meta-openembedded

mirror of https://github.com/openembedded/meta-openembedded.git synced 2026-06-14 05:49:57 +00:00

Author	SHA1	Message	Date
Gyorgy Sarvari	9fcdfa8b22	python3-pillow: patch CVE-2026-25990 Details: https://nvd.nist.gov/vuln/detail/CVE-2026-25990 Backport the patch referenced by the NVD advisory. Note that the patch contain some new binary test data, which requires "git" PATCHTOOL - other tools fail to apply binary patches. All ptests passed successfully: Testsuite summary TOTAL: 5011 PASS: 4577 SKIP: 431 XFAIL: 3 FAIL: 0 XPASS: 0 ERROR: 0 DURATION: 59 END: /usr/lib/python3-pillow/ptest 2026-03-06T17:58 STOP: ptest-runner TOTAL: 1 FAIL: 0 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-03-09 07:49:31 +05:30
Gyorgy Sarvari	a892f6cfc9	python3-nltk: upgrade 3.9.2 -> 3.9.3 Contains fix for CVE-2026-14009. Changelog: * Fix CVE-2025-14009: secure ZIP extraction in nltk.downloader * Block path traversal/arbitrary reads in nltk.data for protocol-less refs * Block path traversal/abs paths in corpus readers and FS pointers * Validate external StanfordSegmenter JARs using SHA256 * Add optional sandbox enforcement for filestring() * Maintenance: downloader/zipped models, CI/tooling updates Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit `14d464c150`) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-03-09 07:49:30 +05:30
Leon Anavi	d925b85aee	python3-flask: Upgrade 3.1.2 -> 3.1.3 Upgrade to release 3.1.3: - The session is marked as accessed for operations that only access the keys but not the values, such as in and len. Signed-off-by: Leon Anavi <leon.anavi@konsulko.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit `0badc6de53`) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-03-06 10:09:14 +05:30
Gyorgy Sarvari	b75a502874	python3-werkzeug: upgrade 3.1.5 -> 3.1.6 Contains fix for CVE-2026-27199 Changelog: safe_join on Windows does not allow special devices names in multi-segment paths Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit `9cbc4befe5`) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-03-06 10:09:14 +05:30
Wang Mingyu	34c62e2edf	python3-sqlparse: upgrade 0.5.4 -> 0.5.5 Changelog: ========== * Fix DoS protection to raise SQLParseError instead of silently returning None when grouping limits are exceeded * Fix splitting of BEGIN TRANSACTION statements Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit `48617f7032`) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-03-06 10:09:13 +05:30
Ankur Tyagi	f21e5cdea1	python3-greenlet: upgrade 3.2.4 -> 3.2.5 Fix a crash on Python 3.9 if there are active greenlets during interpreter shutdown https://greenlet.readthedocs.io/en/latest/changes.html#id4 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-03-06 10:09:13 +05:30
Leon Anavi	6928c475f2	python3-filelock: Upgrade 3.20.2 -> 3.20.3 Upgrade to release 3.20.3: - Fix TOCTOU symlink vulnerability in SoftFileLock Signed-off-by: Leon Anavi <leon.anavi@konsulko.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-03-06 10:09:12 +05:30
Leon Anavi	21f3c64e8e	python3-filelock: Upgrade 3.20.1 -> 3.20.2 Upgrade to release 3.20.2: - Support Unix systems without O_NOFOLLOW - [pre-commit.ci] pre-commit autoupdate Signed-off-by: Leon Anavi <leon.anavi@konsulko.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit `8b5e1f5dbf`) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-03-06 10:09:12 +05:30
Wang Mingyu	6829eda4e2	python3-filelock: upgrade 3.20.0 -> 3.20.1 Changelog: CVE-2025-68146: Fix TOCTOU symlink vulnerability in lock file creation Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit `c2710a2df9`) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-03-06 10:09:11 +05:30
Tafil Avdyli	a82f3ae1f3	python3-pybind11-json: fix Targets.cmake trying to reference host The resulting pybind11_jsonTargets.cmake in the dev-package adds an absolute path to python include directories in the target properties: set_target_properties(pybind11_json PROPERTIES INTERFACE_INCLUDE_DIRECTORIES "/usr/include/python3.13;${_IMPORT_PREFIX}/include" ) The patch removes ${PYTHON_INCLUDE_DIRS} which is set by pybind11 from set_target_properties to remove the poisonous host path. Signed-off-by: Tafil Avdyli <tafil@tafhub.de> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit `0332dae9bb`) Signed-off-by: Tafil Avdyli <tafil@tafhub.de> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-03-06 10:09:01 +05:30
Gyorgy Sarvari	a876a9549e	python3-django: upgrade 4.2.27 -> 4.2.28 Contains fixes for CVE-2025-13473, CVE-2025-14550, CVE-2026-1207, CVE-2026-1285, CVE-2026-1287 and CVE-2026-1312 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-02-19 08:20:31 +05:30
Gyorgy Sarvari	52ad98a187	python3-django: upgrade 5.2.9 -> 5.2.11 Changelog: 5.2.11: Contains fixes for CVE-2025-13473, CVE-2025-14550, CVE-2026-1207, CVE-2026-1285, CVE-2026-1287 and CVE-2026-1312 5.2.10: * Fixed a bug in Django 5.2 where data exceeding max_length was silently truncated by QuerySet.bulk_create on PostgreSQL. * Fixed a bug where management command colorized help (introduced in Python 3.14) ignored the --no-color option and the DJANGO_COLORS setting. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-02-19 08:20:31 +05:30
Tero Kinnunen	5329a32c57	python3-watchdog: Remove obsolete dependencies Python watchdog has removed all dependencies except optional `pyyaml` dependency for `watchmedo` utility, like follows [1]: * pathtools dependency was removed in 1.0.0 * python-argh dependency removed in 2.1.6 * requests was never a dependency * pyyaml only needed for extras (`watchmedo`) and may not be strictly necessary [1] https://github.com/gorakhargosh/watchdog/blob/master/changelog.rst Signed-off-by: Tero Kinnunen <tero.kinnunen@vaisala.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-02-19 08:20:30 +05:30
Gyorgy Sarvari	b6fe5458db	python3-python-multipart: patch CVE-2026-24486 Details: https://nvd.nist.gov/vuln/detail/CVE-2026-24486 Pick the patch that is referenced by the NVD advisory. Ptests passed successfully: Testsuite summary TOTAL: 121 PASS: 121 SKIP: 0 XFAIL: 0 FAIL: 0 XPASS: 0 ERROR: 0 DURATION: 2 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-02-19 08:20:29 +05:30
Gyorgy Sarvari	5cae540dd4	python3-werkzeug: upgrade 3.1.4 -> 3.1.5 Contains fix for CVE-2026-21860 Changelog: - safe_join on Windows does not allow more special device names, regardless of extension or surrounding spaces. - The multipart form parser handles a \r\n sequence at a chunk boundary. This fixes the previous attempt, which caused incorrect content lengths. - Fix AttributeError when initializing DebuggedApplication with pin_security=False. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit `ecf359d256`) From the release notes: This is the Werkzeug 3.1.5 security fix release, which fixes security issues and bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-02-19 08:20:27 +05:30
Wang Mingyu	5604ce6479	python3-werkzeug: upgrade 3.1.3 -> 3.1.4 Changelog: ============== - safe_join on Windows does not allow special device names. This prevents reading from these when using send_from_directory. secure_filename already prevented writing to these. - The debugger pin fails after 10 attempts instead of 11. - The multipart form parser handles a \r\n sequence at a chunk boundary. - Improve CPU usage during Watchdog reloader. - Request.json annotation is more accurate. - Traceback rendering handles when the line number is beyond the available source lines. - HTTPException.get_response annotation and doc better conveys the distinction between WSGI and sans-IO responses. Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit `74aa2bdac6`) Contains fix for CVE-2025-66221. From the release notes: This is the Werkzeug 3.1.4 fix release, which fixes bugs but does not otherwise change behavior and should not result in breaking changes compared to the latest feature release. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-02-19 08:20:27 +05:30
Gyorgy Sarvari	87ce1e904b	python3-virtualenv: patch CVE-2026-22702 Details: https://nvd.nist.gov/vuln/detail/CVE-2026-22702 Backport the patch that is referenced by the NVD advisory. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-02-19 08:20:26 +05:30
Gyorgy Sarvari	ea9fb97f53	python3-uvicorn: mark CVE-2020-7694 patched Details: https://nvd.nist.gov/vuln/detail/CVE-2020-7694 The vulnerability was reported to the project[1], and the commit[2] that resolved the issue has been part of the project since version 0.11.7. Mark the CVE as patched due to this. [1]: https://github.com/Kludex/uvicorn/issues/723 [2]: https://github.com/Kludex/uvicorn/commit/895807f94ea9a8e588605c12076b7d7517cda503 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit `a5ee234b8c`) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-02-19 08:20:26 +05:30
Gyorgy Sarvari	4ea2403439	python3-twitter: mark CVE-2012-5825 patched Details: https://nvd.nist.gov/vuln/detail/CVE-2012-5825 The Debian bugtracker[1] indicated that the issue is tracked by upstream in github[2] (with a difference CVE ID, but same issue), where the vulnerability was confirmed. Later in the same github issue the solution is confirmed: the project switched to use the requests library, which doesn't suffer from this vulnerability. Due to this mark the CVE as patched. [1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692444 [2]: https://github.com/tweepy/tweepy/issues/279 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit `3ee544e759`) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-02-19 08:20:26 +05:30
Wang Mingyu	8742c9fac0	python3-tornado: upgrade 6.5.3 -> 6.5.4 Bug fixes ~~~~~~~~~ - The "in" operator for "HTTPHeaders" was incorrectly case-sensitive, causing lookups to fail for headers with different casing than the original header name. This was a regression in version 6.5.3 and has been fixed to restore the intended case-insensitive behavior from version 6.5.2 and earlier. Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit `ebca0ae79d`) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-02-19 08:20:25 +05:30
Wang Mingyu	2b143a275a	python3-tornado: upgrade 6.5.2 -> 6.5.3 Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit `8ba97b6646`) Changelog: https://github.com/tornadoweb/tornado/blob/master/docs/releases/v6.5.3.rst - Fix CVE-2025-67724, CVE-2025-67725 and CVE-2025-67726 - Fix open redirect vulnerabilities in demos - Fix path traversal vulnerabilites in demos Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-02-19 08:20:25 +05:30
Gyorgy Sarvari	7049927e65	python3-pyjwt: ignore CVE-2025-45768 Details: https://nvd.nist.gov/vuln/detail/CVE-2025-45768 The CVE is disputed: though the vulnerability is there, but it comes from incorrect configuration of the library by the main application. Due to this, ignore this CVE. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-02-19 08:20:24 +05:30
Gyorgy Sarvari	f17cb75cac	python3-py: ignore CVE-2022-42969 Details: https://nvd.nist.gov/vuln/detail/CVE-2022-42969 Upstream could not reproduce the issue. The vulnerability has currently the "disputed" flag in the NVD database, and Github has revoked their related advisory[1]. Ignore this CVE due to this. [1]: https://github.com/advisories/GHSA-w596-4wvx-j9j6 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit `91f6b85b36`) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-02-19 08:20:24 +05:30
Gyorgy Sarvari	67474b0bdc	python3-orjson: upgrade 3.10.17 -> 3.10.18 Changelog: Fix incorrect escaping of the vertical tabulation character. This was introduced in 3.10.17. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-02-19 08:20:23 +05:30
Wang Mingyu	a1538075cf	python3-marshmallow: upgrade 4.1.1 -> 4.1.2 Changelog: Merge error store messages without rebuilding collections. Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit `54691ea40a`) Contains fix for CVE-2025-68480 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-02-19 08:20:23 +05:30
Wang Mingyu	b67599470c	python3-marshmallow: upgrade 4.1.0 -> 4.1.1 Bug fix: Ensure URL validator is case-insensitive when using custom schemes Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit `3933501591`) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-02-19 08:20:22 +05:30
Gyorgy Sarvari	341e1204be	python3-m2crypto: mark CVE-2020-25657 as patched Details: https://nvd.nist.gov/vuln/detail/CVE-2020-25657 The commit[1] that fixes the vulnerability has been part of the package since version 0.39.0 [1]: https://git.sr.ht/~mcepl/m2crypto/commit/84c53958def0f510e92119fca14d74f94215827a Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit `ba6468f7a0`) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-02-19 08:20:22 +05:30
Gyorgy Sarvari	49cf55619b	python3-m2crypto: ignore CVE-2009-0127 Details: https://nvd.nist.gov/vuln/detail/CVE-2009-0127 The vulnerability is disputed[1] by upstream: "There is no vulnerability in M2Crypto. Nowhere in the functions are the return values of OpenSSL functions interpreted incorrectly. The functions provide an interface to their users that may be considered confusing, but is not incorrect, nor it is a vulnerability." [1]: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-0127 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit `b46a5452a1`) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-02-19 08:20:21 +05:30
Gyorgy Sarvari	8cbb786347	python3-lief: upgrade 0.17.1 -> 0.17.2 Contains fix for CVE-2025-15504 Changelog: - Differentiate Mach-O FAT magic bytes and Java class - Fix MinGW compilation for some configuration - Fix alignment issue when rebuilding PE relocations - Fix infinite loop when processing v2 dynamic relocation - Ensure that added DYN ELF sections are properly aligned - Fix GnuHash null dereference - Fix strong performance issue when parsing certain Mach-O Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit `cc4aa9b9d0`) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-02-19 08:20:21 +05:30
Gyorgy Sarvari	ea22ad26ba	python3-flask-cors: upgrade 4.0.0 -> 4.0.2 Contains a fix for CVE-2024-6221 (related patch dropped) and CVE-2024-1681 Changelog: 4.0.1: - Fix Read the Docs builds - Update extension.py to clean request.path before logging it - Update CI to include Python 3.12 and flask 3.0.3 4.0.2: - Bump requests from 2.31.0 to 2.32.0 in /docs - Backwards Compatible Fix for CVE-2024-6221 - Add unit tests for Private-Network Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com> (cherry picked from commit `fbe5524dc8`) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-02-19 08:20:20 +05:30
Gyorgy Sarvari	891e25f9bf	python3-cbor2: patch CVE-2025-68131 Details: https://nvd.nist.gov/vuln/detail/CVE-2025-68131 The NVD report mentions a PR as the solution, however in the discussion of that PR it turned out that this is incorrect, and another patch is the solution. That patch was picked. Ptests passed successfully. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-02-19 08:20:16 +05:30
Gyorgy Sarvari	9bc066079f	python3-aiohttp: patch CVE-2025-69230 Details: https://nvd.nist.gov/vuln/detail/CVE-2025-69230 Backport the patch referenced by the NVD advisory. The tests were only partially backported, as the original patch touched some tests that don't exist in this version. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-02-05 06:59:42 +05:30
Gyorgy Sarvari	4814f0631c	python3-aiohttp: patch CVE-2025-69229 Details: https://nvd.nist.gov/vuln/detail/CVE-2025-69229 Backport the patches referenced by the NVD advisory. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-02-05 06:59:41 +05:30
Gyorgy Sarvari	6ac033a227	python3-aiohttp: patch CVE-2025-69228 Details: https://nvd.nist.gov/vuln/detail/CVE-2025-69228 Backport the patch that is referenced by the NVD advisory. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-02-05 06:59:41 +05:30
Gyorgy Sarvari	0ea6c04dde	python3-aiohttp: patch CVE-2025-69227 Details: https://nvd.nist.gov/vuln/detail/CVE-2025-69227 Backport the patch that is referenced by teh NVD advisory. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-02-05 06:59:40 +05:30
Gyorgy Sarvari	4ac10b5dbb	python3-aiohttp: patch CVE-2025-69226 Details: https://nvd.nist.gov/vuln/detail/CVE-2025-69226 Backport the patch that is referenced by the NVD advisory. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-02-05 06:59:40 +05:30
Gyorgy Sarvari	0b467f2380	python3-aiohttp: patch CVE-2025-69225 Details: https://nvd.nist.gov/vuln/detail/CVE-2025-69225 Backport the patch that is referenced by the NVD report. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-02-05 06:59:39 +05:30
Gyorgy Sarvari	c24b8f9ced	python3-aiohttp: patch CVE-2025-69224 Details: https://nvd.nist.gov/vuln/detail/CVE-2025-69224 Backport the patch indicated by the NVD advisory. Only a part of the tests were backported, because some of the new tests require a compression method that is not supported yet by this version. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-02-05 06:59:36 +05:30
Peter Marko	060d098b4f	python3-protobuf: upgrade 6.33.2 -> 6.33.5 Solves CVE-2026-0994. Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-02-02 08:13:01 +05:30
Liu Yiding	7529c8a3bd	python3-protobuf: upgrade 6.33.1 -> 6.33.2 Change log: https://github.com/protocolbuffers/protobuf/releases/tag/v33.2 Signed-off-by: Liu Yiding <liuyd.fnst@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-02-02 08:13:01 +05:30
Gyorgy Sarvari	c6849e7529	python3-django: upgrade 5.2.8 -> 5.2.9 Includes fix for CVE-2025-13372 and CVE-2025-64460 Changelog: https://github.com/django/django/blob/5.2.9/docs/releases/5.2.9.txt Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit `2538918df1`) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-01-06 18:07:59 +05:30
Gyorgy Sarvari	9a6b60af3e	python3-django: upgrade 4.2.26 -> 4.2.27 Contains fix for CVE-2025-13372 and CVE-2025-64460 Changelog: https://github.com/django/django/blob/4.2.27/docs/releases/4.2.27.txt Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit `fae6fe9b41`) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-01-06 18:07:58 +05:30
Gyorgy Sarvari	b964b9858b	python3-configobj: ignore CVE-2023-26112 Details: https://nvd.nist.gov/vuln/detail/CVE-2023-26112 The used version (5.0.9) contains the fix[1] already - ignore the CVE. [1]: https://github.com/DiffSK/configobj/commit/7c618b0bbaff6ecaca51a6f05b29795d1377a4a5 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-01-06 18:07:58 +05:30
Leon Anavi	16316689b0	python3-huey: Upgrade 2.5.4 -> 2.5.5 Upgrade to release 2.5.5: - Fix for pypi Signed-off-by: Leon Anavi <leon.anavi@konsulko.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit `7954f37b3c`) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2025-12-17 14:00:27 +05:30
Leon Anavi	afeafe9ac3	python3-cloudpickle: Upgrade 3.1.1 -> 3.1.2 Upgrade to release 3.1.2: - Fix pickling of abstract base classes containing type annotations for Python 3.14. License-Update: Use file LICENSE Signed-off-by: Leon Anavi <leon.anavi@konsulko.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit `b428f67575`) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2025-12-17 14:00:27 +05:30
Leon Anavi	2ded78c56b	python3-polyline: Upgrade 2.0.3 -> 2.0.4 Upgrade to release 2.0.4: - Add py.typed marker Signed-off-by: Leon Anavi <leon.anavi@konsulko.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit `71055538b5`) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2025-12-17 14:00:27 +05:30
Wang Mingyu	1f836596b9	python3-sqlparse: upgrade 0.5.3 -> 0.5.4 Changelog: ============= Enhancements --------------- * Add support for Python 3.14. * Add type annotations to top-level API functions and include py.typed marker for PEP 561 compliance, enabling type checking with mypy and other tools * Add pre-commit hook support. sqlparse can now be used as a pre-commit hook to automatically format SQL files. The CLI now supports multiple files and an '--in-place' flag for in-place editing * Add 'ATTACH' and 'DETACH' to PostgreSQL keywords * Add 'INTERSECT' to close keywords in WHERE clause * Support 'REGEXP BINARY' comparison operator Bug Fixes ---------- * Add additional protection against denial of service attacks when parsing very large lists of tuples. This enhances the existing recursion protections with configurable limits for token processing to prevent DoS through algorithmic complexity attacks. The new limits (MAX_GROUPING_DEPTH=100, MAX_GROUPING_TOKENS=10000) can be adjusted or disabled (by setting to None) if needed for legitimate large SQL statements. * Remove shebang from cli.py and remove executable flag * Fix strip_comments not removing all comments when input contains only comments * Fix splitting statements with IF EXISTS/IF NOT EXISTS inside BEGIN...END blocks * Fix splitting on semicolons inside BEGIN...END blocks Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit `705abb20c1`) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2025-12-17 14:00:26 +05:30
Wang Mingyu	5f28ef7349	python3-pymodbus: upgrade 3.11.3 -> 3.11.4 Changelog: full support for python 3.14 and a number of packages (like mypy) have been updated. Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit `b745baf478`) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2025-12-17 14:00:26 +05:30
Wang Mingyu	6e0c4cd1a5	python3-pybcj: upgrade 1.0.6 -> 1.0.7 Changelog: ============ - Support for python 3.14 - ci: fix test and release workflows Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit `797e29ed42`) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2025-12-17 14:00:25 +05:30
Wang Mingyu	0912147bde	python3-gmpy2: upgrade 2.2.1 -> 2.2.2 Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit `e274146fa4`) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2025-12-17 14:00:25 +05:30

1 2 3 4 5 ...

8795 Commits