1
0
mirror of https://git.yoctoproject.org/poky synced 2026-07-17 04:07:06 +00:00

python3: Fix CVE-2026-6019

This patch applies the upstream fix [1] and follow-up fix [2], as
referenced in [3] and [4], to address an http.cookies.Morsel.js_output()
flaw where inline JavaScript output escaped quotes but did not neutralize
the HTML parser-sensitive </script> sequence.

[1] https://github.com/python/cpython/commit/3c59b8b53fc75c7f9578d16fb8201ceb43e8f76c
[2] https://github.com/python/cpython/commit/e7d4c3ff421916986223690a8425d2383f6f3802
[3] https://github.com/python/cpython/issues/149144
[4] https://security-tracker.debian.org/tracker/CVE-2026-6019

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2026-6019

(From OE-Core rev: e17af14ae72e21f7f63407ba5c88da160c73bea9)

Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
This commit is contained in:
Sudhir Dumbhare
2026-06-13 03:11:39 -07:00
committed by Paul Barker
parent 1401e6e003
commit 7731db5592
3 changed files with 264 additions and 0 deletions
@@ -40,6 +40,8 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
file://CVE-2026-4519_p1.patch \
file://CVE-2026-4519_p2.patch \
file://CVE-2026-4519_CVE-2026-4786.patch \
file://CVE-2026-6019_p1.patch \
file://CVE-2026-6019_p2.patch \
"
SRC_URI:append:class-native = " \