence at a chunk boundary.
  This fixes the previous attempt, which caused incorrect content lengths.
- Fix AttributeError when initializing DebuggedApplication with pin_security=False.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit ecf359d256)
From the release notes:
This is the Werkzeug 3.1.5 security fix release, which fixes security issues
and bugs but does not otherwise change behavior and should not result in
breaking changes compared to the latest feature release.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-02-19 08:20:27 +05:30
Wang Mingyu
5604ce6479
python3-werkzeug: upgrade 3.1.3 -> 3.1.4
Changelog:
==========
- safe_join on Windows does not allow special device names. This prevents
  reading from these when using send_from_directory. secure_filename already
  prevented writing to these.
- The debugger pin fails after 10 attempts instead of 11.
- The multipart form parser handles a \r\n sequence at a chunk boundary.
- Improve CPU usage during Watchdog reloader.
- Request.json annotation is more accurate.
- Traceback rendering handles when the line number is beyond the available
  source lines.
- HTTPException.get_response annotation and doc better conveys the distinction
  between WSGI and sans-IO responses.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 74aa2bdac6)
Contains fix for CVE-2025-66221.
From the release notes:
This is the Werkzeug 3.1.4 fix release, which fixes bugs but does not otherwise
change behavior and should not result in breaking changes compared to the latest
feature release.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-02-19 08:20:27 +05:30
Gyorgy Sarvari
87ce1e904b
python3-virtualenv: patch CVE-2026-22702
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-22702
Backport the patch that is referenced by the NVD advisory.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-02-19 08:20:26 +05:30
Gyorgy Sarvari
ea9fb97f53
python3-uvicorn: mark CVE-2020-7694 patched
Details: https://nvd.nist.gov/vuln/detail/CVE-2020-7694
The vulnerability was reported to the project[1], and the commit[2] that
resolved the issue has been part of the project since version 0.11.7.
Mark the CVE as patched due to this.
[1]: https://github.com/Kludex/uvicorn/issues/723
[2]: https://github.com/Kludex/uvicorn/commit/895807f94ea9a8e588605c12076b7d7517cda503
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit a5ee234b8c)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-02-19 08:20:26 +05:30
Gyorgy Sarvari
4ea2403439
python3-twitter: mark CVE-2012-5825 patched
Details: https://nvd.nist.gov/vuln/detail/CVE-2012-5825
The Debian bugtracker[1] indicated that the issue is tracked by
upstream in github[2] (with a different CVE ID, but same issue),
where the vulnerability was confirmed. Later in the same github issue
the solution is confirmed: the project switched to use the requests
library, which doesn't suffer from this vulnerability.
Due to this mark the CVE as patched.
[1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692444
[2]: https://github.com/tweepy/tweepy/issues/279
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 3ee544e759)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-02-19 08:20:26 +05:30
Wang Mingyu
8742c9fac0
python3-tornado: upgrade 6.5.3 -> 6.5.4
Bug fixes
~~~~~~~~~
- The "in" operator for "HTTPHeaders" was incorrectly case-sensitive, causing
  lookups to fail for headers with different casing than the original header name.
  This was a regression in version 6.5.3 and has been fixed to restore the intended
  case-insensitive behavior from version 6.5.2 and earlier.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit ebca0ae79d)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-02-19 08:20:25 +05:30
Wang Mingyu
2b143a275a
python3-tornado: upgrade 6.5.2 -> 6.5.3
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 8ba97b6646)
Changelog: https://github.com/tornadoweb/tornado/blob/master/docs/releases/v6.5.3.rst
- Fix CVE-2025-67724, CVE-2025-67725 and CVE-2025-67726
- Fix open redirect vulnerabilities in demos
- Fix path traversal vulnerabilities in demos
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-02-19 08:20:25 +05:30
Gyorgy Sarvari
7049927e65
python3-pyjwt: ignore CVE-2025-45768
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-45768
The CVE is disputed: though the vulnerability is there, it comes
from incorrect configuration of the library by the main application.
Due to this, ignore this CVE.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-02-19 08:20:24 +05:30
Gyorgy Sarvari
f17cb75cac
python3-py: ignore CVE-2022-42969
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-42969
Upstream could not reproduce the issue.
The vulnerability currently has the "disputed" flag in the NVD database,
and Github has revoked their related advisory[1].
Ignore this CVE due to this.
[1]: https://github.com/advisories/GHSA-w596-4wvx-j9j6
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 91f6b85b36)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-02-19 08:20:24 +05:30
Gyorgy Sarvari
67474b0bdc
python3-orjson: upgrade 3.10.17 -> 3.10.18
Changelog:
Fix incorrect escaping of the vertical tabulation character.
This was introduced in 3.10.17.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-02-19 08:20:23 +05:30
Wang Mingyu
a1538075cf
python3-marshmallow: upgrade 4.1.1 -> 4.1.2
Changelog:
Merge error store messages without rebuilding collections.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 54691ea40a)
Contains fix for CVE-2025-68480
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-02-19 08:20:23 +05:30
Wang Mingyu
b67599470c
python3-marshmallow: upgrade 4.1.0 -> 4.1.1
Bug fix:
Ensure URL validator is case-insensitive when using custom schemes
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 3933501591)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-02-19 08:20:22 +05:30
Gyorgy Sarvari
341e1204be
python3-m2crypto: mark CVE-2020-25657 as patched
Details: https://nvd.nist.gov/vuln/detail/CVE-2020-25657
The commit[1] that fixes the vulnerability has been part of the
package since version 0.39.0.
[1]: https://git.sr.ht/~mcepl/m2crypto/commit/84c53958def0f510e92119fca14d74f94215827a
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit ba6468f7a0)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-02-19 08:20:22 +05:30
Gyorgy Sarvari
49cf55619b
python3-m2crypto: ignore CVE-2009-0127
Details: https://nvd.nist.gov/vuln/detail/CVE-2009-0127
The vulnerability is disputed[1] by upstream:
"There is no vulnerability in M2Crypto. Nowhere in the functions
are the return values of OpenSSL functions interpreted incorrectly.
The functions provide an interface to their users that may be
considered confusing, but is not incorrect, nor is it a vulnerability."
[1]: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-0127
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit b46a5452a1)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-02-19 08:20:21 +05:30