* [Buildroot] [PATCH 1/1] package/python3: security bump version to 3.11.4
@ 2023-06-08 16:53 Bernd Kuhls
  2023-06-18 11:41 ` Peter Korsgaard
  0 siblings, 1 reply; 3+ messages in thread
From: Bernd Kuhls @ 2023-06-08 16:53 UTC (permalink / raw)
  To: buildroot; +Cc: Thomas Petazzoni, Asaf Kahlon

Rebased two patches.

Changelog:
https://docs.python.org/release/3.11.4/whatsnew/changelog.html#python-3-11-4

Fixes the following security problems:

- gh-99889: Fixed a security flaw in uu.decode() that could allow for
  directory traversal based on the input if no out_file was specified.

- gh-104049: Do not expose the local on-disk location in directory
  indexes produced by http.client.SimpleHTTPRequestHandler.

- gh-102153: urllib.parse.urlsplit() now strips leading C0 control and
  space characters following the specification for URLs defined by WHATWG
  in response to CVE-2023-24329. Patch by Illia Volochii.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
---
 .../0012-Add-an-option-to-disable-lib2to3.patch   |  8 +++++---
 ...4-Add-an-option-to-disable-the-tk-module.patch | 15 +++++++++------
 package/python3/python3.hash                      |  2 +-
 package/python3/python3.mk                        |  2 +-
 4 files changed, 16 insertions(+), 11 deletions(-)

diff --git a/package/python3/0012-Add-an-option-to-disable-lib2to3.patch b/package/python3/0012-Add-an-option-to-disable-lib2to3.patch
index 0085d5a63f..228b86a90b 100644
--- a/package/python3/0012-Add-an-option-to-disable-lib2to3.patch
+++ b/package/python3/0012-Add-an-option-to-disable-lib2to3.patch
@@ -12,6 +12,8 @@ Signed-off-by: Samuel Martin <s.martin49@gmail.com>
 Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
 [ Adam Duskett: ported to Python 3.10.0 ]
 Signed-off-by: Adam Duskett <aduskett@gmail.com>
+[ Bernd Kuhls: ported to Python 3.11.4]
+Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
 ---
  Makefile.pre.in | 17 ++++++++++++-----
  configure.ac    |  6 ++++++
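
Review bot: The added tag line "[ Bernd Kuhls: ported to Python 3.11.4]" is missing the space before the closing bracket; the existing line directly above it reads "[ Adam Duskett: ported to Python 3.10.0 ]". Suggest "[ Bernd Kuhls: ported to Python 3.11.4 ]" here and on the identical line added to 0014-Add-an-option-to-disable-the-tk-module.patch.
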
@@ -48,9 +50,9 @@ index 403380e181..f5d0573067 100644
 -		lib2to3/tests/data \
 -		lib2to3/tests/data/fixers \
 -		lib2to3/tests/data/fixers/myfixes \
- 		test test/audiodata \
- 		test/capath test/cjkencodings \
- 		test/data test/decimaltestdata \
+ 		test \
+ 		test/audiodata \
+ 		test/capath \
 @@ -2013,6 +2010,14 @@ ifeq (@PYDOC@,yes)
  LIBSUBDIRS += pydoc_data
  endif
diff --git a/package/python3/0014-Add-an-option-to-disable-the-tk-module.patch b/package/python3/0014-Add-an-option-to-disable-the-tk-module.patch
index 04f7e34435..b89e1d27bc 100644
--- a/package/python3/0014-Add-an-option-to-disable-the-tk-module.patch
+++ b/package/python3/0014-Add-an-option-to-disable-the-tk-module.patch
@@ -9,6 +9,8 @@ Signed-off-by: Samuel Martin <s.martin49@gmail.com>
 Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
 [ Adam Duskett: ported to Python 3.10.0 ]
 Signed-off-by: Adam Duskett <aduskett@gmail.com>
+[ Bernd Kuhls: ported to Python 3.11.4]
+Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
 ---
  Makefile.pre.in | 10 +++++++---
  configure.ac    |  9 +++++++++
@@ -26,14 +28,15 @@ index 9f4cdf14cf..4f83911200 100644
  		tomllib \
  		turtledemo \
  		unittest \
-@@ -2001,8 +2000,6 @@ TESTSUBDIRS=	ctypes/test \
- 		test/tracedmodules \
- 		test/xmltestdata test/xmltestdata/c14n-20 \
+@@ -2038,9 +2038,6 @@
+ 		test/xmltestdata \
+ 		test/xmltestdata/c14n-20 \
  		test/ziptestdata \
--		tkinter/test tkinter/test/test_tkinter \
+-		tkinter/test \
+-		tkinter/test/test_tkinter \
 -		tkinter/test/test_ttk \
- 		unittest/test unittest/test/testmock
- 
+ 		unittest/test \
+ 		unittest/test/testmock
  ifeq (@PYDOC@,yes)
 @@ -2021,6 +2018,13 @@ ifeq (@SQLITE3@,yes)
  LIBSUBDIRS += sqlite3
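
Review bot: The regenerated inner hunk header "@@ -2038,9 +2038,6 @@" does not fit the headers around it: it has the same start line on both sides where the header it replaces had 2001 and 2000, it drops the "TESTSUBDIRS=" section text, and the next header, "@@ -2021,6 +2018,13 @@ ifeq (@SQLITE3@,yes)", still carries the old numbers, so the line numbers in this file now run backwards. The refreshed hunk also no longer has the empty context line that used to sit before "ifeq (@PYDOC@,yes)". Regenerating the whole patch from a 3.11.4 tree with git format-patch would keep headers and context consistent; the unchanged "@@ -2013,6 +2010,14 @@ ifeq (@PYDOC@,yes)" header in 0012 looks stale in the same way.
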
diff --git a/package/python3/python3.hash b/package/python3/python3.hash
index b04ee7fa2c..6c43e01a44 100644
--- a/package/python3/python3.hash
+++ b/package/python3/python3.hash
@@ -1,3 +1,3 @@
 # Locally computed
-sha256  8a5db99c961a7ecf27c75956189c9602c968751f11dbeae2b900dbff1c085b5e  Python-3.11.3.tar.xz
+sha256  2f0e409df2ab57aa9fc4cbddfb976af44e4e55bf6f619eee6bc5c2297264a7f6  Python-3.11.4.tar.xz
 sha256  3b2f81fe21d181c499c59a256c8e1968455d6689d269aa85373bfb6af41da3bf  LICENSE
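
Review bot: The new Python-3.11.4.tar.xz hash still sits under the bare "# Locally computed" comment, which does not tell a reader whether the tarball was checked against anything published by upstream before it was hashed. For a security bump, consider recording in the comment what the download was verified against (for example an upstream signature), so the sha256 is traceable to more than one local download.
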
diff --git a/package/python3/python3.mk b/package/python3/python3.mk
index ece5cad93e..bdb7cfd22f 100644
--- a/package/python3/python3.mk
+++ b/package/python3/python3.mk
@@ -5,7 +5,7 @@
 ################################################################################
 
 PYTHON3_VERSION_MAJOR = 3.11
-PYTHON3_VERSION = $(PYTHON3_VERSION_MAJOR).3
+PYTHON3_VERSION = $(PYTHON3_VERSION_MAJOR).4
 PYTHON3_SOURCE = Python-$(PYTHON3_VERSION).tar.xz
 PYTHON3_SITE = https://python.org/ftp/python/$(PYTHON3_VERSION)
 PYTHON3_LICENSE = Python-2.0, others
-- 
2.39.2

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
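
An added example, not part of the original patch or of CPython: a scheme check that gives the same verdict before and after the urlsplit() change listed under gh-102153, plus a probe for whether the interpreter in a built image carries that change. The function names and the blocked-scheme set are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# C0 control characters and space (U+0000..U+0020), the characters the
# commit message says urlsplit() strips from the front of a URL in 3.11.4.
C0_AND_SPACE = "".join(chr(c) for c in range(0x21))

# Constructed policy for this example only.
BLOCKED_SCHEMES = frozenset({"file", "ftp"})


def interpreter_strips_leading_c0():
    """Probe the running interpreter for the gh-102153 behaviour."""
    return urlsplit(" https://example.org/").scheme == "https"


def has_leading_c0(url):
    """True if the raw input starts with a C0 control or space (worth logging)."""
    return url[:1] != "" and url[0] in C0_AND_SPACE


def split_normalized(url):
    """Strip leading C0/space ourselves, then parse; same result on any version."""
    return urlsplit(url.lstrip(C0_AND_SPACE))


def scheme_allowed(url, blocked=BLOCKED_SCHEMES):
    """Allow only URLs with an explicit scheme that is not on the blocklist."""
    scheme = split_normalized(url).scheme.lower()
    # A schemeless string is rejected rather than guessed at.
    return bool(scheme) and scheme not in blocked


if __name__ == "__main__":
    print("interpreter strips leading C0/space:", interpreter_strips_leading_c0())
    # Constructed sample inputs.
    for sample in ("https://example.org/", " \tfile:///tmp/x", "\x1fftp://example.org/"):
        print(repr(sample), has_leading_c0(sample), scheme_allowed(sample))
```

Running the probe with the target's python3 shows whether the bumped package reached the image; the normalized check is for code that may still run on an older interpreter.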


* Re: [Buildroot] [PATCH 1/1] package/python3: security bump version to 3.11.4
  2023-06-08 16:53 [Buildroot] [PATCH 1/1] package/python3: security bump version to 3.11.4 Bernd Kuhls
@ 2023-06-18 11:41 ` Peter Korsgaard
  2023-07-06  9:24   ` Peter Korsgaard
  0 siblings, 1 reply; 3+ messages in thread
From: Peter Korsgaard @ 2023-06-18 11:41 UTC (permalink / raw)
  To: Bernd Kuhls; +Cc: Asaf Kahlon, Thomas Petazzoni, buildroot

>>>>> "Bernd" == Bernd Kuhls <bernd.kuhls@t-online.de> writes:

 > Rebased two patches.
 > Changelog:
 > https://docs.python.org/release/3.11.4/whatsnew/changelog.html#python-3-11-4

 > Fixes the following security problems:

 > - gh-99889: Fixed a security flaw in uu.decode() that could allow for
 >   directory traversal based on the input if no out_file was specified.

 > - gh-104049: Do not expose the local on-disk location in directory
 >   indexes produced by http.client.SimpleHTTPRequestHandler.

 > - gh-102153: urllib.parse.urlsplit() now strips leading C0 control and
 >   space characters following the specification for URLs defined by WHATWG
 >   in response to CVE-2023-24329. Patch by Illia Volochii.

 > Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>

Committed, thanks.

-- 
Bye, Peter Korsgaard

* Re: [Buildroot] [PATCH 1/1] package/python3: security bump version to 3.11.4
  2023-06-18 11:41 ` Peter Korsgaard
@ 2023-07-06  9:24   ` Peter Korsgaard
  0 siblings, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2023-07-06  9:24 UTC (permalink / raw)
  To: Bernd Kuhls; +Cc: Thomas Petazzoni, Asaf Kahlon, buildroot

>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

>>>>> "Bernd" == Bernd Kuhls <bernd.kuhls@t-online.de> writes:
 >> Rebased two patches.
 >> Changelog:
 >> https://docs.python.org/release/3.11.4/whatsnew/changelog.html#python-3-11-4

 >> Fixes the following security problems:

 >> - gh-99889: Fixed a security flaw in uu.decode() that could allow for
 >> directory traversal based on the input if no out_file was specified.

 >> - gh-104049: Do not expose the local on-disk location in directory
 >> indexes produced by http.client.SimpleHTTPRequestHandler.

 >> - gh-102153: urllib.parse.urlsplit() now strips leading C0 control and
 >> space characters following the specification for URLs defined by WHATWG
 >> in response to CVE-2023-24329. Patch by Illia Volochii.

 >> Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>

 > Committed, thanks.

Committed to 2023.02.x and 2023.05.x, thanks.

-- 
Bye, Peter Korsgaard