Bug-fix release addressing a memory leak and a couple minor issues.
We now ship the license file with the dist tarball so update the recipe
to take this into account. While at it: trim the LICENSE value to only
include LGPL-v2.1-or-later as the other two licenses cover tests and
text files.
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit f75f4164fd)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
The resulting pybind11_jsonTargets.cmake in the dev-package adds an
absolute path to python include directories in the target properties:
set_target_properties(pybind11_json PROPERTIES
INTERFACE_INCLUDE_DIRECTORIES "/usr/include/python3.13;${_IMPORT_PREFIX}/include"
)
The patch removes ${PYTHON_INCLUDE_DIRS} which is set by pybind11 from
set_target_properties to remove the poisonous host path.
Signed-off-by: Tafil Avdyli <tafil@tafhub.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 0332dae9bb)
Signed-off-by: Tafil Avdyli <tafil@tafhub.de>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Changelog:
5.2.11:
Contains fixes for CVE-2025-13473, CVE-2025-14550, CVE-2026-1207, CVE-2026-1285,
CVE-2026-1287 and CVE-2026-1312
5.2.10:
* Fixed a bug in Django 5.2 where data exceeding max_length was silently
truncated by QuerySet.bulk_create on PostgreSQL.
* Fixed a bug where management command colorized help (introduced in
Python 3.14) ignored the --no-color option and the DJANGO_COLORS setting.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Python watchdog has removed all dependencies except optional `pyyaml`
dependency for `watchmedo` utility, like follows [1]:
* pathtools dependency was removed in 1.0.0
* python-argh dependency removed in 2.1.6
* requests was never a dependency
* pyyaml only needed for extras (`watchmedo`) and may not be strictly necessary
[1] https://github.com/gorakhargosh/watchdog/blob/master/changelog.rst
Signed-off-by: Tero Kinnunen <tero.kinnunen@vaisala.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Contains fix for CVE-2026-21860
Changelog:
- safe_join on Windows does not allow more special device names,
regardless of extension or surrounding spaces.
- The multipart form parser handles a \r\n sequence at a chunk boundary.
This fixes the previous attempt, which caused incorrect content lengths.
- Fix AttributeError when initializing DebuggedApplication with pin_security=False.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit ecf359d256)
From the release notes:
This is the Werkzeug 3.1.5 security fix release, which fixes security issues
and bugs but does not otherwise change behavior and should not result in
breaking changes compared to the latest feature release.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Changelog:
==============
- safe_join on Windows does not allow special device names. This prevents
reading from these when using send_from_directory. secure_filename already
prevented writing to these.
- The debugger pin fails after 10 attempts instead of 11.
- The multipart form parser handles a \r\n sequence at a chunk boundary.
- Improve CPU usage during Watchdog reloader.
- Request.json annotation is more accurate.
- Traceback rendering handles when the line number is beyond the available
source lines.
- HTTPException.get_response annotation and doc better conveys the distinction
between WSGI and sans-IO responses.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 74aa2bdac6)
Contains fix for CVE-2025-66221.
From the release notes:
This is the Werkzeug 3.1.4 fix release, which fixes bugs but does not otherwise
change behavior and should not result in breaking changes compared to the latest
feature release.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Bug fixes
~~~~~~~~~
- The "in" operator for "HTTPHeaders" was incorrectly case-sensitive, causing
lookups to fail for headers with different casing than the original header name.
This was a regression in version 6.5.3 and has been fixed to restore the intended
case-insensitive behavior from version 6.5.2 and earlier.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit ebca0ae79d)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Changelog:
Fix incorrect escaping of the vertical tabulation character.
This was introduced in 3.10.17.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Contains fixes for CVE-2025-61911 and CVE-2025-61912
Changelog:
Security fixes:
- CVE-2025-61911 (GHSA-r7r6-cc7p-4v5m): Enforce str input in
ldap.filter.escape_filter_chars with escape_mode=1; ensure proper
escaping.
- CVE-2025-61912 (GHSA-p34h-wq7j-h5v6): Correct NUL escaping in
ldap.dn.escape_dn_chars to \00 per RFC 4514.
Fixes:
- ReconnectLDAPObject now properly reconnects on UNAVAILABLE, CONNECT_ERROR
and TIMEOUT exceptions (previously only SERVER_DOWN), fixing reconnection
issues especially during server restarts
- Fixed syncrepl.py to use named constants instead of raw decimal values
for result types
- Fixed error handling in SearchNoOpMixIn to prevent a undefined variable error
Tests:
- Added comprehensive reconnection test cases including concurrent operation
handling and server restart scenarios
Doc:
- Updated installation docs and fixed various documentation typos
- Added ReadTheDocs configuration file
Infrastructure:
- Add testing and document support for Python 3.13
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 9eabbca905)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Contains a fix for CVE-2024-6221 (related patch dropped) and CVE-2024-1681
Changelog:
4.0.1:
- Fix Read the Docs builds
- Update extension.py to clean request.path before logging it
- Update CI to include Python 3.12 and flask 3.0.3
4.0.2:
- Bump requests from 2.31.0 to 2.32.0 in /docs
- Backwards Compatible Fix for CVE-2024-6221
- Add unit tests for Private-Network
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
(cherry picked from commit fbe5524dc8)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Ankur Tyagi
Bartosz Golaszewski
Gyorgy Sarvari
Leon Anavi
Wang Mingyu
Tafil Avdyli
Tero Kinnunen