CVE-2023-49081:
aiohttp is an asynchronous HTTP client/server framework for asyncio and
Python. Improper validation made it possible for an attacker to modify
the HTTP request (e.g. to insert a new header) or create a new HTTP
request if the attacker controls the HTTP version. The vulnerability
only occurs if the attacker can control the HTTP version of the request.
This issue has been patched in version 3.9.0.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-49081
Upstream patches:
1e86b777e6
CVE-2024-30251:
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python.
In affected versions an attacker can send a specially crafted POST
(multipart/form-data) request. When the aiohttp server processes it, the server
will enter an infinite loop and be unable to process any further requests. An
attacker can stop the application from serving requests after sending a single
request. This issue has been addressed in version 3.9.4. Users are advised to
upgrade. Users unable to upgrade may manually apply a patch to their systems.
Please see the linked GHSA for instructions.
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-30251
Upstream patches:
cebe526b9c7eecdff163f21c6f2ca5
CVE-2024-52304:
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python.
Prior to version 3.10.11, the Python parser parses newlines in chunk extensions
incorrectly which can lead to request smuggling vulnerabilities under certain
conditions. If a pure Python version of aiohttp is installed (i.e. without the
usual C extensions) or `AIOHTTP_NO_EXTENSIONS` is enabled, then an attacker may
be able to execute a request smuggling attack to bypass certain firewalls or
proxy protections. Version 3.10.11 fixes the issue.
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-52304
Upstream patches:
259edc3690
CVE-2023-49082:
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python.
Improper validation makes it possible for an attacker to modify the HTTP
request (e.g. insert a new header) or even create a new HTTP request if the
attacker controls the HTTP method. The vulnerability occurs only if the
attacker can control the HTTP method (GET, POST etc.) of the request. If the
attacker can control the HTTP version of the request it will be able to modify
the request (request smuggling). This issue has been patched in version 3.9.0.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-49082
Upstream patches:
a43bc17798
CVE-2024-27306:
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python.
An XSS vulnerability exists on index pages for static file handling. This
vulnerability is fixed in 3.9.4. We have always recommended using a reverse
proxy server (e.g. nginx) for serving static files. Users following the
recommendation are unaffected. Other users can disable `show_index` if unable
to upgrade.
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-27306
Upstream patches:
28335525d1
Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
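Added example for CVE-2023-49081 and CVE-2023-49082 above (example code written for this page, not aiohttp's own implementation; the real fixes are the referenced upstream commits). It shows the vulnerable pattern, a client that interpolates an attacker-controlled method or version into the request line verbatim, beside the hardened form that validates both as RFC 9110 tokens first, and a small head splitter that makes the effect visible: a CRLF in the value becomes an extra header or a second request. All function names are hypothetical.

```python
import re

# Allowed characters for an HTTP method token (RFC 9110 "tchar") and the
# HTTP/1.x version string (RFC 9112). CR and LF are not in either set, so
# a value that could break out of the request line is rejected up front.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_VERSION_RE = re.compile(r"^HTTP/1\.[01]$")


class InvalidRequestLine(ValueError):
    """Raised when a caller-supplied method or version is not a valid token."""


def build_head_unchecked(method: str, target: str, version: str, headers: dict) -> str:
    """Vulnerable pattern: the method and version are interpolated verbatim.

    A CRLF inside either value ends the request line early, so the rest of the
    value is sent as additional header lines, or, after a blank line, as a
    complete second request on the same connection.
    """
    lines = [f"{method} {target} {version}"]
    lines += [f"{name}: {value}" for name, value in headers.items()]
    return "\r\n".join(lines) + "\r\n\r\n"


def build_head(method: str, target: str, version: str, headers: dict) -> str:
    """Hardened form: validate method and version as tokens before serializing."""
    if not _TOKEN_RE.fullmatch(method):
        raise InvalidRequestLine(f"invalid HTTP method: {method!r}")
    if not _VERSION_RE.fullmatch(version):
        raise InvalidRequestLine(f"invalid HTTP version: {version!r}")
    return build_head_unchecked(method, target, version, headers)


def parse_messages(raw: str) -> list:
    """Split a stream the way a server frames it: each head ends at a blank line.

    Returns a list of (request_line, headers) tuples so the outcome of an
    injection can be checked: an injected header shows up as a real header,
    and an injected blank line yields a second request.
    """
    messages = []
    for head in raw.split("\r\n\r\n"):
        if not head:
            continue
        lines = head.split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip()] = value.strip()
        messages.append((lines[0], headers))
    return messages
```

The version regex deliberately accepts only HTTP/1.0 and HTTP/1.1; a client that also speaks other versions would extend it, but never by accepting arbitrary strings.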
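Added example for CVE-2024-52304 above (example code for this page, not aiohttp's parser). A chunked-body decoder is run in two modes: strict, where the chunk-size line (size plus optional ';' chunk extensions) must end at CRLF and a bare LF inside it is an error, and lenient, where a bare LF ends the line. The constructed input is not the upstream reproducer; it only shows that the two modes frame the same bytes differently, which is the disagreement between a proxy and an origin that request smuggling exploits. The function name is hypothetical.

```python
def parse_chunked(body: bytes, strict: bool = True) -> tuple:
    """Decode a chunked transfer-coding body.

    Returns (payload, bytes_consumed). bytes_consumed is what matters for
    smuggling: everything after it is treated as the next request on the
    connection, so two parsers that consume different amounts desync.

    strict=True  follows RFC 9112: the chunk-size line ends at CRLF and may
                 not contain a bare CR or LF.
    strict=False accepts a bare LF as the end of the chunk-size line (the
                 lenient behaviour the advisory describes).
    """
    pos = 0
    payload = bytearray()
    while True:
        if strict:
            end = body.find(b"\r\n", pos)
            if end < 0:
                raise ValueError("chunk-size line not CRLF-terminated")
            line = body[pos:end]
            if b"\n" in line or b"\r" in line:
                raise ValueError("bare CR or LF inside chunk-size line")
            pos = end + 2
        else:
            end = body.find(b"\n", pos)
            if end < 0:
                raise ValueError("chunk-size line not terminated")
            line = body[pos:end].rstrip(b"\r")
            pos = end + 1
        # Chunk extensions after ';' are ignored; only the hex size is used.
        size_field = line.split(b";", 1)[0].strip()
        if not size_field or not all(c in b"0123456789abcdefABCDEF" for c in size_field):
            raise ValueError(f"bad chunk size: {size_field!r}")
        size = int(size_field, 16)
        if size == 0:
            # last-chunk: this example accepts no trailer fields, only the final CRLF
            if body[pos:pos + 2] != b"\r\n":
                raise ValueError("missing final CRLF")
            return bytes(payload), pos + 2
        chunk = body[pos:pos + size]
        if len(chunk) != size:
            raise ValueError("truncated chunk data")
        payload += chunk
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError("chunk data not CRLF-terminated")
        pos += 2
```

Run the lenient mode on a body whose chunk-size line ends in a bare LF and it returns a payload plus a consumed length; whatever bytes follow that length would be read as a new request by the lenient side, while the strict side refuses the message outright.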
Change the reference to the Apache-2.0 license containing LICENSE file
in the downloaded archive.
Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
The repository's LICENSE file contains BSD-3-Clause license text, so
update the relevant recipe information field to match.
Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15.
QuerySet.values() and values_list() methods on models with a JSONField are
subject to SQL injection in column aliases via a crafted JSON object key
as a passed *arg.
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-42005
Upstream-patch:
f4af67b9b4
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
To fix crash due to missing module:
File "/usr/lib/python3.11/site-packages/twisted/internet/defer.py", line 42, in <module>
from typing_extensions import Literal, ParamSpec, Protocol
ModuleNotFoundError: No module named 'typing_extensions'
Signed-off-by: Hains van den Bosch <hainsvdbosch@ziggo.nl>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Guðni Már Gilbert <gudnimar@noxmedical.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
To fix crash due to missing module:
from twisted.internet import defer
File "/usr/lib/python3.11/site-packages/twisted/internet/defer.py", line 14, in <module>
from asyncio import AbstractEventLoop, Future, iscoroutine
ModuleNotFoundError: No module named 'asyncio'
Signed-off-by: Hains van den Bosch <hainsvdbosch@ziggo.nl>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Guðni Már Gilbert <gudnimar@noxmedical.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
aiohttp is an asynchronous HTTP client/server framework
for asyncio and Python. When using aiohttp as a web server
and configuring static routes, it is necessary to specify
the root path for static files. Additionally, the option
'follow_symlinks' can be used to determine whether to
follow symbolic links outside the static root directory.
When 'follow_symlinks' is set to True, there is no
validation to check if reading a file is within the root
directory. This can lead to directory traversal
vulnerabilities, resulting in unauthorized access to
arbitrary files on the system, even when symlinks are not
present. Disabling follow_symlinks and using a reverse proxy
are encouraged mitigations. Version 3.9.2 fixes this issue.
References:
https://security-tracker.debian.org/tracker/CVE-2024-23334
https://github.com/aio-libs/aiohttp/releases/tag/v3.9.2
Signed-off-by: Rahul Janani Pandi <RahulJanani.Pandi@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
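Added example for the CVE-2024-23334 entry above (example code written for this page, not aiohttp's static route handler). It maps a request path onto a file under a static root with two separate checks: a lexical one, run whether or not symlinks are followed, that rejects '..' traversal after URL decoding, and a filesystem one that, unless follow_symlinks is set, also rejects a symlink whose target lies outside the root. The directory layout is constructed in a temporary directory; resolve_static and make_fixture are hypothetical names.

```python
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote


def resolve_static(root, url_path: str, follow_symlinks: bool = False) -> Path:
    """Map a request path onto a file under root, or raise PermissionError.

    1. Lexical check: URL-decode, collapse '.' and '..' without touching the
       filesystem, and require the result to still be inside root. This check
       must run regardless of follow_symlinks; skipping it when symlinks are
       followed is exactly the gap the advisory describes.
    2. Filesystem check: unless symlinks are explicitly allowed to point
       outside root, the real path must also be inside root.
    """
    root = Path(root).resolve()
    relative = unquote(url_path).lstrip("/")
    candidate = Path(os.path.normpath(root / relative))
    if candidate != root and root not in candidate.parents:
        raise PermissionError(f"traversal outside static root: {url_path!r}")
    if not follow_symlinks:
        real = candidate.resolve()
        if real != root and root not in real.parents:
            raise PermissionError(f"symlink escapes static root: {url_path!r}")
        candidate = real
    if not candidate.is_file():
        raise FileNotFoundError(url_path)
    return candidate


def make_fixture() -> Path:
    """Constructed layout for the demonstration (not real data):

        <tmp>/secret.txt          a file outside the static root
        <tmp>/static/index.html   a legitimate static file
        <tmp>/static/link         symlink -> ../secret.txt
    """
    base = Path(tempfile.mkdtemp())
    root = base / "static"
    root.mkdir()
    (base / "secret.txt").write_text("secret")
    (root / "index.html").write_text("<h1>hello</h1>")
    os.symlink("../secret.txt", root / "link")
    return root
```

With follow_symlinks=True the symlink is served, which is the documented intent of the option; the '..' request is refused in both modes because the lexical check no longer depends on the flag.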
* Upgrade to 1.4.1 to make it work with setuptools 59.x as it doesn't
support pep 621 [1], so remove pyproject.toml and add setup.cfg back [2].
* Add python3-toml to RDEPENDS to fix the error below:
self = <yamlinclude.readers.TomlReader object at 0x7faceccdbd30>
def __call__(self):
if sys.version_info >= (3, 11):
with open(self._path, "rb") as fp:
return tomllib.load(fp)
else:
try:
import toml
except ImportError as err: # pragma: no cover
> raise ImportError(f'Un-supported file "{self._path}".\n`pip install toml` should solve the problem.\n\n{err}')
E ImportError: Un-supported file "tests/data/include.d/1.toml".
E `pip install toml` should solve the problem.
E
E No module named 'toml'
../../python3.10/site-packages/yamlinclude/readers.py:69: ImportError
[1] https://setuptools.pypa.io/en/latest/userguide/pyproject_config.html
[2] https://github.com/tanbro/pyyaml-include/issues/43
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Add a recipe for the pyyaml-include package that extends PyYAML to include
YAML files within YAML files. Add a ptest to run the unit tests and include
the tests as part of the package lists in meta-python
Signed-off-by: Derek Straka <derek@asterius.io>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit bf011a9f5e)
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
The delta between 4.2.5 and 4.2.7 contains the fixes for
CVE-2023-43665, CVE-2023-46695 and other bugfixes.
git log --oneline 4.2.5..4.2.7 shows:
d254a54e7f (tag: 4.2.7) [4.2.x] Bumped version for 4.2.7 release.
048a9ebb6e [4.2.x] Fixed CVE-2023-46695 -- Fixed potential DoS in UsernameField on Windows.
3fae5d92da [4.2.x] Refs #30601 -- Fixed typos in docs/topics/db/transactions.txt.
a8aa94062b [4.2.x] Refs #15578 -- Made cosmetic edits to fixtures docs.
109f39a38b [4.2.x] Fixed#34932 -- Restored varchar_pattern_ops/text_pattern_ops index creation when deterministic collaction is set.
61612990d8 [4.2.x] Fixed typos in docs/ref/models/expressions.txt.
696fbc32d6 [4.2.x] Fixed#30601 -- Doc'd the need to manually revert all app state on transaction rollbacks.
ffba63180c [4.2.x] Fixed typo in docs/ref/contrib/gis/geos.txt.
43a3646070 [4.2.x] Fixed#15578 -- Stated the processing order of fixtures in the fixtures docs.
0cd8b867a0 [4.2.x] Added stub release notes and release date for 4.2.7, 4.1.13, and 3.2.23.
510a512119 [4.2.x] Fixed typo in docs/releases/4.2.txt.
b644f8bc1f [4.2.x] Corrected note about using accents in writing documentation contributing guide.
a576ef98ae [4.2.x] Refs #34900, Refs #34118 -- Updated assertion in test_skip_class_unless_db_feature() test on Python 3.12.1+.
803caec60b [4.2.x] Fixed#34798 -- Fixed QuerySet.aggregate() crash when referencing expressions containing subqueries.
caec4f4a6f [4.2.x] Refs #34840 -- Improved release note describing index regression.
b6bb2f8099 [4.2.x] Refs #34840 -- Fixed test_validate_nullable_textfield_with_isnull_true() on databases that don's support table check constraints.
e8fe48d3a0 [4.2.x] Fixed#34808 -- Doc'd aggregate function's default argument.
830990fa6c [4.2.x] Reorganized tutorial's part 4 to better understand changes needed in URLConf.
0cbc92bc3a [4.2.x] Refs #26029 -- Improved get_storage_class() deprecation warning with stacklevel=2.
9c7627da30 [4.2.x] Refs #34043 -- Clarified how to test UI changes.
0bd53ab86a [4.2.x] Added backticks to setuptools in docs.
99dcba90b4 [4.2.x] Refs #32275 -- Added scrypt password hasher to PASSWORD_HASHERS setting docs.
6697880219 [4.2.x] Refs #31435 -- Doc'd potential infinite recursion when accessing model fields in __init__.
a9a3317a95 [4.2.x] Corrected wrap_socket() reference in docs/ref/settings.txt.
9962f94a97 [4.2.x] Added CVE-2023-43665 to security archive.
b2d95bb301 [4.2.x] Added stub release notes for 4.2.7.
08d54f83a9 [4.2.x] Post release version bump.
c22017bd1d (tag: 4.2.6) [4.2.x] Bumped version for 4.2.6 release.
be9c27c4d1 [4.2.x] Fixed CVE-2023-43665 -- Mitigated potential DoS in django.utils.text.Truncator when truncating HTML text.
39fc3f46a8 [4.2.x] Added stub release notes and release date for 4.2.6, 4.1.12, and 3.2.22.
dd0bf63d3e [4.2.x] Added warning about flatpages and untrusted users.
fec4ed0a25 [4.2.x] Refs #34320 -- Skipped SchemaTests.test_rename_field_with_check_to_truncated_name on MariaBD 10.5.2+.
a148461f1f [4.2.x] Fixed#34840 -- Avoided casting string base fields on PostgreSQL.
b08f53ff46 [4.2.x] Refs #34808 -- Doc'd that aggregation functions on empty groups can return None.
c70f08c4aa [4.2.x] Added updating the Django release process on Trac to release steps.
d485aa2732 [4.2.x] Fixed typo in docs/howto/custom-file-storage.txt.
ff26e6ad84 [4.2.x] Corrected QuerySet.prefetch_related() note about GenericRelation().
866122690d [4.2.x] Doc'd HttpResponse.cookies.
97e8a2afb1 [4.2.x] Fixed#34821 -- Prevented DEFAULT_FILE_STORAGE/STATICFILES_STORAGE settings from mutating the main STORAGES.
39cb3b08bc [4.2.x] Bumped checkout version in Github actions configuration.
592ebd8920 [4.2.x] Added stub release notes for 4.2.6.
a1dd785139 [4.2.x] Added CVE-2023-41164 to security archive.
a9686cb871 [4.2.x] Post-release version bump.
Release Notes: https://docs.djangoproject.com/en/dev/releases/4.2.7/
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
The delta between 3.2.21 and 3.2.23 contains the fixes for
CVE-2023-43665, CVE-2023-46695 and other bugfixes.
git log --oneline 3.2.21..3.2.23 shows:
60e648a7ae (tag: 3.2.23) [3.2.x] Bumped version for 3.2.23 release.
f9a7fb8466 [3.2.x] Fixed CVE-2023-46695 -- Fixed potential DoS in UsernameField on Windows.
e6d2591d9e [3.2.x] Added stub release notes for 3.2.23.
3c04b74293 [3.2.x] Added CVE-2023-43665 to security archive.
86a14d653f [3.2.x] Post release version bump.
3106e94e52 (tag: 3.2.22) [3.2.x] Bumped version for 3.2.22 release.
ccdade1a02 [3.2.x] Fixed CVE-2023-43665 -- Mitigated potential DoS in django.utils.text.Truncator when truncating HTML text.
6caf7b313d [3.2.x] Added stub release notes for 3.2.22.
9e814c3a5e [3.2.x] Added CVE-2023-41164 to security archive.
4b439dcd05 [3.2.x] Post-release version bump.
Release Notes: https://docs.djangoproject.com/en/dev/releases/3.2.23/
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
CVE-2023-43665:
In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the
django.utils.text.Truncator chars() and words() methods (when used with
html=True) are subject to a potential DoS (denial of service) attack via
certain inputs with very long, potentially malformed HTML text. The chars()
and words() methods are used to implement the truncatechars_html and
truncatewords_html template filters, which are thus also vulnerable.
NOTE: this issue exists because of an incomplete fix for CVE-2019-14232.
CVE-2023-46695:
An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and
4.2 before 4.2.7. The NFKC normalization is slow on Windows. As a consequence,
django.contrib.auth.forms.UsernameField is subject to a potential DoS (denial of
service) attack via certain inputs with a very large number of Unicode characters.
References:
https://www.djangoproject.com/weblog/2023/oct/04/security-releases/
https://www.djangoproject.com/weblog/2023/nov/01/security-releases/
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
The command "bitbake universe -c fetch" currently throws a ton of warnings
as there are many 'impossible' dependencies.
In some cases these variants may never have worked and were just added by copy
and paste of recipes. In some cases they once clearly did work but became
broken somewhere along the way. Users may also be carrying local bbappend files
which add further BBCLASSEXTEND.
Having universe fetch work without warnings is desirable so clean up the broken
variants. Anyone actually needing something dropped here can propose adding it
and the correct functional dependencies back quite easily. This also then
ensures we're not carrying or fixing things nobody uses.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit d4aa17dc43)
Backport:
* Adapted paths to follow PV changes
* Adapted modified recipes to the ones generating warnings
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
python3-beautifulsoup4 does depend on python3-soupsieve but
python3-soupsieve does not depend on python3-beautifulsoup4.
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
The delta between 4.2.3 and 4.2.5 contains the CVE-2023-41164 fix
and other bugfixes. git log --oneline 4.2.3..4.2.5 shows:
b8b2f74512 (tag: 4.2.5) [4.2.x] Bumped version for 4.2.5 release.
9c51b4dcfa [4.2.x] Fixed CVE-2023-41164 -- Fixed potential DoS in django.utils.encoding.uri_to_iri().
acfb427522 [4.2.x] Fixed#34803 -- Fixed queryset crash when filtering againts deeply nested OuterRef annotations.
55a0b9c32e [4.2.x] Added stub release notes and release date for 4.2.5, 4.1.11, and 3.2.21.
8e8c318449 [4.2.x] Avoided counting exceptions in AsyncClient docs.
dcb9d7a0e4 [4.2.x] Improved formset docs by using a set instead of a list in the custom validation example.
f55b420277 [4.2.x] Fixed#34781 -- Updated logging ref docs for django.server's request extra context value.
46b2b08e45 [4.2.x] Fixed#34779 -- Avoided unnecessary selection of non-nullable m2m fields without natural keys during serialization.
d34db6602e [4.2.x] Fixed#34773 -- Fixed syncing DEFAULT_FILE_STORAGE/STATICFILES_STORAGE settings with STORAGES.
a22aeef555 [4.2.x] Fixed#15799 -- Doc'd that Storage._open() should raise FileNotFoundError when file doesn't exist.
936afc2deb [4.2.x] Refs #34754 -- Added missing FullResultSet import.
3a1863319c [4.2.x] Fixed#34754 -- Fixed JSONField check constraints validation on NULL values.
951dcbb2e6 [4.2.x] Fixed#34756 -- Fixed docs HTML build on Sphinx 7.1+.
a750fd0d7f [4.2.x] Added stub release notes for 4.2.5.
a56c46642d [4.2.x] Post-release version bump.
6f4c7c124a (tag: 4.2.4) [4.2.x] Bumped version for 4.2.4 release.
e53d6239df [4.2.x] Added release date for 4.2.4.
8808d9da6b [4.2.x] Fixed#34750 -- Fixed QuerySet.count() when grouping by unused multi-valued annotations.
2ef2b2ffc0 [4.2.x] Corrected pycon formatting in some docs.
8db9a0b5a0 [4.2.x] Fixed warnings per flake8 6.1.0.
739da73164 [4.2.x] Fixed#34748 -- Fixed queryset crash when grouping by a reference in a subquery.
a52a2b6678 [4.2.x] Fixed#34749 -- Corrected QuerySet.acreate() signature in docs.
12ebd9a1ac [4.2.x] Refs #34712 -- Doc'd that defining STORAGES overrides the default configuration.
1f9d00ef9f [4.2.x] Added missing backticks in docs.
c99d935600 [4.2.x] Fixed typo in docs/ref/models/querysets.txt.
da92a971a0 [4.2.x] Refs #30052 -- Clarified that defer() and only() do not work with aggregated fields.
7a67b065d7 [4.2.x] Fixed#34717 -- Fixed QuerySet.aggregate() crash when referencing window functions.
c646412a75 Added reference to TypedChoiceField in ChoiceField docs.
f474ba4cb5 [4.2.x] Fixed#34309 -- Doc'd how to fully delete an app.
e54f711d42 [4.2.x] Fixed#33405, Refs #7177 -- Clarified docs for filter escapejs regarding safe and unsafe usages.
047844270b [4.2.x] Added stub release notes for 4.2.4.
Release Notes: https://docs.djangoproject.com/en/dev/releases/4.2.5/
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
The delta between 3.2.20 and 3.2.21 contains the CVE-2023-41164 fix
and other bugfixes. git log --oneline 3.2.20..3.2.21 shows:
fd0ccd7fb3 (tag: 3.2.21) [3.2.x] Bumped version for 3.2.21 release.
6f030b1149 [3.2.x] Fixed CVE-2023-41164 -- Fixed potential DoS in django.utils.encoding.uri_to_iri().
73350a6369 [3.2.x] Added stub release notes for 3.2.21.
75418f8c0e [3.2.x] Fixed#34756 -- Fixed docs HTML build on Sphinx 7.1+.
848fe70f3e [3.2.x] Added CVE-2023-36053 to security archive.
4012a87a58 [3.2.x] Post-release version bump.
Release Notes: https://docs.djangoproject.com/en/dev/releases/3.2.21/
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
At least one of the following DISTRO_FEATURES needs to be present: X11
or Wayland. The recipe now works with pure Wayland.
Signed-off-by: Marine Vovard <m.vovard@phytec.de>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3,
EmailValidator and URLValidator are subject to a potential ReDoS
(regular expression denial of service) attack via a very large
number of domain name labels of emails and URLs.
Since there is no ptest available for python3-django, I have not
tested the patch changes at runtime.
References:
https://github.com/advisories/GHSA-jh3w-4vvf-mjgr
Upstream patch:
454f2fb934
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
The delta between 3.2.19 and 3.2.20 contains the CVE-2023-36053 fix
and other bugfixes. git log --oneline 3.2.19..3.2.20 shows:
19bc11f636 (tag: 3.2.20) [3.2.x] Bumped version for 3.2.20 release.
454f2fb934 [3.2.x] Fixed CVE-2023-36053 -- Prevented potential ReDoS in EmailValidator and URLValidator.
07cc014cb3 [3.2.x] Added stub release notes for 3.2.20.
e1bbbbe6ac [3.2.x] Fixed MultipleFileFieldTest.test_file_multiple_validation() test if Pillow isn't installed.
47ef12e69c [3.2.x] Added CVE-2023-31047 to security archive.
15f90ebff3 [3.2.x] Post-release version bump.
Release Notes: https://docs.djangoproject.com/en/dev/releases/3.2.20/
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
gcc-11 has metadata line "-: 0:Source is newer than graph" which throws an
error.
Backported from gcovr 5.2, as kirkstone release uses gcc-11.
Signed-off-by: Jasper Orschulko <jasper@fancydomain.eu>
Signed-off-by: Armin Kuster <akuster808@gmail.com>