path: root/meta/recipes-devtools/python/python3_3.8.2.bb
Age | Commit message | Author
2021-06-19 | Revert "python3: fix CVE-2021-23336" [tags: yocto-3.1.9, 2020-04.9-dunfell, 2020-04.9] | Steve Sakoman
Causes build failures on autobuilder
This reverts commit 8a59c47ce4c101b2470a06ecf101ca5ab7d1f82e.
2021-06-15 | python3: fix CVE-2021-23336 | Lee Chee Yang
The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.
References:
https://nvd.nist.gov/vuln/detail/CVE-2021-23336
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23336
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Tim Orling <timothy.t.orling@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2021-03-05 | meta/recipes-devtools: Add HOMEPAGE / DESCRIPTION | Dorinda
Added HOMEPAGE and DESCRIPTION for recipes with missing descriptions or homepage
[YOCTO #13471]
Signed-off-by: Dorinda Bassey <dorindabassey@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit bb05814335e7101bfd8df0a11dc18a044e867bed)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2021-03-05 | python3: fix CVE-2021-3177 | Anuj Mittal
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
(cherry picked from commit 25d1cae49e56797c4c9e91c01697c4de02dee046)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2021-02-04 | python3: Use addtask statement instead of task dependencies | Tomasz Dziendzielski
The externalsrc class deletes the do_patch task, which results in:
| ERROR: Task do_create_manifest in <PATH>/python3_3.8.2.bb depends upon
| non-existent task do_patch in <PATH>/python3_3.8.2.bb
Use addtask to define the correct order to prevent this error, since the addtask mechanism accepts deleted tasks.
[YOCTO #14151]
Signed-off-by: Tomasz Dziendzielski <tomasz.dziendzielski@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit a746d034fa7eaad4f4876fa61c5a8c3c15e211c8)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2021-01-29 | python3: Avoid installing test data into recipe-sysroot | Richard Purdie
There are several thousand files in the test directory which we don't need. Adding these for the native and target sysroots is a crazy amount of files to be throwing around needlessly. Delete the files from the sysroot side of things to tidy up the sysroots and improve performance.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit f6bced03011ad1663d68b0322a2f8aeb4d836646)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2020-12-11 | python3: fix CVE-2019-20907 | Andrej Valek
- move fixing patch for CVE-2020-8492 to the right location
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2020-11-30 | python3: add CVE-2007-4559 to whitelist | Ross Burton
This issue describes expected behaviour, do not use tarfile with untrusted data.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit f4c22e83f2e68ff157da5ea1303acc2931d63f5f)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2020-11-19 | python3: fix CVE-2020-27619 | Lee Chee Yang
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2020-11-19 | python3: whitelist CVE-2020-15523 | Lee Chee Yang
This CVE is an issue where _Py_CheckPython3 uses an uninitialized dllpath when the embedder sets the module path with Py_SetPath. Since it is a .dll issue (on Windows only), whitelist it.
https://bugs.python.org/issue29778
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2020-11-17 | python3: add ldconfig rdepends for python3-ctypes | Mingli Yu
The ctypes module needs to use "ldconfig -p" to find the library path and it simply has below logic if no ldconfig installed.
    except OSError:
        pass
Before the patch:
    >>> from ctypes.util import find_library
    >>> lib_path = find_library('archive')
    >>> print(lib_path)
    None
After the patch:
    >>> from ctypes.util import find_library
    >>> lib_path = find_library('archive')
    >>> print(lib_path)
    libarchive.so.13
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit ddb96902a124a6e1f035f0fd868b0139989bc1bc)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2020-10-20 | python3: fix CVE-2020-26116 | Lee Chee Yang
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2020-07-06 | python3: fix CVE-2020-14422 | Lee Chee Yang
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2020-05-01 | python3: fix CVE-2020-8492 | Trevor Gamblin
CVE: CVE-2020-8492
Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2020-03-13 | python: upgrade 3.8.1 -> 3.8.2 | Trevor Gamblin
THE LICENSE checksum changed in this update due to copyright notice added for 2020.
Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>