Commit Graph

4522 Commits

Author SHA1 Message Date
Jon Mason 66bb701b2e python3-cbor2: Fix CVE-2025-68131 CVE patch error
The patch for CVE-2025-68131 does not actually match https://github.com/agronholm/cbor2/commit/f1d701cd2c411ee40bb1fe383afe7f365f35abf0
Specifically, the indenting in decode_from_bytes.

This is causing an error in trusted-firmware-m of
| Traceback (most recent call last):
|   File "/builder/meta-arm/build/tmp/work/corstone1000_fvp-poky-linux-musl/trusted-firmware-m/1.5.0+gitAUTOINC+f8c7e5361b-r0/git/tfm/bl2/ext/mcuboot/scripts/wrapper/wrapper.py", line 21, in <module>
|     import imgtool.main
|   File "/builder/meta-arm/build/tmp/work/corstone1000_fvp-poky-linux-musl/trusted-firmware-m/1.5.0+gitAUTOINC+f8c7e5361b-r0/git/mcuboot/scripts/imgtool/main.py", line 25, in <module>
|     from imgtool import image, imgtool_version
|   File "/builder/meta-arm/build/tmp/work/corstone1000_fvp-poky-linux-musl/trusted-firmware-m/1.5.0+gitAUTOINC+f8c7e5361b-r0/git/mcuboot/scripts/imgtool/image.py", line 24, in <module>
|     from .boot_record import create_sw_component_data
|   File "/builder/meta-arm/build/tmp/work/corstone1000_fvp-poky-linux-musl/trusted-firmware-m/1.5.0+gitAUTOINC+f8c7e5361b-r0/git/mcuboot/scripts/imgtool/boot_record.py", line 21, in <module>
|     from cbor2 import dumps
|   File "/builder/meta-arm/build/tmp/work/corstone1000_fvp-poky-linux-musl/trusted-firmware-m/1.5.0+gitAUTOINC+f8c7e5361b-r0/recipe-sysroot-native/usr/lib/python3.10/site-packages/cbor2/__init__.py", line 1, in <module>
|     from .decoder import load, loads, CBORDecoder  # noqa
|   File "/builder/meta-arm/build/tmp/work/corstone1000_fvp-poky-linux-musl/trusted-firmware-m/1.5.0+gitAUTOINC+f8c7e5361b-r0/recipe-sysroot-native/usr/lib/python3.10/site-packages/cbor2/decoder.py", line 215
|     with BytesIO(buf) as fp:
|     ^
| IndentationError: expected an indented block after 'with' statement on line 214

Indenting to match the original patch fixes this.

Also, because this version of cbor2 is older, it doesn't include commit
53e21063ed1d72ac8f911044dd598a7f9ef72406, which adds 'Any' to encode.py
Because that is missing, we see the following error:
|   File "/builder/meta-arm/build/tmp/work/corstone1000_fvp-poky-linux-musl/trusted-firmware-m/1.5.0+gitAUTOINC+f8c7e5361b-r0/recipe-sysroot-native/usr/lib/python3.10/site-packages/cbor2/__init__.py", line 2, in <module>
|     from .encoder import dump, dumps, CBOREncoder, shareable_encoder  # noqa
|   File "/builder/meta-arm/build/tmp/work/corstone1000_fvp-poky-linux-musl/trusted-firmware-m/1.5.0+gitAUTOINC+f8c7e5361b-r0/recipe-sysroot-native/usr/lib/python3.10/site-packages/cbor2/encoder.py", line 68, in <module>
|     class CBOREncoder:
|   File "/builder/meta-arm/build/tmp/work/corstone1000_fvp-poky-linux-musl/trusted-firmware-m/1.5.0+gitAUTOINC+f8c7e5361b-r0/recipe-sysroot-native/usr/lib/python3.10/site-packages/cbor2/encoder.py", line 266, in CBOREncoder
|     def _encode_value(self, obj: Any) -> None:

To get around this issue, remove the "Any" from the encoder.py. The
logic behind this (instead of importing typing) is that this is the only
instance, and that this is not something that will be updated
frequently with patches from upstream.

Signed-off-by: Jon Mason <jon.mason@arm.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-04-13 16:30:11 +02:00
Naman Jain 457e1a61e0 python3-protobuf: ignore CVE-2024-7254
CVE-2024-7254 is a stack overflow vulnerability caused by unbounded
recursion, specifically within the Java Protobuf Lite and Full runtimes
(including Kotlin and JRuby bindings).

The python3-protobuf recipe builds the Python implementation using the
C++ backend (--cpp_implementation). This implementation does not
contain the vulnerable Java-specific parsing logic (such as
DiscardUnknownFieldsParser or ArrayDecoders).

Authoritative security sources, including Red Hat and GitHub Advisory,
have confirmed that non-Java implementations (Python/C++) are not
affected by this specific flaw.

Reference: https://access.redhat.com/security/cve/cve-2024-7254

Signed-off-by: Naman Jain <namanj1@kpit.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-04-03 10:40:37 +00:00
Gyorgy Sarvari c66c447396 python3-werkzeug: ignore CVE-2026-27199
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-27199

The vulnerability affects only the application on the Windows operating system.
Due to this, ignore this CVE.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-02-27 14:28:50 +01:00
Hitendra Prajapati f19f8995e2 python3-cbor2: patch CVE-2025-68131
Backport the patch[1] which fixes this vulnerability as mentioned in the
comment[2].
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-68131

[1] https://github.com/agronholm/cbor2/commit/f1d701cd2c411ee40bb1fe383afe7f365f35abf0
[2] https://github.com/agronholm/cbor2/pull/268#issuecomment-3719179000

Dropped changes to the changelog from the original commit.

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-02-27 14:28:43 +01:00
Gyorgy Sarvari c1eda860f4 python3-django: upgrade 4.2.27 -> 4.2.28
Contains fixes for CVE-2025-13473, CVE-2025-14550, CVE-2026-1207,
CVE-2026-1285, CVE-2026-1287 and CVE-2026-1312

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-02-15 15:30:54 +01:00
Peter Marko 9492cdbbf8 python3-protobuf: patch CVE-2026-0994
Pick patch from PR in NVD report.
It is the only code change in 33.5 release.
Skip the test file change as it's not shipped in python module sources.
Resolve formatting-only conflict.

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-02-03 19:53:58 +01:00
zhengruoqin c95de73853 python3-pymongo: upgrade 4.1.0 -> 4.1.1
Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-1-1-released/157895

Signed-off-by: Zheng Ruoqin <zhengrq.fnst@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 5bfe98cb40)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-01-30 18:59:29 +01:00
Gyorgy Sarvari 0f26b38ebc python3-pymongo: patch CVE-2024-5629
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-5629

Backport the patch that is indicated to solve the issue based on the
upstream project's Jira ticket[1] (which comes from the NVD report).

[1]: https://jira.mongodb.org/browse/PYTHON-4305

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-01-30 18:59:29 +01:00
Gyorgy Sarvari fd620677ce python3-ecdsa: ignore CVE-2024-23342
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-23342

The issue won't be fixed, because it is not in the scope of the
project. See also the discussion in the relevant Github issue[1].

[1]: https://github.com/tlsfuzzer/python-ecdsa/issues/330

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-01-30 18:59:29 +01:00
Gyorgy Sarvari 363dc629d4 python3-twitter: mark CVE-2012-5825 patched
Details: https://nvd.nist.gov/vuln/detail/CVE-2012-5825

The Debian bugtracker[1] indicated that the issue is tracked by
upstream in github[2] (with a different CVE ID, but the same issue),
where the vulnerability was confirmed. Later in the same github issue
the solution is confirmed: the project switched to use the requests
library, which doesn't suffer from this vulnerability.

Due to this, mark the CVE as patched.

[1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692444
[2]: https://github.com/tweepy/tweepy/issues/279

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 3ee544e759)

Adapted to Kirkstone (CVE_STATUS -> CVE_CHECK_IGNORE)

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-01-30 18:59:29 +01:00
Gyorgy Sarvari 7adb0931bc python3-paramiko: upgrade 2.10.3 -> 2.10.6
Bugfix releases.

Changelog:
2.10.4:
- Servers offering certificate variants of hostkey algorithms
  (eg ssh-rsa-cert-v01@openssh.com) could not have their host
  keys verified by Paramiko clients, as it only ever considered
  non-cert key types for that part of connection handshaking.
  This has been fixed.
- PKey instances’ __eq__ did not have the usual safety guard in
  place to ensure they were being compared to another PKey object,
  causing occasional spurious BadHostKeyException (among other
  things). This has been fixed.
- Update camelCase method calls against the threading module to
  be snake_case; this and related tweaks should fix some deprecation
  warnings under Python 3.10.

2.10.5:
- Windows-native SSH agent support as merged in 2.10 could encounter
  Errno 22 OSError exceptions in some scenarios (eg server not cleanly
  closing a relevant named pipe). This has been worked around and
  should be less problematic.
- OpenSSH 7.7 and older has a bug preventing it from understanding
  how to perform SHA2 signature verification for RSA certificates
  (specifically certs - not keys), so when we added SHA2 support it
  broke all clients using RSA certificates with these servers. This
  has been fixed in a manner similar to what OpenSSH’s own client
  does: a version check is performed and the algorithm used is
  downgraded if needed.
- Align signature verification algorithm with OpenSSH re: zero-padding
  signatures which don’t match their nominal size/length. This shouldn’t
  affect most users, but will help Paramiko-implemented SSH servers
  handle poorly behaved clients such as PuTTY.

2.10.6:
- Raise SSHException explicitly when blank private key data is loaded,
  instead of the natural result of IndexError. This should help more
  bits of Paramiko or Paramiko-adjacent codebases to correctly handle
  this class of error.
- Update SSHClient so it explicitly closes its wrapped socket object
  upon encountering socket errors at connection time. This should help
  somewhat with certain classes of memory leaks, resource warnings,
  and/or errors (though we hasten to remind everyone that Client and
  Transport have their own .close() methods for use in non-error
  situations!).

https://www.paramiko.org/changelog.html

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-01-30 18:59:29 +01:00
wangmy 8a3e79cf68 python3-croniter: upgrade 1.3.5 -> 1.3.7
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 546ccc4a5b)

Changelog:
 - fix tests
 - Fix croniter_range infinite loop

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-01-30 18:59:28 +01:00
Xu Huan b2cd699bbb python3-croniter: upgrade 1.3.4 -> 1.3.5
Signed-off-by: Xu Huan <xuhuan.fnst@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 94f564fc96)

Changelog:
Add Python 3.10 support.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-01-30 18:59:28 +01:00
Wang Mingyu 70b16622ab python3-smpplib: upgrade 2.2.2 -> 2.2.3
Changelog:
Fix: correct UCS2 part length following #184

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit d4cb5d585d)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-01-30 18:59:28 +01:00
Wang Mingyu 126d5246db python3-smpplib: upgrade 2.2.1 -> 2.2.2
Changelog:
==========
 Added python 3.10 tests to CircleCI
 fix socket recv error being silently ignored
 Refactored Client.read_pdu()
 Refactored Client.send_pdu()
 increment sequence of commands as spec (fixes #214)

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 50bbe6ab5f)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-01-30 18:59:28 +01:00
Xu Huan b7ab23179d python3-werkzeug: upgrade 2.1.1 -> 2.1.2
Changelog:
==========
    The development server does not set Transfer-Encoding: chunked for 1xx, 204, 304, and HEAD responses.
    Response HTML for exceptions and redirects starts with <!doctype html> and <html lang=en>.
    Fix ability to set some cache_control attributes to False.
    Disable keep-alive connections in the development server, which are not supported sufficiently by Python’s http.server.

Signed-off-by: Xu Huan <xuhuan.fnst@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 0704ebad0d)

Rebased patches in Kirkstone.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-01-30 18:59:28 +01:00
Wang Mingyu 01098510f3 python3-bidict: upgrade 0.22.0 -> 0.22.1
Changelog:
==========
- Only include the source code in the source distribution. This reduces the
  size of the source distribution from 200kB to 30kB.
- Fix the return type hint of bidict.inverted() to return an Iterator, rather
  than an Iterable.

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-01-30 18:59:28 +01:00
Gyorgy Sarvari 12d4f40a4a python3-twisted: patch CVE-2022-24801
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-24801

Pick the commits from the pull request that is referenced by the NVD report.

(The full set consists of 13 patches, but the ones that only updated
news/readme/typo fixes in comments were not backported.)

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-01-20 18:22:07 +01:00
Gyorgy Sarvari d29ee9b387 python3-werkzeug: ignore CVE-2026-21860
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-21860

The issue affects only Windows operating systems.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-01-20 18:22:06 +01:00
Gyorgy Sarvari e07db81979 python3-eventlet: patch CVE-2025-58068
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-58068

Pick the patch mentioned in the NVD advisory.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-01-20 18:22:04 +01:00
Gyorgy Sarvari a14d2e2df1 python3-eventlet: upgrade 0.33.0 -> 0.33.3
Bugfix releases.

Changelog:
0.33.3:
* dnspython 2.3.0 raised AttributeError: module 'dns.rdtypes' has no
  attribute 'ANY' https://github.com/eventlet/eventlet/issues/781

0.33.2:
* greenio: GreenPipe/fdopen() with 'a' in mode raised io.UnsupportedOperation:
  File or stream is not writable https://github.com/eventlet/eventlet/pull/758

0.33.1:
* Prevent deadlock on logging._lock https://github.com/eventlet/eventlet/issues/742

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-01-20 18:22:03 +01:00
Gyorgy Sarvari 8f5f5cf4b3 python3-django: (4.2.27) add back setuptools3 support
The upstream project has switched to the build_meta build backend with
version 4.2.21, and when the recipe was updated to 4.2.26, the build
backend was changed in the layer also.

Even though the recipe compilation didn't fail, it didn't install the required
files (it pretty much produced empty folders): because the build backend
required a much newer setuptools version than the one provided by oe-core,
it errored out silently. This problem may be hidden by other layers that
ship a newer version of setuptools, like the kirkstone-rust branch in the
meta-lts-mixins layer.

To be able to install the recipe (without adding extra layers), this patch
partially reverts the build backend change from upstream, and adds back
setuptools build support.

Ptest summary after this patch:
Ran 16377 tests in 353.124s
OK (skipped=1287, expected failures=5)

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-01-19 15:24:39 +01:00
Gyorgy Sarvari ae49a08199 python3-django: upgrade 4.2.26 -> 4.2.27
Changelog:
- Fix CVE-2025-13372
- Fix CVE-2025-64460
- Fixed a regression in Django 4.2.26 where DisallowedRedirect was
  raised by HttpResponseRedirect and HttpResponsePermanentRedirect
  for URLs longer than 2048 characters. The limit is now 16384 characters.

https://docs.djangoproject.com/en/6.0/releases/4.2.27/

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-01-17 13:45:38 +01:00
Gyorgy Sarvari 5974cd90a8 python3-django: fix CVE-2023-36053 patch
This change is for python3-django_2.2.28.

The patch was accidentally backported incorrectly. The patch in general
introduces a field-length restriction on the email input fields, however
the patch was backported in a way that the restriction was applied on
file input fields instead of email fields.

This change amends the patch in a way to restrict the email field.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-01-17 13:45:38 +01:00
Gyorgy Sarvari c8b4a0b775 python3-django: (v3.2.25) fix tests
These patches are for python3-django_3.2.25

These patches only touch the tests folder, which is normally not installed.

Most of these changes are backported patches that adapt tests to a more modern
Python environment than they were written for, and some others just fix a bug
in the tests that was always present.

0001-Fix-tag_strip-tests.patch: The html parser's behavior in Python has changed,
making this testcase fail. This is a partial backport of the patch, which handles
only the Python version that is shipped with oe-core (the original patch handles
both old and new versions).

0001-Fixed-test_utils.tests.HTMLEqualTests.test_parsing_e.patch: this backported
patch makes a test-verification conform to html5 standard. Previously the test failed.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-01-17 13:45:38 +01:00
Gyorgy Sarvari 08466c714f python3-django: (v3.2.25) fix ipv6 validation
This patch is only for python3-django_3.2.25.

The URL validator didn't detect invalid IPv6 addresses, treating them
as correct ones, making a testcase fail. (Also, according to the comment,
it could also crash in some cases, though I haven't encountered that)

This backported patch mitigates this behavior.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-01-17 13:45:38 +01:00
Gyorgy Sarvari 62927185fe python3-django: (v2.2.28) fix tests
These patches are for python3-django_2.2.28

These patches only touch the tests folder, which is normally not installed.

Most of these changes are backported patches that adapt tests to a more modern
Python environment than they were written for, and some others just fix a bug
in the tests that was always present.

0001-Fix-tag_strip-tests.patch: The html parser's behavior in Python has changed
since 3.9, making this testcase fail. This is a partial backport of the patch,
which handles only the Python version that is shipped with oe-core (the original
patch handles both old and new versions).

0001-Fixed-inspectdb.tests.InspectDBTestCase.test_custom_.patch: SQLite3's behavior
has changed also since the tests were written, making some testcases fail. This
backported patch fixes that.

0001-Fixed-test_utils.tests.HTMLEqualTests.test_parsing_e.patch: this backported
patch makes a test-verification conform to html5 standard. Previously the test failed.

0001-Made-RemoteTestResultTest.test_pickle_errors_detecti.patch: This backported
patch once again adapts a test to an evolved library. tblib's behavior has changed
in a way that the tests couldn't pickle the exceptions from the library, and the
tests that verify exceptions were failing due to this.

0001-fix-quote-type-in-expected-error-message.patch: This is not a backported patch.
Error messages are localized, and a test verifies an error message that contains
a quote. The test expects double quotes, but the default locale used with the testimage
is using single quotes. Since the test and the expected error message are correct
otherwise, just changed this expected quote in the test.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-01-17 13:45:33 +01:00
Gyorgy Sarvari 4b5afd0ea7 python3-django: (v2.2.28) fix ipv6 validation
This patch is only for python3-django_2.2.28.

The URL validator didn't detect invalid IPv6 addresses, treating them
as correct ones, making a testcase fail. (Also, according to the comment,
it could also crash in some cases, though I haven't encountered that)

This backported patch mitigates this behavior.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-01-16 08:41:29 +01:00
Gyorgy Sarvari 5e11a2eba7 python3-django: fix hostname length validation in URLvalidator
This patch is for python3-django_2.2.28

The hostname's length was incorrectly validated: it was checking
an incorrect section of the URL, which made a testcase fail.
This backported patch mitigates this issue.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-01-15 13:50:53 +01:00
Gyorgy Sarvari 6d3dcbce79 python3-django: handle non-existing import from CVE patch
This change is for python3-django_2.2.28.

During backporting a patch for CVE-2024-56374, an import got into
the patch for v2.2.28 that does not exist yet in that version.

This patch handles this import with a fallback to prevent throwing
an ImportError.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-01-15 13:50:52 +01:00
Gyorgy Sarvari 2e331249b2 python3-django: implement group method for FakeMatch
This change is for python3-django_2.2.28.

This patch is an extension for CVE-2024-27351.patch. The class that patch
introduced wasn't completely suitable for this version of the recipe, because
it was accessing a function of it that was not implemented (the upstream
version that introduced this class did not use that function, it is specific
to this old version).

This patch adds the missing implementation to avoid errors.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-01-15 13:50:51 +01:00
Gyorgy Sarvari 4638d0ee22 python3-django: fix regression from CVE-2024-24680 patch
This change is for python3-django_2.2.28.

The patch that mitigated CVE-2024-24680 accidentally also brought
a regression: some numbers were converted to (human-friendly) strings incorrectly.

This backported patch mitigates this problem.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-01-15 13:50:49 +01:00
Gyorgy Sarvari 75a627cd00 python3-django: fix indentation error in CVE patch
This change is for python3-django_2.2.28.

This patch contains an incorrect indentation, making the tests fail.
This change fixes that.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-01-15 13:50:48 +01:00
Haixiao Yan c1d50d3e50 python3-django: Fix missing JSONField in django.db.models
Fix the following error introduced by CVE-2024-42005.patch:

AttributeError: module 'django.db.models' has no attribute 'JSONField'

The patch assumes JSONField is available from django.db.models, which
is not the case for this Django version.

Revert the changes in the following files to restore compatibility:
tests/expressions/models.py
tests/expressions/test_queryset_values.py

Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-01-15 13:45:13 +01:00
Haixiao Yan bca6ddaa0d python3-django: Fix undefined _lazy_re_compile
Fix the following error introduced by CVE-2024-27351.patch and
CVE-2025-32873.patch:

NameError: name '_lazy_re_compile' is not defined

Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-01-15 13:45:04 +01:00
Gyorgy Sarvari 2236de2bd3 python3-tqdm: patch CVE-2024-34062
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-34062

Pick the patch mentioned by the NVD advisory.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-01-08 22:03:03 +01:00
Gyorgy Sarvari 99de91aa3c python3-tornado: patch CVE-2024-52804
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-52804

Pick the patch mentioned by the NVD advisory.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-01-08 22:03:03 +01:00
Gyorgy Sarvari 0e149e4591 python3-tornado: patch CVE-2023-28370
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-28370

The NVD advisory mentions that the vulnerability was fixed
in v6.3.2. I checked the commits in that tag, and picked the
only one whose commit message described the same vulnerability
as the NVD report.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-01-08 22:03:03 +01:00
Gyorgy Sarvari 53abba638b python3-m2crypto: ignore CVE-2009-0127
Details: https://nvd.nist.gov/vuln/detail/CVE-2009-0127

The vulnerability is disputed[1] by upstream:
"There is no vulnerability in M2Crypto. Nowhere in the functions
are the return values of OpenSSL functions interpreted incorrectly.
The functions provide an interface to their users that may be
considered confusing, but is not incorrect, nor it is a vulnerability."

[1]: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-0127

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-01-08 22:03:03 +01:00
Gyorgy Sarvari 1bd2effd23 python3-waitress: patch CVE-2024-49769
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-49769

Pick the patch that is referenced in the NVD report (which is
a merge commit. The patches here are the individual patches from
that merge).

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-01-08 22:03:03 +01:00
Gyorgy Sarvari 1ea440cd62 python3-waitress: patch CVE-2024-49768
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-49768

Pick the patch mentioned in the NVD report (which is a merge commit,
and the patches here are the individual commits from that merge)

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-01-08 22:03:03 +01:00
Gyorgy Sarvari e330e3508d python3-werkzeug: ignore CVE-2024-49766 and CVE-2025-66221
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-49766
https://nvd.nist.gov/vuln/detail/CVE-2025-66221

Both vulnerabilities affect Windows only - ignore them.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-01-08 22:03:03 +01:00
wangmy ff3f1c9fab python3-waitress: upgrade 2.1.1 -> 2.1.2
Remove change of default for clear_untrusted_proxy_headers

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit ef4e48c7a0)

Contains fix for CVE-2022-31015

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-01-08 22:03:03 +01:00
Gyorgy Sarvari 2adb3d6734 python3-mpmath: patch CVE-2021-29063
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-29063

Pick the patch referenced by the NVD advisory.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-01-08 22:03:03 +01:00
Gyorgy Sarvari 304c0c6643 python3-pyjwt: patch CVE-2022-29217
Details: https://nvd.nist.gov/vuln/detail/CVE-2022-29217

Pick the patch referenced by the NVD advisory.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-01-08 22:03:03 +01:00
Gyorgy Sarvari f6d4f623c1 python3-joblib: upgrade 1.1.0 -> 1.1.1
The only change is a fix for CVE-2022-21797

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-01-08 22:03:03 +01:00
Gyorgy Sarvari bbcf3d7d14 python3-ipython: patch CVE-2023-24816
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-24816

Pick the patch referenced by the NVD report.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-01-08 22:03:03 +01:00
Gyorgy Sarvari 292baf6ad8 python3-flask: patch CVE-2023-30861
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-30861

Pick the patch referenced by the NVD report.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-01-08 22:03:03 +01:00
Gyorgy Sarvari 2e557033bd python3-configobj: patch CVE-2023-26112
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-26112

Pick the patch that resolves the issue referenced in the NVD report.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-01-08 22:03:03 +01:00
Gyorgy Sarvari cc53827cc3 python3-cbor2: ignore CVE-2025-64076
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-64076

The vulnerability was introduced in v5.6.0[1]; the recipe version doesn't
contain the vulnerable piece of code.

[1]: https://github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-01-08 22:03:03 +01:00