[OE-core][mickledore][PATCH 1/1] python3-cryptography: fix CVE-2023-49083

2023-12-07 Thread Narpat Mali via lists.openembedded.org
From: Narpat Mali cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a

[OE-core][kirkstone][PATCH 1/1] python3-cryptography: fix CVE-2023-49083

2023-12-06 Thread Narpat Mali via lists.openembedded.org
From: Narpat Mali cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a

[OE-core][kirkstone][PATCH 1/1] python3-jinja2: Fixed ptest result output as per the standard

2023-11-07 Thread Narpat Mali via lists.openembedded.org
From: Narpat Mali There was an extra space between the result and ':'. After removing extra space, the ptest result will be: result : testname -> result: testname Signed-off-by: Narpat Mali --- meta/recipes-devtools/python/python3-jinja2/run-ptest | 2 +- 1 file changed, 1 insertion(+), 1

Re: [OE-core][kirkstone][PATCH 1/1] python3-jinja2: fix for the ptest result format

2023-10-02 Thread Narpat Mali via lists.openembedded.org
On 02-10-2023 20:04, Steve Sakoman wrote: CAUTION: This email comes from a non Wind River email account! Do not click links or open attachments unless you recognize the sender and know the content is safe. On Thu, Sep 28, 2023 at 10:24 PM Narpat Mali via lists.openembedded.org wrote: From

[OE-core][kirkstone][PATCH 1/1] python3-jinja2: fix for the ptest result format

2023-09-29 Thread Narpat Mali via lists.openembedded.org
From: Narpat Mali The output of python3-jinja2 ptest should follow a unified format as below result: testname Reference: https://wiki.yoctoproject.org/wiki/Ptest Signed-off-by: Narpat Mali --- meta/recipes-devtools/python/python3-jinja2/run-ptest | 2 +- 1 file changed, 1 insertion(+), 1

[OE-core][mickledore][PATCH 1/1] python3-git: upgrade 3.1.32 -> 3.1.37

2023-09-25 Thread Narpat Mali via lists.openembedded.org
From: Narpat Mali The delta between 3.1.32 & 3.1.37 contains the CVE-2023-40590 and CVE-2023-41040 fixes and other bugfixes. Changelog: == - WIP Quick doc by @LeoDaCoda in #1608 - Partial clean up wrt mypy and black by @bodograumann in #1617 - Disable merge_includes in config writers by

[OE-core][kirkstone][PATCH 1/1] python3-git: upgrade 3.1.32 -> 3.1.37

2023-09-25 Thread Narpat Mali via lists.openembedded.org
From: Narpat Mali The delta between 3.1.32 & 3.1.37 contains the CVE-2023-40590 and CVE-2023-41040 fixes and other bugfixes. Changelog: == - WIP Quick doc by @LeoDaCoda in #1608 - Partial clean up wrt mypy and black by @bodograumann in #1617 - Disable merge_includes in config writers by

[OE-core][kirkstone][PATCH 1/1] python3-pygments: Fix CVE-2022-40896

2023-09-06 Thread Narpat Mali via lists.openembedded.org
From: Narpat Mali CVE-2022-40896: A ReDoS issue was discovered in pygments/lexers/smithy.py in pygments through 2.15.0 via SmithyLexer. The CVE issue is fixed by 3 different commits between the releases 2.14.0 (for Smithy lexer), 2.15.0 (for SQL+Jinja lexers) and 2.15.1 (for Java properties) as

[OE-core][mickledore][PATCH 1/1] python3-pygments: fix for CVE-2022-40896

2023-08-29 Thread Narpat Mali via lists.openembedded.org
From: Narpat Mali A ReDoS issue was discovered in pygments/lexers/smithy.py in pygments through 2.15.0 via SmithyLexer. The CVE issue is fixed by these 3 different commits in different versions: 1. Improve the Smithy metadata matcher (These changes are already available as part of current

[OE-core][kirkstone][PATCH 1/1] python3-git: upgrade 3.1.27 -> 3.1.32

2023-08-25 Thread Narpat Mali via lists.openembedded.org
From: Narpat Mali The delta between 3.1.27 & 3.1.32 contains the CVE-2022-24439 & CVE-2023-40267 fixes and other bugfixes. Changelog: https://github.com/gitpython-developers/GitPython/releases/tag/3.1.32 https://gitpython.readthedocs.io/en/stable/changes.html#id5 - Bump

[OE-core][mickledore][PATCH 1/1] ffmpeg: add CVE_CHECK_IGNORE for CVE-2023-39018

2023-08-25 Thread Narpat Mali via lists.openembedded.org
From: Narpat Mali CVE-2023-39018 belongs to ffmpeg-cli-wrapper (Java wrapper around the FFmpeg CLI) and not ffmpeg itself. As per the CVE description, it is mentioned as FFmpeg 0.7.0, which is the version for ffmpeg-cli-wrapper, and ffmpeg doesn't have a 0.7.0 version at all. Debian & Bugzilla

[OE-core][kirkstone][PATCH 1/1] ffmpeg: add CVE_CHECK_IGNORE for CVE-2023-39018

2023-08-24 Thread Narpat Mali via lists.openembedded.org
From: Narpat Mali CVE-2023-39018 belongs to ffmpeg-cli-wrapper (Java wrapper around the FFmpeg CLI) and not ffmpeg itself. As per the CVE description, it is mentioned as FFmpeg 0.7.0, which is the version for ffmpeg-cli-wrapper, and ffmpeg doesn't have a 0.7.0 version at all. Debian & Bugzilla

[OE-core][mickledore][PATCH 1/1] python3-git: upgrade 3.1.31 -> 3.1.32

2023-08-24 Thread Narpat Mali via lists.openembedded.org
From: Narpat Mali The delta between 3.1.31 & 3.1.32 contains the CVE-2023-40267 fix and other bugfixes. Changelog: https://github.com/gitpython-developers/GitPython/releases/tag/3.1.32 - Bump cygwin/cygwin-install-action from 3 to 4 by @dependabot in #1572 - Fix up the commit trailers

[OE-core][PATCH 1/1] ffmpeg: add CVE_STATUS for CVE-2023-39018

2023-08-18 Thread Narpat Mali via lists.openembedded.org
From: Narpat Mali CVE-2023-39018 belongs to ffmpeg-cli-wrapper (Java wrapper around the FFmpeg CLI) and not ffmpeg itself. As per the CVE description, it is mentioned as FFmpeg 0.7.0, which is the version for ffmpeg-cli-wrapper, and ffmpeg doesn't have a 0.7.0 version at all. Debian & Bugzilla

[OE-core][mickledore][PATCH 1/1] python3-pygments: upgrade 2.14.0 -> 2.15.1

2023-08-08 Thread Narpat Mali via lists.openembedded.org
From: Narpat Mali * Upstream has dropped setup.py * Inherit python_setuptools_build_meta instead of setuptools3 * Add self as maintainer, as this is a dependency for python3-sphinx Adds some new lexers, updates a few others. A handful of bug fixes.

[OE-core][mickledore][PATCH 1/1] python3-certifi: upgrade 2022.12.7 -> 2023.7.22

2023-08-03 Thread Narpat Mali via lists.openembedded.org
From: Narpat Mali python3-certifi 2023.7.22 contains the CVE-2023-37920 fix. No changelog provided. Commits: 8fb96ed (tag: 2023.07.22) 2023.07.22 afe7722 Bump actions/setup-python from 4.6.1 to 4.7.0 (#230) 2038739 Bump dessant/lock-threads from 3.0.0 to 4.0.1 (#229) 44df761 Hash pin Actions

Re: [OE-core][kirkstone][PATCH 1/1] python3-certifi: fix CVE-2023-37920

2023-08-02 Thread Narpat Mali via lists.openembedded.org
pat Thanks, Anuj On Wed, 2023-08-02 at 17:57 +0000, Narpat Mali via lists.openembedded.org wrote: From: Narpat Mali Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi prior to vers

[OE-core][kirkstone][PATCH 1/1] python3-certifi: fix CVE-2023-37920

2023-08-02 Thread Narpat Mali via lists.openembedded.org
From: Narpat Mali Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes "e-Tugra" root certificates. e-Tugra's root certificates were subject to an

[OE-core][kirkstone][PATCH 1/1] openssl: fix for CVE-2023-2975 & CVE-2023-3446

2023-08-01 Thread Narpat Mali via lists.openembedded.org
From: Narpat Mali CVE-2023-2975: AES-SIV implementation ignores empty associated data entries https://nvd.nist.gov/vuln/detail/CVE-2023-2975 CVE-2023-3446: Excessive time spent checking DH keys and parameters https://nvd.nist.gov/vuln/detail/CVE-2023-3446 Have also tested openssl ptest with

[OE-core][kirkstone][PATCH 1/1] python3-requests: fix for CVE-2023-32681

2023-06-05 Thread Narpat Mali via lists.openembedded.org
From: Narpat Mali Requests is an HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use `rebuild_proxies` to reattach the `Proxy-Authorization` header to requests. For
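The leak described in the CVE-2023-32681 snippet above is easiest to see in a small model of the redirect step. The following is an added illustration, not code from Requests or from this patch: it reimplements a simplified `rebuild_proxies` with a `vulnerable` switch, a stand-in proxy map with credentials in the URL userinfo (the hostnames are hypothetical), and a crude model of what a forward proxy does with the header on plain HTTP (reads and strips it) versus HTTPS (only sees the CONNECT, so anything left in the request headers is tunneled to the origin). The hardened branch mirrors the published fix, which stops re-attaching the header for https schemes because urllib3 already sends the credentials on the CONNECT request.

```python
"""Model of how a redirect-following client re-attaches Proxy-Authorization.
Illustrative code only; it is not the Requests implementation."""
import base64
from urllib.parse import urlparse, unquote

# Constructed proxy configuration with credentials in the URL userinfo,
# the setup the advisory identifies as affected (hostnames are hypothetical).
PROXIES = {
    "http": "http://alice:s3cret@proxy.example.invalid:8080",
    "https": "http://alice:s3cret@proxy.example.invalid:8080",
}


def basic_auth_str(username, password):
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return "Basic " + token


def get_auth_from_url(url):
    """Pull userinfo credentials out of a proxy URL, if any."""
    parts = urlparse(url)
    if not parts.username:
        return None, None
    return unquote(parts.username), unquote(parts.password or "")


def rebuild_proxies(headers, url, proxies, vulnerable):
    """Decide whether Proxy-Authorization belongs in the *request* headers
    after a redirect to `url`. Mutates `headers`; returns the proxy URL used.

    vulnerable=True  re-attaches the header for every scheme (the behaviour
                     the advisory describes).
    vulnerable=False only re-attaches for plain http, where the proxy reads
                     the request itself; for https the credentials travel on
                     the CONNECT request, and anything left in `headers` is
                     tunneled, unseen by the proxy, straight to the origin.
    """
    scheme = urlparse(url).scheme
    headers.pop("Proxy-Authorization", None)
    proxy = proxies.get(scheme)
    username, password = get_auth_from_url(proxy) if proxy else (None, None)
    if username and password and (vulnerable or not scheme.startswith("https")):
        headers["Proxy-Authorization"] = basic_auth_str(username, password)
    return proxy


def headers_seen_by_origin(redirect_chain, proxies, vulnerable):
    """Follow a constructed list of redirect targets and return the headers the
    final origin receives. Proxy model: on http it strips Proxy-Authorization
    before forwarding; on https it only sees CONNECT and passes the tunneled
    request through untouched."""
    headers = {"User-Agent": "example/1.0"}
    for location in redirect_chain:
        rebuild_proxies(headers, location, proxies, vulnerable)
    sent = dict(headers)
    if urlparse(redirect_chain[-1]).scheme == "http":
        sent.pop("Proxy-Authorization", None)
    return sent


if __name__ == "__main__":
    target = ["https://origin.example.invalid/"]
    leak = headers_seen_by_origin(target, PROXIES, vulnerable=True)
    safe = headers_seen_by_origin(target, PROXIES, vulnerable=False)
    print("vulnerable, origin sees proxy creds:", "Proxy-Authorization" in leak)
    print("fixed,      origin sees proxy creds:", "Proxy-Authorization" in safe)
```

Run as a script it reports `True` for the vulnerable branch and `False` for the fixed one on an HTTPS target; for an HTTP target both branches report `False`, matching the advisory's observation that only redirects to HTTPS endpoints leak.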

[OE-core][kirkstone][PATCH 1/1] python3-cryptography: fix for CVE-2023-23931

2023-05-05 Thread Narpat Mali via lists.openembedded.org
From: Narpat Mali cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions `Cipher.update_into` would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable
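The CVE-2023-23931 snippet above turns on one check: an `update_into`-style API must refuse a destination that only exposes a read-only buffer, otherwise a native write goes straight into an object Python promised was immutable. The example below is added here and is not cryptography's code or the patch; it uses a toy repeating-key XOR (not a cipher, just something that produces bytes to write) and performs the writability check through `memoryview(...).readonly` before anything is written, so `bytes` is rejected while `bytearray` and writable `memoryview` slices are accepted.

```python
"""Writable-destination guard for an update_into-style API.
Added illustration; the XOR "cipher" is a placeholder, not real cryptography."""

KEY = bytes.fromhex("0123456789abcdef0123456789abcdef")  # constructed toy key


def toy_keystream(n):
    """Repeating-key bytes to XOR with; stands in for a real cipher's output."""
    return bytes(KEY[i % len(KEY)] for i in range(n))


def writable(buf):
    """True if `buf` exposes a writable buffer (bytearray, writable memoryview,
    mmap, ...); False for bytes and other read-only buffer providers."""
    return not memoryview(buf).readonly


def update_into(data, buf):
    """Transform `data` into `buf` in place and return the number of bytes
    written. The read-only check happens before the first write, so a bytes
    object is rejected with TypeError rather than silently mutated."""
    src = memoryview(data).cast("B")
    dst = memoryview(buf)
    if dst.readonly:
        raise TypeError(
            "destination buffer must be writable (e.g. bytearray), "
            f"got read-only {type(buf).__name__}"
        )
    dst = dst.cast("B")
    if len(dst) < len(src):
        raise ValueError(f"destination too small: need {len(src)}, have {len(dst)}")
    ks = toy_keystream(len(src))
    for i in range(len(src)):
        dst[i] = src[i] ^ ks[i]
    return len(src)


def describe(buf):
    """Short label used by the demo below."""
    return "writable" if writable(buf) else "read-only"


if __name__ == "__main__":
    plaintext = b"attack at dawn!!"          # constructed 16-byte input
    out = bytearray(len(plaintext))
    n = update_into(plaintext, out)
    print(n, out.hex())
    for candidate in (bytes(16), bytearray(16), memoryview(bytearray(32))[8:24]):
        print(type(candidate).__name__, "->", describe(candidate))
    try:
        update_into(plaintext, bytes(16))
    except TypeError as e:
        print("rejected:", e)
```

XORing the output a second time with the same keystream restores the input, which is a convenient way to confirm the bytes actually landed in the caller's buffer rather than in a copy.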

[OE-core][kirkstone][PATCH 1/1] ffmpeg: fix for CVE-2022-48434

2023-04-28 Thread Narpat Mali via lists.openembedded.org
From: Narpat Mali libavcodec/pthread_frame.c in FFmpeg before 5.1.2, as used in VLC and other products, leaves stale hwaccel state in worker threads, which allows attackers to trigger a use-after-free and execute arbitrary code in some circumstances (e.g., hardware re-initialization upon a