1
0
mirror of https://git.yoctoproject.org/poky synced 2026-07-17 04:07:06 +00:00
Commit Graph

9 Commits

Author SHA1 Message Date
Amaury Couderc f47c0cb3bf python3: fix CVE-2026-4224
Backport patch to fix CVE-2026-4224.
https://nvd.nist.gov/vuln/detail/CVE-2026-4224

Upstream fix:
  https://github.com/python/cpython/commit/642865ddf4b232da1f3b1f7abcfa3254c4bfe785

Tested with ptest:
Before: PASSED: 40007, FAILED: 0, SKIPPED: 1877
After: PASSED: 40006, FAILED: 0, SKIPPED: 1877

(From OE-Core rev: 736dd8c8f90d43e4bcdb0954a99764a62fccc20e)

Signed-off-by: Amaury Couderc <amaury.couderc@est.tech>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-07-02 13:42:26 +01:00
Adarsh Jagadish Kamini c0d690e103 python3: CVE-2026-3087 not applicable
CVE link: https://nvd.nist.gov/vuln/detail/CVE-2026-3087

The CVE is only applicable to Windows OS

(From OE-Core rev: 96efecfbb2d1eaa24e1c96fbd6593a7087464844)

Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-26 16:55:54 +01:00
Sudhir Dumbhare e61bf028a6 python3: Fix CVE-2025-13462
Apply the upstream v3.12 fix [1], aligned with the original v3.13 fix [2],
to address incorrect tarfile handling where GNU long name follow-up headers
could be normalized as directories, as referenced in [3].

[1] https://github.com/python/cpython/commit/d10950739a78f54d0718d88fb5a868374603c084
[2] https://github.com/python/cpython/commit/ae99fe3a33b43e303a05f012815cef60b611a9c7
[3] https://security-tracker.debian.org/tracker/CVE-2025-13462

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-13462

(From OE-Core rev: 0b990a354ef858d903d4bed937b1233537c2c478)

Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-26 16:55:53 +01:00
Sudhir Dumbhare 7731db5592 python3: Fix CVE-2026-6019
This patch applies the upstream fix [1] and follow-up fix [2], as
referenced in [3] and [4], to address an http.cookies.Morsel.js_output()
flaw where inline JavaScript output escaped quotes but did not neutralize
the HTML parser-sensitive </script> sequence.

[1] https://github.com/python/cpython/commit/3c59b8b53fc75c7f9578d16fb8201ceb43e8f76c
[2] https://github.com/python/cpython/commit/e7d4c3ff421916986223690a8425d2383f6f3802
[3] https://github.com/python/cpython/issues/149144
[4] https://security-tracker.debian.org/tracker/CVE-2026-6019

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2026-6019

(From OE-Core rev: e17af14ae72e21f7f63407ba5c88da160c73bea9)

Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-26 16:55:53 +01:00
Sudhir Dumbhare 1401e6e003 python3: Fix CVE-2026-4519 and CVE-2026-4786
Apply the upstream v3.12 fix [1], aligned with the original v3.11 fix [2],
and follow-up fix [3] to address CVE-2026-4519 by disallowing URLs with
leading dashes when invoking browser commands, as referenced in [5].

CVE-2026-4786 [6] revealed the CVE-2026-4519 fix was incomplete, as %action
in URLs could bypass dash-prefix checks. Apply follow-up fix [4], noted in
[5], to revalidate the URL after %action expansion.

[1] https://github.com/python/cpython/commit/cbba6119391112aba9c5aebf7b94aea447922c48
[2] https://github.com/python/cpython/commit/ceac1efc66516ac387eef2c9a0ce671895b44f03
[3] https://github.com/python/cpython/commit/96fc5048605863c7b6fd6289643feb0e97edd96c
[4] https://github.com/python/cpython/commit/f4654824ae0850ac87227fb270f9057477946769
[5] https://security-tracker.debian.org/tracker/CVE-2026-4519
[6] https://security-tracker.debian.org/tracker/CVE-2026-4786

References:
https://nvd.nist.gov/vuln/detail/CVE-2026-4519
https://nvd.nist.gov/vuln/detail/CVE-2026-4786

(From OE-Core rev: e6d81b3be531e97058366c81056a38c0b6fa7380)

Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-26 16:55:53 +01:00
Sudhir Dumbhare 703b680089 python3: Fix CVE-2026-3644 and CVE-2026-0672
Apply the upstream v3.13 fix [1], as referenced in [2], to address
CVE-2026-3644 by rejecting control characters in http.cookies.Morsel.update(),
the |= operator, and unpickling paths.

CVE-2026-3644 [2] revealed the CVE-2026-0672 fix was incomplete, as
Morsel.update(), |=, and unpickling could bypass input validation. The fix
also adds output validation to BaseCookie.js_output(), matching the
control-character safeguards already present in BaseCookie.output().

[1] https://github.com/python/cpython/commit/d16ecc6c3626f0e2cc8f08c309c83934e8a979dd
[2] https://security-tracker.debian.org/tracker/CVE-2026-3644

References:
https://security-tracker.debian.org/tracker/CVE-2026-3644
https://security-tracker.debian.org/tracker/CVE-2026-0672
https://nvd.nist.gov/vuln/detail/CVE-2026-3644
https://nvd.nist.gov/vuln/detail/CVE-2026-0672

(From OE-Core rev: ac763f139ba7f836d0fa9377295ef7d3b10f2238)

Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-26 16:55:53 +01:00
Hitendra Prajapati 0c205679dd python3: fix CVE-2026-6100
Pick patch from [1] also mentioned at NVD report in [2]

[1] https://github.com/python/cpython/commit/c3cf71c3366fe49acb776a639405c0eea6169c20
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-6100
[3] https://security-tracker.debian.org/tracker/CVE-2026-6100

(From OE-Core rev: 0bc9ba624b2fbeff3bf7e2ee4d2858b9c702fca1)

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-19 12:49:08 +01:00
Hitendra Prajapati d30ed7ed1b python3: fix for CVE-2026-1502
Pick patch from [1] also mentioned at NVD report in [2]

[1] https://github.com/python/cpython/commit/05ed7ce7ae9e17c23a04085b2539fe6d6d3cef69
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-1502
[3] https://security-tracker.debian.org/tracker/CVE-2026-1502

(From OE-Core rev: fe96d5bee9c45344e98cda9bac85c9bd853d5a7e)

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-19 12:49:08 +01:00
Vijay Anusuri 2820a673f1 python3: upgrade 3.12.12 -> 3.12.13
Drop upstreamed patches.

Release information:
* https://www.python.org/downloads/release/python-31213/
* The release you're looking at is Python 3.12.13, a security bugfix
  release for the legacy 3.12 series.

Handles CVE-2024-6923 CVE-2025-12084 CVE-2025-13836 CVE-2025-13837
CVE-2025-15282 CVE-2025-59375 CVE-2026-0865 CVE-2026-24515 CVE-2026-25210

(From OE-Core rev: 8b0c626633a1e443cfb6e5f73c6120bff5f6a5ef)

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
[YC: Full changelog: https://docs.python.org/release/3.12.13/whatsnew/changelog.html#python-3-12-13]
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-05-04 13:57:31 +01:00