Changelog:
==========
- parse_list_header preserves partially quoted items, discards empty items, and
returns empty for unclosed quoted values.
- WWWAuthenticate.to_header does not produce a trailing space when there are no
parameters.
- Transfer-Encoding is parsed as a set.
- Request.host, get_host, and host_is_trusted validate the characters of the
value. An empty value is no longer allowed. A Unix socket server address is
ignored. The trusted_list argument to host_is_trusted is optional.
- Fix multipart form parser handling of newline at boundary.
- Response.make_conditional sets the Accept-Ranges header even if it is not a
satisfiable range request.
- merge_slashes merges any number of consecutive slashes.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
(cherry picked from commit db8bd24b0d)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Bug-fix release addressing a memory leak and a couple minor issues.
We now ship the license file with the dist tarball so update the recipe
to take this into account. While at it: trim the LICENSE value to only
include LGPL-v2.1-or-later as the other two licenses cover tests and
text files.
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit f75f4164fd)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
The resulting pybind11_jsonTargets.cmake in the dev-package adds an
absolute path to python include directories in the target properties:
set_target_properties(pybind11_json PROPERTIES
INTERFACE_INCLUDE_DIRECTORIES "/usr/include/python3.13;${_IMPORT_PREFIX}/include"
)
The patch removes ${PYTHON_INCLUDE_DIRS} which is set by pybind11 from
set_target_properties to remove the poisonous host path.
Signed-off-by: Tafil Avdyli <tafil@tafhub.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 0332dae9bb)
Signed-off-by: Tafil Avdyli <tafil@tafhub.de>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Changelog:
5.2.11:
Contains fixes for CVE-2025-13473, CVE-2025-14550, CVE-2026-1207, CVE-2026-1285,
CVE-2026-1287 and CVE-2026-1312
5.2.10:
* Fixed a bug in Django 5.2 where data exceeding max_length was silently
truncated by QuerySet.bulk_create on PostgreSQL.
* Fixed a bug where management command colorized help (introduced in
Python 3.14) ignored the --no-color option and the DJANGO_COLORS setting.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Python watchdog has removed all dependencies except optional `pyyaml`
dependency for `watchmedo` utility, like follows [1]:
* pathtools dependency was removed in 1.0.0
* python-argh dependency removed in 2.1.6
* requests was never a dependency
* pyyaml only needed for extras (`watchmedo`) and may not be strictly necessary
[1] https://github.com/gorakhargosh/watchdog/blob/master/changelog.rst
Signed-off-by: Tero Kinnunen <tero.kinnunen@vaisala.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Contains fix for CVE-2026-21860
Changelog:
- safe_join on Windows does not allow more special device names,
regardless of extension or surrounding spaces.
- The multipart form parser handles a \r\n sequence at a chunk boundary.
This fixes the previous attempt, which caused incorrect content lengths.
- Fix AttributeError when initializing DebuggedApplication with pin_security=False.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit ecf359d256)
From the release notes:
This is the Werkzeug 3.1.5 security fix release, which fixes security issues
and bugs but does not otherwise change behavior and should not result in
breaking changes compared to the latest feature release.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Changelog:
==============
- safe_join on Windows does not allow special device names. This prevents
reading from these when using send_from_directory. secure_filename already
prevented writing to these.
- The debugger pin fails after 10 attempts instead of 11.
- The multipart form parser handles a \r\n sequence at a chunk boundary.
- Improve CPU usage during Watchdog reloader.
- Request.json annotation is more accurate.
- Traceback rendering handles when the line number is beyond the available
source lines.
- HTTPException.get_response annotation and doc better conveys the distinction
between WSGI and sans-IO responses.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 74aa2bdac6)
Contains fix for CVE-2025-66221.
From the release notes:
This is the Werkzeug 3.1.4 fix release, which fixes bugs but does not otherwise
change behavior and should not result in breaking changes compared to the latest
feature release.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Bug fixes
~~~~~~~~~
- The "in" operator for "HTTPHeaders" was incorrectly case-sensitive, causing
lookups to fail for headers with different casing than the original header name.
This was a regression in version 6.5.3 and has been fixed to restore the intended
case-insensitive behavior from version 6.5.2 and earlier.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit ebca0ae79d)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Changelog:
Fix incorrect escaping of the vertical tabulation character.
This was introduced in 3.10.17.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Contains a fix for CVE-2024-6221 (related patch dropped) and CVE-2024-1681
Changelog:
4.0.1:
- Fix Read the Docs builds
- Update extension.py to clean request.path before logging it
- Update CI to include Python 3.12 and flask 3.0.3
4.0.2:
- Bump requests from 2.31.0 to 2.32.0 in /docs
- Backwards Compatible Fix for CVE-2024-6221
- Add unit tests for Private-Network
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
(cherry picked from commit fbe5524dc8)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Wang Mingyu
Mingli Yu
Gyorgy Sarvari
Ankur Tyagi
Bartosz Golaszewski
Leon Anavi
Tafil Avdyli
Tero Kinnunen