Every dot release in the 3.8.y series is by definition a bugfix release.

We have been individually patching individual CVEs, when they could
instead have been handled by bumping the dot release.

The only CVE currently known to not be patched by this series is
CVE-2021-29921 which does not yet have an upstream fix in the 3.8.y
branch.

References:
https://nvd.nist.gov/vuln/detail/CVE-2021-29921
https://bugs.python.org/issue36384

Tested on qemux86-64 core-image-minimal with:

IMAGE_INSTALL_append = " python3"

#  enable_gtk_in_qemu: |
DISTRO_FEATURES_append = " opengl"
PACKAGECONFIG_pn-qemu-system-native = "fdt alsa kvm virglrenderer glx gtk+"
#  enable_ptest_and_testimage: |
IMAGE_CLASSES += " testimage"
DISTRO_FEATURES_append = " ptest"
EXTRA_IMAGE_FEATURES = "debug-tweaks ssh-server-dropbear"
TESTIMAGE_AUTO = "1"
TEST_SUITES = " ping ssh python ptest"
TEST_QEMUPARAMS += "-smp 4 -m 8192"
TEST_RUNQEMUPARAMS = "kvm gl-es gtk"
IMAGE_ROOTFS_SIZE ?= "8192"
IMAGE_ROOTFS_EXTRA_SPACE_append = "${@bb.utils.contains("DISTRO_FEATURES", "systemd", " + 4096", "", d)}"
IMAGE_INSTALL_append = " ptest-runner procps coreutils iproute2 sysstat python3-ptest"

The following changes since commit ac8181d9b9ad8360f7dba03aba8b00f008c6ebb4:

  Revert "python3: fix CVE-2021-23336" (2021-06-19 13:11:58 -1000)

are available in the Git repository at:

  git://push.openembedded.org/openembedded-core-contrib timo/dunfell/python3-3.8.10

Tim Orling (10):
  python3: upgrade 3.8.2 -> 3.8.3
  python3: upgrade 3.8.3 -> 3.8.4
  python3: upgrade 3.8.4 -> 3.8.5
  python3: upgrade 3.8.5 -> 3.8.6
  python3: upgrade 3.8.6 -> 3.8.7
  python3: upgrade 3.8.7 -> 3.8.8
  python3: skip tests requiring tools-sdk
  python3: upgrade 3.8.8 -> 3.8.9
  python3: upgrade 3.8.9 -> 3.8.10
  python3-ptest: add newly discovered missing rdeps

 ...20-8492-Fix-AbstractBasicAuthHandler.patch | 248 ------------------
 ...pes.test_find-skip-without-tools-sdk.patch |  33 +++
 ...le.py-correct-the-test-output-format.patch |  24 +-
 .../python/python3/CVE-2019-20907.patch       |  44 ----
 .../python/python3/CVE-2020-14422.patch       |  77 ------
 .../python/python3/CVE-2020-26116.patch       | 104 --------
 .../python/python3/CVE-2020-27619.patch       |  70 -----
 .../python/python3/CVE-2021-3177.patch        | 191 --------------
 .../{python3_3.8.2.bb => python3_3.8.10.bb}   |  20 +-
 9 files changed, 54 insertions(+), 757 deletions(-)
 delete mode 100644 meta/recipes-devtools/python/python3/0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch
 create mode 100644 meta/recipes-devtools/python/python3/0001-test_ctypes.test_find-skip-without-tools-sdk.patch
 delete mode 100644 meta/recipes-devtools/python/python3/CVE-2019-20907.patch
 delete mode 100644 meta/recipes-devtools/python/python3/CVE-2020-14422.patch
 delete mode 100644 meta/recipes-devtools/python/python3/CVE-2020-26116.patch
 delete mode 100644 meta/recipes-devtools/python/python3/CVE-2020-27619.patch
 delete mode 100644 meta/recipes-devtools/python/python3/CVE-2021-3177.patch
 rename meta/recipes-devtools/python/{python3_3.8.2.bb => python3_3.8.10.bb} (95%)

-- 
2.30.2
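
An added example, not part of this series or of the OpenEmbedded recipes: because CVE-2021-29921 has no fix in the 3.8.y branch, the check below can be run with the image's python3 to see whether its `ipaddress` module accepts leading-zero octets, and it shows a strict parser that rejects them on any interpreter version. The helper names (`strict_ipv4`, `audit`) and the sample addresses are constructed for illustration.

```python
"""Added example: probe for the CVE-2021-29921 behaviour, plus a strict parser."""
import ipaddress

# Constructed samples. Leading-zero octets are ambiguous: inet_aton-style
# parsers read them as octal, while the affected ipaddress reads them as decimal.
AMBIGUOUS = ["010.8.8.8", "127.0.0.01", "192.168.001.1"]
UNAMBIGUOUS = ["10.8.8.8", "0.0.0.0", "192.168.1.1"]


def interpreter_accepts_leading_zeros():
    """True if this interpreter's ipaddress parses '010.8.8.8' (the behaviour
    the CVE describes), False if it raises ValueError."""
    try:
        ipaddress.IPv4Address("010.8.8.8")
    except ValueError:
        return False
    return True


def strict_ipv4(text):
    """Parse a dotted-quad IPv4 address, rejecting leading-zero octets
    regardless of which Python version is running."""
    octets = text.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected 4 octets in {text!r}")
    for octet in octets:
        if not (octet.isascii() and octet.isdigit()):
            raise ValueError(f"non-decimal octet {octet!r} in {text!r}")
        if len(octet) > 1 and octet[0] == "0":
            raise ValueError(f"leading zero in octet {octet!r} of {text!r}")
    # Range checking (0-255) is left to ipaddress itself.
    return ipaddress.IPv4Address(text)


def audit(samples):
    """Map each sample to 'rejected' or to the address strict_ipv4 parsed."""
    result = {}
    for sample in samples:
        try:
            result[sample] = str(strict_ipv4(sample))
        except ValueError:
            result[sample] = "rejected"
    return result


if __name__ == "__main__":
    state = "accepts" if interpreter_accepts_leading_zeros() else "rejects"
    print(f"ipaddress in this interpreter {state} leading-zero octets")
    for sample, verdict in audit(AMBIGUOUS + UNAMBIGUOUS).items():
        print(f"{sample:>15} -> {verdict}")
```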
