This change is for python3-django_2.2.28.
During backporting a patch for CVE-2024-56374, an import got into
the patch for v2.2.28 that does not exist yet in that version.
This patch handles this import with a fallback to prevent throwing
and ImportError.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
This change is for python3-django_2.2.28.
This patch is an extension for CVE-2024-27351.patch. The class that patch
introduced wasn't completely suitable for this version of the recipe, because
it was accessing a function of it that was not implemented (the upstream
version that introduced this class did not use that function, it is specific
to this old version).
This patch adds the missing implementation to avoid errors.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
This change is for python3-django_2.2.28.
The patch that mitigated CVE-2024-246680 accidentally also brought
a regression, some numbers were converted to (human-friendly) string incorrectly.
This backported patch mitigates this problem.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
This change is for python3-django_2.2.28.
This patch contains an incorrect intendation, making the tests fail.
This change fixes that.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Fix the following error introduced by CVE-2024-42005.patch:
AttributeError: module 'django.db.models' has no attribute 'JSONField'
The patch assumes JSONField is available from django.db.models, which
is not the case for this Django version.
Revert the changes in the following files to restore compatibility:
tests/expressions/models.py
tests/expressions/test_queryset_values.py
Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Fix the following error introduced by CVE-2024-27351.patch and
CVE-2025-32873.patch:
NameError: name '_lazy_re_compile' is not defined
Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Per [1] this is a problem of applications using memcached inproperly.
This should not be a CVE against php-memcached, but for whatever
software the issue was actually found in. php-memcached and
libmemcached provide a VERIFY_KEY flag if they're too lazy to
filter untrusted user input.
[1] https://github.com/php-memcached-dev/php-memcached/issues/519
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 889ccce684)
Adapted to Kirkstone (CVE_STATUS -> CVE_CHECK_IGNORE)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-28370
The NVD advisory mentions that the vulnerability was fixed
in v6.3.2. I checked the commits in that tag, and picked the
only one that's commit message described the same vulnerability
as the NVD report.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
The recipe contains two CVE_CHECK_IGNORE declarations, and the second
one overwrites the first one - however the first one is also important.
Instead of overwriting it, just append them to each other. Also, move the
operations closer to each other, so it's easier to see what's going on.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
These grpc python modules contain parts of grpc core.
Each CVE needs to be assessed if the patch applies also to core parts
included in each module.
Note that so far there was never a CVE specific for python module, only
for grpc:grpc and many of those needed to be fixed at leasts in grpcio:
sqlite> select vendor, product, count(*) from products where product like '%grpc%' group by vendor, product;
grpc|grpc|21
grpck|grpck|1
linuxfoundation|grpc_swift|9
microsoft|grpconv|1
opentelemetry|configgrpc|1
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit f993cb2ecb)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
This is a bugfix release, with some ioctl handling fixes.
Changelog:
- Adjust the handling of SPI_IOC_RD_LSB_FIRST ioctl call
- Parameter for SPI_IOC_WR_LSB_FIRST ioctl is {0, 1}.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Changelog:
2.0.4:
- Fix missing comma in JSON output.
2.0.3:
- Fix segfault when filelimit is used and tree encounters a directory it
cannot enter.
- Use += when assigning CFLAGS and LDFLAGS in the Makefile allowing
them to be modified by environment variables during make. (Ben Brown)
Possibly assumes GNU make.
- Fixed broken -x option (stops recursing.)
- Fix use after free (causing segfault) for dir/subdir in list.c
- Fixes for .gitignore functionality
- Fixed * handing in patmatch. Worked almost like ** before, now properly
stops at /'s. These issues were the result of forgetting that patmatch()
was just to match filenames to patterns, not paths.
- Patterns starting with / are actually relative to the .gitignore file,
not the root of the filesystem, go figure.
- Patterns without /'s in .gitignore apply to any file in any directory
under the .gitignore, not just the .gitignore directory
- Remove "All rights reserved" from copyright statements. A left-over from
trees original artistic license.
- Add in --du and --prune to --help output
- Fixed segfault when an unknown directory is given with -X
- Fixed output up for -X and -J options.
- Remove one reference to strnlen which isn't necessary since it may not
be available on some OS's.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
The upstream site (landley.net) serves inconsistent content when using HTTP,
causing checksum mismatches during do_fetch. Using HTTPS ensures stable
downloads and resolves checksum failures.
Signed-off-by: Sanjay Chitroda <sanjayembeddedse@gmail.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
This CVE is not for python-django, but for some go project
which shares the same name.
Ignore this CVE due to this.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Gyorgy Sarvari
Haixiao Yan
Peter Marko
Hitendra Prajapati
Jeroen Hofstee
Vijay Anusuri
wangmy
Jason Schonberg
Sanjay Chitroda