mirror of
https://git.yoctoproject.org/poky
synced 2026-07-17 04:07:06 +00:00
python3: Fix CVE-2026-3644 and CVE-2026-0672
Apply the upstream v3.13 fix [1], as referenced in [2], to address CVE-2026-3644 by rejecting control characters in http.cookies.Morsel.update(), the |= operator, and unpickling paths. CVE-2026-3644 [2] revealed the CVE-2026-0672 fix was incomplete, as Morsel.update(), |=, and unpickling could bypass input validation. The fix also adds output validation to BaseCookie.js_output(), matching the control-character safeguards already present in BaseCookie.output(). [1] https://github.com/python/cpython/commit/d16ecc6c3626f0e2cc8f08c309c83934e8a979dd [2] https://security-tracker.debian.org/tracker/CVE-2026-3644 References: https://security-tracker.debian.org/tracker/CVE-2026-3644 https://security-tracker.debian.org/tracker/CVE-2026-0672 https://nvd.nist.gov/vuln/detail/CVE-2026-3644 https://nvd.nist.gov/vuln/detail/CVE-2026-0672 (From OE-Core rev: ac763f139ba7f836d0fa9377295ef7d3b10f2238) Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
This commit is contained in:
committed by
Paul Barker
parent
327a87fffb
commit
703b680089
@@ -36,6 +36,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
|
||||
file://0001-test_readline-skip-limited-history-test.patch \
|
||||
file://CVE-2026-1502.patch \
|
||||
file://CVE-2026-6100.patch \
|
||||
file://CVE-2026-3644_CVE-2026-0672.patch \
|
||||
"
|
||||
|
||||
SRC_URI:append:class-native = " \
|
||||
|
||||
Reference in New Issue
Block a user