[kirkstone,09/30] python3: upgrade 3.10.9 -> 3.10.12

Message ID	4df594dbc1b391afbe703f663fb2d5c9e9d35078.1690739937.git.steve@sakoman.com
State	Accepted, archived
Commit	4df594dbc1b391afbe703f663fb2d5c9e9d35078
Headers	show Return-Path: <steve@sakoman.com> ip: 209.85.210.172, mailfrom: steve@sakoman.com) From: Steve Sakoman <steve@sakoman.com> To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 09/30] python3: upgrade 3.10.9 -> 3.10.12 Date: Sun, 30 Jul 2023 08:00:32 -1000 Message-Id: <4df594dbc1b391afbe703f663fb2d5c9e9d35078.1690739937.git.steve@sakoman.com> In-Reply-To: <cover.1690739937.git.steve@sakoman.com> References: <cover.1690739937.git.steve@sakoman.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[kirkstone,01/30] libjpeg-turbo: patch CVE-2023-2804 \| expand [kirkstone,01/30] libjpeg-turbo: patch CVE-2023-2804 [kirkstone,02/30] python3: ignore CVE-2023-36632 [kirkstone,03/30] tiff: fix multiple CVEs [kirkstone,04/30] go: fix CVE-2023-29406 net/http insufficient sanitization of Host header [kirkstone,05/30] tiff: fix multiple CVEs [kirkstone,06/30] libtiff: fix CVE-2023-26965 heap-based use after free [kirkstone,07/30] openssh: fix CVE-2023-38408 [kirkstone,08/30] dmidecode: fix CVE-2023-30630 [kirkstone,09/30] python3: upgrade 3.10.9 -> 3.10.12 [kirkstone,10/30] diffutils: update 3.9 -> 3.10 [kirkstone,11/30] libassuan: upgrade 2.5.5 -> 2.5.6 [kirkstone,12/30] libksba: upgrade 1.6.3 -> 1.6.4 [kirkstone,13/30] lttng-ust: upgrade 2.13.5 -> 2.13.6 [kirkstone,14/30] gcc : upgrade to v11.4 [kirkstone,15/30] libxcrypt: fix build with perl-5.38 and use master branch [kirkstone,16/30] kernel: add missing path to search for debug files [kirkstone,17/30] recipetool: Fix inherit in created -native* recipes [kirkstone,18/30] systemd-systemctl: fix errors in instance name expansion [kirkstone,19/30] uboot-extlinux-config.bbclass: fix old override syntax in comment [kirkstone,20/30] mdadm: fix util-linux ptest dependency [kirkstone,21/30] mdadm: fix 07revert-inplace ptest [kirkstone,22/30] mdadm: fix segfaults when running ptests [kirkstone,23/30] mdadm: skip running known broken ptests [kirkstone,24/30] python3: fix missing comma in get_module_deps3.py [kirkstone,25/30] meson.bbclass: Point to llvm-config from native sysroot [kirkstone,26/30] oeqa/runtime/cases/rpm: fix wait_for_no_process_for_user failure case [kirkstone,27/30] oeqa/selftest/devtool: add unit test for "devtool add -b" [kirkstone,28/30] openssl: add PERLEXTERNAL path to test its existence [kirkstone,29/30] openssl: use a glob on the PERLEXTERNAL to track updates on the path [kirkstone,30/30] util-linux: add alternative links for ipcs,ipcrm

Message ID

4df594dbc1b391afbe703f663fb2d5c9e9d35078.1690739937.git.steve@sakoman.com

State

Accepted, archived

Commit

4df594dbc1b391afbe703f663fb2d5c9e9d35078

Headers

From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 09/30] python3: upgrade 3.10.9 -> 3.10.12
Date: Sun, 30 Jul 2023 08:00:32 -1000
Message-Id: 
 <4df594dbc1b391afbe703f663fb2d5c9e9d35078.1690739937.git.steve@sakoman.com>
In-Reply-To: <cover.1690739937.git.steve@sakoman.com>
References: <cover.1690739937.git.steve@sakoman.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[kirkstone,01/30] libjpeg-turbo: patch CVE-2023-2804 | expand

Commit Message

Steve Sakoman July 30, 2023, 6 p.m. UTC

From: Tim Orling <ticotimo@gmail.com>

Security and bugfix updates.

* Drop cve-2023-24329.patch as it is merged in 3.10.12

CVE: CVE-2023-24329

Includes openssl 1.1.1u which addresses:
CVE: CVE-2023-0286
CVE: CVE-2022-4304
CVE: CVE-2022-4203

https://docs.python.org/release/3.10.12/whatsnew/changelog.html#python-3-10-12-final
https://docs.python.org/release/3.10.12/whatsnew/changelog.html#python-3-10-11-final
https://docs.python.org/release/3.10.12/whatsnew/changelog.html#python-3-10-10-final

License-Update: Update Copyright years to include 2023

Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../python/python3/cve-2023-24329.patch       | 50 -------------------
 .../{python3_3.10.9.bb => python3_3.10.12.bb} |  5 +-
 2 files changed, 2 insertions(+), 53 deletions(-)
 delete mode 100644 meta/recipes-devtools/python/python3/cve-2023-24329.patch
 rename meta/recipes-devtools/python/{python3_3.10.9.bb => python3_3.10.12.bb} (98%)

diff --git a/meta/recipes-devtools/python/python3/cve-2023-24329.patch b/meta/recipes-devtools/python/python3/cve-2023-24329.patch
deleted file mode 100644
index d47425d239..0000000000
--- a/meta/recipes-devtools/python/python3/cve-2023-24329.patch
+++ /dev/null
@@ -1,50 +0,0 @@ 
-From 72d356e3584ebfb8e813a8e9f2cd3dccf233c0d9 Mon Sep 17 00:00:00 2001
-From: "Miss Islington (bot)"
- <31488909+miss-islington@users.noreply.github.com>
-Date: Sun, 13 Nov 2022 11:00:25 -0800
-Subject: [PATCH] gh-99418: Make urllib.parse.urlparse enforce that a scheme
- must begin with an alphabetical ASCII character. (GH-99421)
-
-Prevent urllib.parse.urlparse from accepting schemes that don't begin with an alphabetical ASCII character.
-
-RFC 3986 defines a scheme like this: `scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )`
-RFC 2234 defines an ALPHA like this: `ALPHA = %x41-5A / %x61-7A`
-
-The WHATWG URL spec defines a scheme like this:
-`"A URL-scheme string must be one ASCII alpha, followed by zero or more of ASCII alphanumeric, U+002B (+), U+002D (-), and U+002E (.)."`
-(cherry picked from commit 439b9cfaf43080e91c4ad69f312f21fa098befc7)
-
-Co-authored-by: Ben Kallus <49924171+kenballus@users.noreply.github.com>
---- end original header ---
-
-CVE: CVE-2023-24329
-
-Upstream-Status: Backport [see below]
-
-Taken from https://github.com/python/cpython.git
-commit 72d356e3584ebfb8e813a8e9f2cd3dccf233c0d9
-
-CVE fix extracted; test case and update to NEWS abandoned.
-Defuzzed.
-
-Signed-off-by: Joe Slater <joe.slater@windriver.com>
----
- Lib/urllib/parse.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py
-index 26ddf30..1c53acb 100644
---- a/Lib/urllib/parse.py
-+++ b/Lib/urllib/parse.py
-@@ -469,7 +469,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
-         clear_cache()
-     netloc = query = fragment = ''
-     i = url.find(':')
--    if i > 0:
-+    if i > 0 and url[0].isascii() and url[0].isalpha():
-         for c in url[:i]:
-             if c not in scheme_chars:
-                 break
--- 
-2.25.1
-
diff --git a/meta/recipes-devtools/python/python3_3.10.9.bb b/meta/recipes-devtools/python/python3_3.10.12.bb
similarity index 98%
rename from meta/recipes-devtools/python/python3_3.10.9.bb
rename to meta/recipes-devtools/python/python3_3.10.12.bb
index 4ecc7614bb..74f1defc95 100644
--- a/meta/recipes-devtools/python/python3_3.10.9.bb
+++ b/meta/recipes-devtools/python/python3_3.10.12.bb
@@ -4,7 +4,7 @@  DESCRIPTION = "Python is a programming language that lets you work more quickly
 LICENSE = "PSF-2.0"
 SECTION = "devel/python"
 
-LIC_FILES_CHKSUM = "file://LICENSE;md5=a1822df8d0f068628ca6090aedc5bfc8"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=fcf6b249c2641540219a727f35d8d2c2"
 
 SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
            file://run-ptest \
@@ -35,7 +35,6 @@  SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
            file://0001-setup.py-Do-not-detect-multiarch-paths-when-cross-co.patch \
            file://deterministic_imports.patch \
            file://0001-Avoid-shebang-overflow-on-python-config.py.patch \
-           file://cve-2023-24329.patch \
            "
 
 SRC_URI:append:class-native = " \
@@ -44,7 +43,7 @@  SRC_URI:append:class-native = " \
            file://12-distutils-prefix-is-inside-staging-area.patch \
            file://0001-Don-t-search-system-for-headers-libraries.patch \
            "
-SRC_URI[sha256sum] = "5ae03e308260164baba39921fdb4dbf8e6d03d8235a939d4582b33f0b5e46a83"
+SRC_URI[sha256sum] = "afb74bf19130e7a47d10312c8f5e784f24e0527981eab68e20546cfb865830b8"
 
 # exclude pre-releases for both python 2.x and 3.x
 UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar"

[kirkstone,09/30] python3: upgrade 3.10.9 -> 3.10.12

Commit Message

Patch