Commit Graph

31292 Commits

Author SHA1 Message Date
Fathi Boudra
78ccc36d6f python3-django: upgrade 4.2.11 -> 4.2.16
CVE-2024-45230: Potential denial-of-service vulnerability in
django.utils.html.urlize()
urlize and urlizetrunc were subject to a potential denial-of-service attack
via very large inputs with a specific sequence of characters.

CVE-2024-45231: Potential user email enumeration via response status on
password reset
Due to unhandled email sending failures, the
django.contrib.auth.forms.PasswordResetForm class allowed remote attackers to
enumerate user emails by issuing password reset requests and observing the
outcomes.
To mitigate this risk, exceptions occurring during password reset email
sending are now handled and logged using the django.contrib.auth logger.

CVE-2024-41989: Memory exhaustion in django.utils.numberformat.floatformat()
The floatformat template filter is subject to significant memory consumption
when given a string representation of a number in scientific notation with
a large exponent.

CVE-2024-41990: Potential denial-of-service in django.utils.html.urlize()
The urlize() and urlizetrunc() template filters are subject to a potential
denial-of-service attack via very large inputs with a specific sequence of
characters.

CVE-2024-41991: Potential denial-of-service vulnerability in
django.utils.html.urlize() and AdminURLFieldWidget
The urlize and urlizetrunc template filters, and the AdminURLFieldWidget widget,
are subject to a potential denial-of-service attack via certain inputs with
a very large number of Unicode characters.

CVE-2024-42005: Potential SQL injection in QuerySet.values() and values_list()
QuerySet.values() and values_list() methods on models with a JSONField are
subject to SQL injection in column aliases via a crafted JSON object key as
a passed *arg.

CVE-2024-38875: Potential denial-of-service in django.utils.html.urlize()
urlize() and urlizetrunc() were subject to a potential denial-of-service
attack via certain inputs with a very large number of brackets.

CVE-2024-39329: Username enumeration through timing difference for users with
unusable passwords
The django.contrib.auth.backends.ModelBackend.authenticate() method allowed
remote attackers to enumerate users via a timing attack involving login
requests for users with unusable passwords.

CVE-2024-39330: Potential directory-traversal in
django.core.files.storage.Storage.save()
Derived classes of the django.core.files.storage.Storage base class which
override generate_filename() without replicating the file path validations
existing in the parent class, allowed for potential directory-traversal via
certain inputs when calling save().
Built-in Storage sub-classes were not affected by this vulnerability.

CVE-2024-39614: Potential denial-of-service in
django.utils.translation.get_supported_language_variant()
get_supported_language_variant() was subject to a potential denial-of-service
attack when used with very long strings containing specific characters.
To mitigate this vulnerability, the language code provided to
get_supported_language_variant() is now parsed up to a maximum length of
500 characters.

Fixed a crash in Django 4.2 when validating email max line lengths with content
decoded using the surrogateescape error handling scheme (#35361)

Signed-off-by: Fathi Boudra <fathi.boudra@linaro.org>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-09-13 11:30:12 -07:00
Khem Raj
b64edeccfa python3-flask: Add missing ptest deps
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-09-12 23:21:25 -07:00
Khem Raj
504f721090 python3-py-cpuinfo: Fix ptest runtime deps
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-09-12 23:21:25 -07:00
Khem Raj
6e882af153 python3-pyyaml-include: Add missing dependencies for ptests
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-09-12 23:21:25 -07:00
Khem Raj
682dca03e7 ptest-packagelists-meta-python: Add python3-fsspec to fast test list
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-09-12 23:21:25 -07:00
Khem Raj
6658d46595 python3-fsspec: Add recipe
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-09-12 23:21:25 -07:00
Khem Raj
cb1c641b0f python3-service-identity: Fix ptest rdeps
Add missing six and attrs modules to runtime deps

Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-09-12 23:21:25 -07:00
Khem Raj
aad5755611 python3-trustme: Add missing ptest rdeps on attrs and six modules
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-09-12 23:21:25 -07:00
Khem Raj
4971de062b python3-tzdata: Add missing attrs modules rdep for ptests
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-09-12 23:21:25 -07:00
Khem Raj
42e02bfb6f python3-serpent: Fix typo attr -> attrs
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-09-12 23:21:25 -07:00
Khem Raj
9850a4a000 paho-mqtt-cpp: Use system paho-mqtt-c
It was an oversight during upgrade

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Cc: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
2024-09-12 23:21:25 -07:00
Yoann Congal
aa88276c26 grilo: fix buildpaths QA error
grl-type-builtins.* are generated by glib-mkenums, which leaves full paths
in comments and #include directives. Rewrite those before *-src packaging.
Previous fix did not correct the .c file and did not work in the
"devtool modify" case.

Fix these errors:
  ERROR: grilo-0.3.16-r0 do_package_qa: QA Issue: File /usr/src/debug/grilo/0.3.16/src/grl-type-builtins.c in package grilo-src contains reference to TMPDIR [buildpaths]
  ERROR: grilo-0.3.16-r0 do_package_qa: QA Issue: File /usr/src/debug/grilo/0.3.16/src/grl-type-builtins.h in package grilo-src contains reference to TMPDIR [buildpaths]
  ERROR: grilo-0.3.16-r0 do_package_qa: Fatal QA errors were found, failing task.

Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-09-12 18:25:29 -07:00
Enrico Jörns
c3a1158917 genimage: add new recipe
Signed-off-by: Enrico Jörns <ejo@pengutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-09-12 14:16:20 -07:00
Enrico Jörns
342d82096a libconfuse: add backported patch to fix search path logic
The fix is required to deal with absolute paths when using genimage in
openembedded context.

Signed-off-by: Enrico Jörns <ejo@pengutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-09-12 14:16:20 -07:00
Enrico Jörns
5c87230ad0 libconfuse: switch to release tar archive
Building autotools packages from git can be a bit tricky and requires
manual invocations of autogen.sh, etc.

An attempt to build for native build fails with:

| autoreconf: running: autopoint --force
| Can't exec "autopoint": No such file or directory at [..]/tmp/work/x86_64-linux/libconfuse-native/3.3/recipe-sysroot-native/usr/share/autoconf/Autom4te/FileUtils.pm line 318.
| autoreconf: error: autopoint failed with exit status: 2
| WARNING: exit code 2 from a shell command.

Since the project itself states

> Please ensure you download a versioned archive from:
> https://github.com/libconfuse/libconfuse/releases/

simply switch this recipe to using release archives and thus simplify it
and fix the automake issue.

Signed-off-by: Enrico Jörns <ejo@pengutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-09-12 14:16:20 -07:00
Enrico Jörns
2f95897a63 libconfuse: replace DESCRIPTION by SUMMARY
DESCRIPTION will default to SUMMARY, but not the other way round.

Signed-off-by: Enrico Jörns <ejo@pengutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-09-12 14:16:20 -07:00
Enrico Jörns
d88ae3885f libconfuse: provide native and nativesdk support
Allows using libconfuse in native tools like 'genimage'.

Signed-off-by: Enrico Jörns <ejo@pengutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-09-12 14:16:20 -07:00
Enrico Jörns
eeda4f91bb libconfuse: move to meta-oe
This prepares for using libconfuse for the 'genimage' recipe which
should reside in meta-oe.

Also libftdi (which is in meta-oe already) optionally requires
libconfuse when PACKAGECONFIG option 'ftdi-eeprom' is enabled.

Signed-off-by: Enrico Jörns <ejo@pengutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-09-12 14:16:20 -07:00
Harish Sadineni
1b3b373781 bpftool: Add support for riscv64
bpftool is supported for riscv64 and tested on qemuriscv64.

Signed-off-by: Harish Sadineni <Harish.Sadineni@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-09-12 06:17:04 -07:00
Khem Raj
fbfc860e5b python3-parse-type: Add missing rdep on six for ptests
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-09-11 21:40:15 -07:00
Yi Zhao
b3efb7ecd8 mce-test: update to latest git rev
9d11fc3e05ea tprctl: enhance sighandler to explicitly print si_code

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-09-11 21:15:34 -07:00
Yi Zhao
d960b366eb mce-inject: upgrade to latest git rev
7668d820cadc simulate a MCE event happened during TDX guest context

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-09-11 21:15:34 -07:00
Yi Zhao
3f3231f62f crash: upgrade 8.0.4 -> 8.0.5
ChangeLog:
https://crash-utility.github.io/changelog/ChangeLog-8.0.5.txt

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-09-11 21:15:34 -07:00
Yi Zhao
352b4de567 s-nail: upgrade 14.9.24 -> 14.9.25
ChangeLog:
https://git.sdaoden.eu/browse/s-nail.git/tree/NEWS?h=v14.9.25

Drop backport patches.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-09-11 21:15:34 -07:00
Yi Zhao
abf6f077a3 geoclue: upgrade 2.7.1 -> 2.7.2
ChangeLog:
https://gitlab.freedesktop.org/geoclue/geoclue/-/releases/2.7.2

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-09-11 21:15:34 -07:00
Yi Zhao
afa14207fe lvm2: upgrade 2.03.25 -> 2.03.26
ChangeLog:
https://gitlab.com/lvmteam/lvm2/-/tags/v2_03_26

Drop 0001-configure.ac-check-egrep.patch as the issue has been fixed
upstream.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-09-11 21:15:34 -07:00
Yi Zhao
8bfa426281 mm-common: upgrade 1.0.4 -> 1.0.6
ChangeLog:
https://gitlab.gnome.org/GNOME/mm-common/-/blob/1.0.6/NEWS

Drop 0001-meson.build-do-not-ask-for-python-installation-versi.patch as
the issue has been fixed upstream.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-09-11 21:15:33 -07:00
Khem Raj
7f577da746 python3-serpent: Add missing rdeps for ptests to run
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-09-11 21:12:19 -07:00
Khem Raj
c1fd23eeb6 libjxl: Upgrade to 0.10.3 release
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-09-11 08:18:18 -07:00
Einar Gunnarsson
b3f53080fc v4l-utils: Install media ctrl pkgconfig files
Commit 5f453c3401 installs
libraries but without the pkgconfig files, making them harder to link
to. This adds pkgconfig files for these libraries.

Signed-off-by: Einar Jon Gunnarsson <tolvupostur@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-09-11 06:50:25 -07:00
Yi Zhao
6d2e3a4405 drbd-utils: upgrade 9.27.0 -> 9.28.0
ChangeLog:
https://github.com/LINBIT/drbd-utils/blob/v9.28.0/ChangeLog

* Drop backport patch:
  0001-configure.ac-Add-an-option-to-disable-host-udev-vers.patch

* Refresh patch:
  0001-drbd-utils-support-usrmerge.patch

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-09-11 06:50:25 -07:00
Yi Zhao
f5e791bfb1 mbedtls: upgrade 2.28.8 -> 2.28.9
ChangeLog
https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-2.28.9

Security fix:
CVE-2024-45157

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-09-11 06:50:24 -07:00
Yi Zhao
8340f5f011 mbedtls: upgrade 3.6.0 -> 3.6.1
ChangeLog:
https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.6.1

Security fixes:
CVE-2024-45157
CVE-2024-45158
CVE-2024-45159

* According to commit[1], install data_files into framework directory
  for ptest.

[1] 9c4dd4ee6f

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-09-11 06:50:24 -07:00
Yi Zhao
5b6a571312 autofs: upgrade 5.1.8 -> 5.1.9
ChangeLog:
https://git.kernel.org/pub/scm/linux/storage/autofs/autofs.git/tree/CHANGELOG?h=release_5_1_9

* Drop backport patches:
  0001-autofs-5.1.8-add-autofs_strerror_r-helper-for-musl.patch
  0002-autofs-5.1.8-handle-innetgr-not-present-in-musl.patch

* Drop the following patches as the issues have been fixed upstream:
  cross.patch
  pkgconfig-libnsl.patch
  fix_disable_ldap.patch
  add-the-needed-stdarg.h.patch
  autofs-5.0.7-fix-lib-deps.patch
  0001-Define-__SWORD_TYPE-if-undefined.patch
  0001-Define-__SWORD_TYPE-and-_PATH_NSSWITCH_CONF.patch
  0001-Bug-fix-for-pid_t-not-found-on-musl.patch
  0001-modules-lookup_multi.c-Replace-__S_IEXEC-with-S_IEXE.patch
  0002-Replace-__S_IEXEC-with-S_IEXEC.patch

* Refresh the following patches:
  no-bash.patch
  remove-bashism.patch
  mount_conflict.patch
  force-STRIP-to-emtpy.patch
  0001-include-libgen.h-for-basename.patch
  0001-Do-not-hardcode-path-for-pkg.m4.patch
  fix-the-YACC-rule-to-fix-a-building-failure.patch
  using-pkg-config-to-detect-libxml-2.0-and-krb5.patch

* Add patch to fix build on musl:
  0009-hash.h-include-sys-reg.h-instead-of-bits-reg.h.patch

* Backport patch to fix build with gcc14:
  0010-autofs-5.1.9-Fix-incompatible-function-pointer-types.patch

* Add PACKAGECONFIG[openldap] and PACKAGECONFIG[sasl]

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-09-10 20:13:08 -07:00
Yi Zhao
28d82d17c8 freeradius: upgrade 3.2.3 -> 3.2.5
ChangeLog:
https://github.com/FreeRADIUS/freeradius-server/releases/tag/release_3_2_4
https://github.com/FreeRADIUS/freeradius-server/releases/tag/release_3_2_5

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-09-10 20:13:08 -07:00
Yi Zhao
67c1b6c836 dracut: upgrade 102 -> 103
ChangeLog:
https://github.com/dracut-ng/dracut-ng/releases/tag/103

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-09-10 20:13:08 -07:00
Khem Raj
e3ab0d2439 libcereal: Fix build with clang-19
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-09-10 18:28:31 -07:00
Tom Geelen
d607c24e08 python3-pyjwt 2.8.0 -> 2.9.0
Updated name of PYPI_PACKAGE as it is renamed on pypi.org

Changelog: https://github.com/jpadilla/pyjwt/releases/tag/2.9.0
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-09-10 14:37:53 -07:00
Hauke Lampe
ba274e7310 postgresql: Use packageconfig flag for readline dependency
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-09-10 09:37:01 -07:00
Martin Jansa
0249db4dbb nmap: depend on libpcre2 not libpcre
* switched to libpcre2 in:
  828ab48764

* in builds where libpcre2 isn't pulled by some other dependency it was failing with:
| service_scan.h:74:10: fatal error: pcre2.h: No such file or directory
|    74 | #include <pcre2.h>
|       |          ^~~~~~~~~

Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-09-10 09:34:15 -07:00
Einar Gunnarsson
f3f3e9b1b4 yavta: Update to kernel 6.8
Additional changes:
Use https protocol for git fetch
Build with meson

Signed-off-by: Einar Jon Gunnarsson <tolvupostur@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-09-10 07:20:42 -07:00
Wang Mingyu
cd69b51b61 xterm: upgrade 393 -> 394
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-09-10 07:20:42 -07:00
Wang Mingyu
2b071a777b xfsdump: upgrade 3.1.12 -> 3.2.0
Changelog:
===========
- don't use O_DIRECT on the RT device
- Fix memory leak
- suggest -x rather than assert for false roots in restore
- fix rootdir due to xfsdump bulkstat misuse

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-09-10 07:20:42 -07:00
Wang Mingyu
3b24cb3821 valijson: upgrade 1.0.2 -> 1.0.3
Changelog:
===========
- Fix typos in RapidJsonAdapter, only failing when certain features are used
- Added explicit default move constructors/operators
- Various cosmetic fixes
- Implemented functioning move constructors/operators
- Compatibility with boost-1.85.0
- Ability to customize regular expression engine

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-09-10 07:20:41 -07:00
Wang Mingyu
1095ad51bb uhubctl: upgrade 2.5.0 -> 2.6.0
Changelog:
=========
- Added support for Raspberry Pi 5
- Fixed bug for big-endian platforms
- Fixed sysfs path bug for Linux kernel 6.x or higher
- Added flash (inverted cycle) option - turn power on then off
- Improved Linux detection
- Added more devices to supported table

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-09-10 07:20:41 -07:00
Wang Mingyu
569c07e8a6 python3-zeroconf: upgrade 0.132.2 -> 0.134.0
Changelog:
============
- Improve performance when IP addresses change frequently
- Improve helpfulness of ServiceInfo.request assertions
- Improve performance of ip address caching
- Enable building of arm64 macOS builds
- Add classifier for python 3.13
- Python 3.13 support

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-09-10 07:20:41 -07:00
Wang Mingyu
c03e92b112 python3-yarl: upgrade 1.9.4 -> 1.10.0
Changelog:
==========
- Fixed joining a path when the existing path was empty
- Added :meth:URL.without_query_params() <yarl.URL.without_query_params> method,
  to drop some parameters from query string
- The previously protected types _SimpleQuery, _QueryVariable, and _Query are
  now available for use externally as SimpleQuery, QueryVariable, and Query
- Replaced all :class:~typing.Optional with :class:~typing.Union
- Significantly improved performance of parsing the network location
- Added internal types to the cache to prevent future refactoring errors

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-09-10 07:20:41 -07:00
Wang Mingyu
cb0f534890 python3-watchdog: upgrade 4.0.2 -> 5.0.2
Changelog:
===========
- Enable OS specific Mypy checks
- [watchmedo] Fix tricks argument type of schedule_tricks()
- [kqueue] Fix TypeError: kqueue.control() only accepts positional parameters
- Drop support for Python 3.8
- [core] Enforced usage of proper keyword-arguments
- [core] Renamed the BaseObserverSubclassCallable class to ObserverType
- [inotify] Renamed the inotify_event_struct class to InotifyEventStruct
- [inotify] Renamed the UnsupportedLibc exception to UnsupportedLibcError
- [inotify] Removed the InotifyConstants.IN_CLOSE constant
- [watchmedo] Renamed the LogLevelException exception to LogLevelError
- [watchmedo] Renamed the WatchdogShutdown exception to WatchdogShutdownError
- [windows] Renamed the FILE_NOTIFY_INFORMATION class to FileNotifyInformation
- [windows] Removed the unused WATCHDOG_TRAVERSE_MOVED_DIR_DELAY constant
- [core] Enable disallow_untyped_calls Mypy rule
- [core] Enable disallow_untyped_defs Mypy rule
- [core] Improve typing references for events
- [inotify] Add support for IN_CLOSE_NOWRITE events.

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-09-10 07:20:41 -07:00
Wang Mingyu
6b9e92bb60 python3-virtualenv: upgrade 20.26.3 -> 20.26.4
Changelog:
==========
- Fix whitespace around backticks in changelog
- Test latest Python 3.13
- Fix typo in Nushell activation script
- GitHub Actions: Replace deprecated macos-12 with macos-13
- Fix #2728: Activating venv create unwanted console output
- Upgrade bundled wheels

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-09-10 07:20:41 -07:00
Wang Mingyu
64e1b89c2b python3-validators: upgrade 0.33.0 -> 0.34.0
Changelog:
===========
- feat: cache IANA TLDs for faster lookups
- chore: update dependencies
- docs: adds configuration info

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-09-10 07:20:40 -07:00