* [dunfell 00/11] Patch review, July 5th
From: Armin Kuster @ 2021-07-06 14:53 UTC (permalink / raw)
  To: openembedded-devel

Please have comments back by Thursday

The following changes since commit c38d2a74f762a792046f3d3c377827b08aade513:

  dnsmasq: Add fixes for CVEs reported for dnsmasq (2021-05-29 11:41:45 -0700)

are available in the Git repository at:

  git://git.openembedded.org/meta-openembedded-contrib stable/dunfell-nut
  http://cgit.openembedded.org/meta-openembedded-contrib/log/?h=stable/dunfell-nut

Armin Kuster (1):
  dovecot: add CVE-2016-4983 to allowlist

Chen Qi (1):
  python3-django: upgrade to 2.2.20

Marek Vasut (1):
  nss: Fix build on Centos 7

Sekine Shigeki (1):
  add CVE-2011-2411 to allowlist

Stefan Ghinea (1):
  python3-django: fix CVE-2021-28658

Trevor Gamblin (5):
  python3-django: upgrade 2.2.7 -> 2.2.13
  python3-django: upgrade 2.2.13 -> 2.2.16
  python3-django: upgrade 2.2.20 -> 2.2.22
  python3-django: upgrade 2.2.22 -> 2.2.23
  python3-django: upgrade 2.2.23 -> 2.2.24

ito-yuichi@fujitsu.com (1):
  cyrus-sasl: add CVE-2020-8032 to allowlist

 meta-networking/recipes-connectivity/samba/samba_4.10.18.bb   | 4 ++++
 .../recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.27.bb           | 3 +++
 meta-networking/recipes-support/dovecot/dovecot_2.2.36.4.bb   | 3 +++
 meta-oe/recipes-support/nss/nss_3.51.1.bb                     | 2 ++
 .../{python3-django_2.2.7.bb => python3-django_2.2.24.bb}     | 4 ++--
 5 files changed, 14 insertions(+), 2 deletions(-)
 rename meta-python/recipes-devtools/python/{python3-django_2.2.7.bb => python3-django_2.2.24.bb} (41%)

-- 
2.25.1



* [dunfell 01/11] nss: Fix build on Centos 7
From: Armin Kuster @ 2021-07-06 14:53 UTC (permalink / raw)
  To: openembedded-devel

From: Marek Vasut <marex@denx.de>

Centos 7 has glibc 2.18 and nss-native build fails due to implicit
declaration of function putenv during build. This is because of the
Feature Test Macro Requirements for glibc (see feature_test_macros(7)):

  putenv(): _XOPEN_SOURCE
      || /* Glibc since 2.19: */ _DEFAULT_SOURCE
      || /* Glibc versions <= 2.19: */ _SVID_SOURCE

and because nss coreconf/Linux.mk only defines

 -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE

So on such a system with glibc 2.18, neither macro makes putenv()
available. Add -D_XOPEN_SOURCE for the Centos 7 and glibc 2.18
native build case.

Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Armin Kuster <akuster808@gmail.com>
Cc: Armin Kuster <akuster@mvista.com>
Cc: Khem Raj <raj.khem@gmail.com>
Cc: Richard Purdie <richard.purdie@linuxfoundation.org>
Cc: Ross Burton <ross.burton@arm.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta-oe/recipes-support/nss/nss_3.51.1.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta-oe/recipes-support/nss/nss_3.51.1.bb b/meta-oe/recipes-support/nss/nss_3.51.1.bb
index 0e127975b4..30370573d4 100644
--- a/meta-oe/recipes-support/nss/nss_3.51.1.bb
+++ b/meta-oe/recipes-support/nss/nss_3.51.1.bb
@@ -55,6 +55,8 @@ TUNE_CCARGS_remove = "-mcpu=cortex-a55+crc -mcpu=cortex-a55 -mcpu=cortex-a55+crc
 
 TARGET_CC_ARCH += "${LDFLAGS}"
 
+CFLAGS_append_class-native = " -D_XOPEN_SOURCE "
+
 do_configure_prepend_libc-musl () {
     sed -i -e '/-DHAVE_SYS_CDEFS_H/d' ${S}/nss/lib/dbm/config/config.mk
 }
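Review bot: `-D_XOPEN_SOURCE` with no value selects the XPG4 interface level, which is enough to declare putenv() on the glibc 2.18 host described in the message, but `-D_XOPEN_SOURCE=700` would state the intended level explicitly and read as deliberate next to the `-D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE` set that coreconf/Linux.mk already passes. The append is also unconditional for every class-native build rather than only a CentOS 7 host, so a one-line comment above `CFLAGS_append_class-native` saying why it is there would save the next reader a trip to the git log.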
-- 
2.25.1



* [dunfell 02/11] python3-django: upgrade 2.2.7 -> 2.2.13
From: Armin Kuster @ 2021-07-06 14:53 UTC (permalink / raw)
  To: openembedded-devel

From: Trevor Gamblin <trevor.gamblin@windriver.com>

Upgrade from 2.2.7 for:

- Bugfixes, including CVE-2020-13254, CVE-2020-13596, many
others;
- Official support for Python 3.8 (as of Django 2.2.8)

Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 8c4e201c6288e5fee7eef8f6eba576d4c426109c)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../{python3-django_2.2.7.bb => python3-django_2.2.13.bb}     | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 rename meta-python/recipes-devtools/python/{python3-django_2.2.7.bb => python3-django_2.2.13.bb} (41%)

diff --git a/meta-python/recipes-devtools/python/python3-django_2.2.7.bb b/meta-python/recipes-devtools/python/python3-django_2.2.13.bb
similarity index 41%
rename from meta-python/recipes-devtools/python/python3-django_2.2.7.bb
rename to meta-python/recipes-devtools/python/python3-django_2.2.13.bb
index e56453abc1..55eacdff2e 100644
--- a/meta-python/recipes-devtools/python/python3-django_2.2.7.bb
+++ b/meta-python/recipes-devtools/python/python3-django_2.2.13.bb
@@ -1,8 +1,8 @@
 require python-django.inc
 inherit setuptools3
 
-SRC_URI[md5sum] = "b0833024aac4c8240467e4dc91a12e9b"
-SRC_URI[sha256sum] = "16040e1288c6c9f68c6da2fe75ebde83c0a158f6f5d54f4c5177b0c1478c5b86"
+SRC_URI[md5sum] = "30c688af9b63c4800ef9b044e0dd4145"
+SRC_URI[sha256sum] = "84f370f6acedbe1f3c41e1a02de44ac206efda3355e427139ecb785b5f596d80"
 
 RDEPENDS_${PN} += "\
     ${PYTHON_PN}-sqlparse \
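Review bot: both `SRC_URI[md5sum]` and `SRC_URI[sha256sum]` move together, which is correct, but the md5sum line adds no integrity beyond the sha256sum and could be dropped in this rename rather than carried through the remaining bumps in this series; either way, confirm the new sha256sum against the upstream release artifact rather than a mirror before merging.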
-- 
2.25.1



* [dunfell 03/11] python3-django: upgrade 2.2.13 -> 2.2.16
From: Armin Kuster @ 2021-07-06 14:53 UTC (permalink / raw)
  To: openembedded-devel

From: Trevor Gamblin <trevor.gamblin@windriver.com>

Summary of release notes from https://docs.djangoproject.com/en/2.2/releases/

2.2.14 release notes:

- Fixed messages of InvalidCacheKey exceptions and CacheKeyWarning warnings
  raised by cache key validation (#31654).

2.2.15 release notes:

- Allowed setting the SameSite cookie flag in HttpResponse.delete_cookie()
  (#31790).
- Fixed crash when sending emails to addresses with display names longer than
  75 chars on Python 3.6.11+, 3.7.8+, and 3.8.4+ (#31784).

2.2.16 release notes:

- Fixed CVE-2020-24583: Incorrect permissions on intermediate-level directories
  on Python 3.7+
- Fixed CVE-2020-24584: Permission escalation in intermediate-level directories
  of the file system cache on Python 3.7+
- Fixed a data loss possibility in the select_for_update(). When using related
  fields pointing to a proxy model in the "of" argument, the corresponding model
  was not locked (#31866).
- Fixed a data loss possibility, following a regression in Django 2.0, when
  copying model instances with a cached fields value (#31863).

Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit eb69aad33fc06f06544589ec483f9b76464f6c5f)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../{python3-django_2.2.13.bb => python3-django_2.2.16.bb}    | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 rename meta-python/recipes-devtools/python/{python3-django_2.2.13.bb => python3-django_2.2.16.bb} (41%)

diff --git a/meta-python/recipes-devtools/python/python3-django_2.2.13.bb b/meta-python/recipes-devtools/python/python3-django_2.2.16.bb
similarity index 41%
rename from meta-python/recipes-devtools/python/python3-django_2.2.13.bb
rename to meta-python/recipes-devtools/python/python3-django_2.2.16.bb
index 55eacdff2e..0715abbd4c 100644
--- a/meta-python/recipes-devtools/python/python3-django_2.2.13.bb
+++ b/meta-python/recipes-devtools/python/python3-django_2.2.16.bb
@@ -1,8 +1,8 @@
 require python-django.inc
 inherit setuptools3
 
-SRC_URI[md5sum] = "30c688af9b63c4800ef9b044e0dd4145"
-SRC_URI[sha256sum] = "84f370f6acedbe1f3c41e1a02de44ac206efda3355e427139ecb785b5f596d80"
+SRC_URI[md5sum] = "93faf5bbd54a19ea49f4932a813b9758"
+SRC_URI[sha256sum] = "62cf45e5ee425c52e411c0742e641a6588b7e8af0d2c274a27940931b2786594"
 
 RDEPENDS_${PN} += "\
     ${PYTHON_PN}-sqlparse \
-- 
2.25.1



* [dunfell 04/11] python3-django: fix CVE-2021-28658
From: Armin Kuster @ 2021-07-06 14:53 UTC (permalink / raw)
  To: openembedded-devel

From: Stefan Ghinea <stefan.ghinea@windriver.com>

In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8,
MultiPartParser allowed directory traversal via uploaded files with
suitably crafted file names. Built-in upload handlers were not affected
by this vulnerability.

References:
https://nvd.nist.gov/vuln/detail/CVE-2021-28658

Upstream patches:
https://github.com/django/django/commit/4036d62bda0e9e9f6172943794b744a454ca49c2

Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit aef354a0c29a4c6aad4ace53190b5573c78d881b)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../CVE-2021-28658.patch                      | 289 ++++++++++++++++++
 .../python/python3-django_2.2.16.bb           |   2 +
 2 files changed, 291 insertions(+)
 create mode 100644 meta-python/recipes-devtools/python/python3-django-2.2.16/CVE-2021-28658.patch

diff --git a/meta-python/recipes-devtools/python/python3-django-2.2.16/CVE-2021-28658.patch b/meta-python/recipes-devtools/python/python3-django-2.2.16/CVE-2021-28658.patch
new file mode 100644
index 0000000000..325aa00420
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-django-2.2.16/CVE-2021-28658.patch
@@ -0,0 +1,289 @@
+From 4036d62bda0e9e9f6172943794b744a454ca49c2 Mon Sep 17 00:00:00 2001
+From: Mariusz Felisiak <felisiak.mariusz@gmail.com>
+Date: Tue, 16 Mar 2021 10:19:00 +0100
+Subject: [PATCH] Fixed CVE-2021-28658 -- Fixed potential directory-traversal
+ via uploaded files.
+
+Thanks Claude Paroz for the initial patch.
+Thanks Dennis Brinkrolf for the report.
+
+Backport of d4d800ca1addc4141e03c5440a849bb64d1582cd from main.
+
+Upstream-Status: Backport
+CVE: CVE-2021-28658
+
+Reference to upstream patch:
+[https://github.com/django/django/commit/4036d62bda0e9e9f6172943794b744a454ca49c2]
+
+[SG: Adapted stable/2.2.x patch for 2.2.16]
+Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
+---
+ django/http/multipartparser.py      | 13 ++++--
+ docs/releases/2.2.16.txt            | 12 +++++
+ tests/file_uploads/tests.py         | 72 ++++++++++++++++++++++-------
+ tests/file_uploads/uploadhandler.py | 31 +++++++++++++
+ tests/file_uploads/urls.py          |  1 +
+ tests/file_uploads/views.py         | 12 ++++-
+ 6 files changed, 120 insertions(+), 21 deletions(-)
+
+diff --git a/django/http/multipartparser.py b/django/http/multipartparser.py
+index f6f12ca..5a9cca8 100644
+--- a/django/http/multipartparser.py
++++ b/django/http/multipartparser.py
+@@ -7,6 +7,7 @@ file upload handlers for processing.
+ import base64
+ import binascii
+ import cgi
++import os
+ from urllib.parse import unquote
+ 
+ from django.conf import settings
+@@ -205,7 +206,7 @@ class MultiPartParser:
+                     file_name = disposition.get('filename')
+                     if file_name:
+                         file_name = force_text(file_name, encoding, errors='replace')
+-                        file_name = self.IE_sanitize(unescape_entities(file_name))
++                        file_name = self.sanitize_file_name(file_name)
+                     if not file_name:
+                         continue
+ 
+@@ -293,9 +294,13 @@ class MultiPartParser:
+                 self._files.appendlist(force_text(old_field_name, self._encoding, errors='replace'), file_obj)
+                 break
+ 
+-    def IE_sanitize(self, filename):
+-        """Cleanup filename from Internet Explorer full paths."""
+-        return filename and filename[filename.rfind("\\") + 1:].strip()
++    def sanitize_file_name(self, file_name):
++        file_name = unescape_entities(file_name)
++        # Cleanup Windows-style path separators.
++        file_name = file_name[file_name.rfind('\\') + 1:].strip()
++        return os.path.basename(file_name)
++
++    IE_sanitize = sanitize_file_name
+ 
+     def _close_files(self):
+         # Free up all file handles.
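Review bot: `IE_sanitize = sanitize_file_name` preserves the old name, but any external caller that kept the previous call shape `IE_sanitize(unescape_entities(file_name))` now decodes entities twice; the result still goes through `os.path.basename`, so it cannot reintroduce a directory component, but a short docstring on the alias noting that it now unescapes internally would prevent surprise. Note also that `os.path.basename` returns an empty string for a name that ends in a separator; that case is caught by the existing `if not file_name: continue` at the call site in the preceding hunk, so no further check is needed here.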
+diff --git a/docs/releases/2.2.16.txt b/docs/releases/2.2.16.txt
+index 31231fb..4b7021b 100644
+--- a/docs/releases/2.2.16.txt
++++ b/docs/releases/2.2.16.txt
+@@ -2,6 +2,18 @@
+ Django 2.2.16 release notes
+ ===========================
+ 
++*April 6, 2021*
++
++Backported from Django 2.2.20 a fix for a security issue.
++
++CVE-2021-28658: Potential directory-traversal via uploaded files
++================================================================
++
++``MultiPartParser`` allowed directory-traversal via uploaded files with
++suitably crafted file names.
++
++Built-in upload handlers were not affected by this vulnerability.
++
+ *September 1, 2020*
+ 
+ Django 2.2.16 fixes two security issues and two data loss bugs in 2.2.15.
+diff --git a/tests/file_uploads/tests.py b/tests/file_uploads/tests.py
+index ea4976d..2a08d1b 100644
+--- a/tests/file_uploads/tests.py
++++ b/tests/file_uploads/tests.py
+@@ -22,6 +22,21 @@ UNICODE_FILENAME = 'test-0123456789_中文_Orléans.jpg'
+ MEDIA_ROOT = sys_tempfile.mkdtemp()
+ UPLOAD_TO = os.path.join(MEDIA_ROOT, 'test_upload')
+ 
++CANDIDATE_TRAVERSAL_FILE_NAMES = [
++    '/tmp/hax0rd.txt',          # Absolute path, *nix-style.
++    'C:\\Windows\\hax0rd.txt',  # Absolute path, win-style.
++    'C:/Windows/hax0rd.txt',    # Absolute path, broken-style.
++    '\\tmp\\hax0rd.txt',        # Absolute path, broken in a different way.
++    '/tmp\\hax0rd.txt',         # Absolute path, broken by mixing.
++    'subdir/hax0rd.txt',        # Descendant path, *nix-style.
++    'subdir\\hax0rd.txt',       # Descendant path, win-style.
++    'sub/dir\\hax0rd.txt',      # Descendant path, mixed.
++    '../../hax0rd.txt',         # Relative path, *nix-style.
++    '..\\..\\hax0rd.txt',       # Relative path, win-style.
++    '../..\\hax0rd.txt',        # Relative path, mixed.
++    '..&#x2F;hax0rd.txt',       # HTML entities.
++]
++
+ 
+ @override_settings(MEDIA_ROOT=MEDIA_ROOT, ROOT_URLCONF='file_uploads.urls', MIDDLEWARE=[])
+ class FileUploadTests(TestCase):
+@@ -205,22 +220,8 @@ class FileUploadTests(TestCase):
+         # a malicious payload with an invalid file name (containing os.sep or
+         # os.pardir). This similar to what an attacker would need to do when
+         # trying such an attack.
+-        scary_file_names = [
+-            "/tmp/hax0rd.txt",          # Absolute path, *nix-style.
+-            "C:\\Windows\\hax0rd.txt",  # Absolute path, win-style.
+-            "C:/Windows/hax0rd.txt",    # Absolute path, broken-style.
+-            "\\tmp\\hax0rd.txt",        # Absolute path, broken in a different way.
+-            "/tmp\\hax0rd.txt",         # Absolute path, broken by mixing.
+-            "subdir/hax0rd.txt",        # Descendant path, *nix-style.
+-            "subdir\\hax0rd.txt",       # Descendant path, win-style.
+-            "sub/dir\\hax0rd.txt",      # Descendant path, mixed.
+-            "../../hax0rd.txt",         # Relative path, *nix-style.
+-            "..\\..\\hax0rd.txt",       # Relative path, win-style.
+-            "../..\\hax0rd.txt"         # Relative path, mixed.
+-        ]
+-
+         payload = client.FakePayload()
+-        for i, name in enumerate(scary_file_names):
++        for i, name in enumerate(CANDIDATE_TRAVERSAL_FILE_NAMES):
+             payload.write('\r\n'.join([
+                 '--' + client.BOUNDARY,
+                 'Content-Disposition: form-data; name="file%s"; filename="%s"' % (i, name),
+@@ -240,7 +241,7 @@ class FileUploadTests(TestCase):
+         response = self.client.request(**r)
+         # The filenames should have been sanitized by the time it got to the view.
+         received = response.json()
+-        for i, name in enumerate(scary_file_names):
++        for i, name in enumerate(CANDIDATE_TRAVERSAL_FILE_NAMES):
+             got = received["file%s" % i]
+             self.assertEqual(got, "hax0rd.txt")
+ 
+@@ -518,6 +519,36 @@ class FileUploadTests(TestCase):
+         # shouldn't differ.
+         self.assertEqual(os.path.basename(obj.testfile.path), 'MiXeD_cAsE.txt')
+ 
++    def test_filename_traversal_upload(self):
++        os.makedirs(UPLOAD_TO, exist_ok=True)
++        self.addCleanup(shutil.rmtree, MEDIA_ROOT)
++        file_name = '..&#x2F;test.txt',
++        payload = client.FakePayload()
++        payload.write(
++            '\r\n'.join([
++                '--' + client.BOUNDARY,
++                'Content-Disposition: form-data; name="my_file"; '
++                'filename="%s";' % file_name,
++                'Content-Type: text/plain',
++                '',
++                'file contents.\r\n',
++                '\r\n--' + client.BOUNDARY + '--\r\n',
++            ]),
++        )
++        r = {
++            'CONTENT_LENGTH': len(payload),
++            'CONTENT_TYPE': client.MULTIPART_CONTENT,
++            'PATH_INFO': '/upload_traversal/',
++            'REQUEST_METHOD': 'POST',
++            'wsgi.input': payload,
++        }
++        response = self.client.request(**r)
++        result = response.json()
++        self.assertEqual(response.status_code, 200)
++        self.assertEqual(result['file_name'], 'test.txt')
++        self.assertIs(os.path.exists(os.path.join(MEDIA_ROOT, 'test.txt')), False)
++        self.assertIs(os.path.exists(os.path.join(UPLOAD_TO, 'test.txt')), True)
++
+ 
+ @override_settings(MEDIA_ROOT=MEDIA_ROOT)
+ class DirectoryCreationTests(SimpleTestCase):
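Review bot: the trailing comma in `file_name = '..&#x2F;test.txt',` makes `file_name` a one-element tuple rather than a string; `'filename="%s";' % file_name` happens to unpack it, so the test still passes, but drop the comma so the value is what the name suggests. The two `os.path.exists` assertions on `MEDIA_ROOT` and `UPLOAD_TO` are the part that actually proves the entity-encoded `../` no longer escapes the upload directory; keep them if the test is ever slimmed down.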
+@@ -591,6 +622,15 @@ class MultiParserTests(SimpleTestCase):
+         }, StringIO('x'), [], 'utf-8')
+         self.assertEqual(multipart_parser._content_length, 0)
+ 
++    def test_sanitize_file_name(self):
++        parser = MultiPartParser({
++            'CONTENT_TYPE': 'multipart/form-data; boundary=_foo',
++            'CONTENT_LENGTH': '1'
++        }, StringIO('x'), [], 'utf-8')
++        for file_name in CANDIDATE_TRAVERSAL_FILE_NAMES:
++            with self.subTest(file_name=file_name):
++                self.assertEqual(parser.sanitize_file_name(file_name), 'hax0rd.txt')
++
+     def test_rfc2231_parsing(self):
+         test_data = (
+             (b"Content-Type: application/x-stuff; title*=us-ascii'en-us'This%20is%20%2A%2A%2Afun%2A%2A%2A",
+diff --git a/tests/file_uploads/uploadhandler.py b/tests/file_uploads/uploadhandler.py
+index 7c6199f..65d70c6 100644
+--- a/tests/file_uploads/uploadhandler.py
++++ b/tests/file_uploads/uploadhandler.py
+@@ -1,6 +1,8 @@
+ """
+ Upload handlers to test the upload API.
+ """
++import os
++from tempfile import NamedTemporaryFile
+ 
+ from django.core.files.uploadhandler import FileUploadHandler, StopUpload
+ 
+@@ -35,3 +37,32 @@ class ErroringUploadHandler(FileUploadHandler):
+     """A handler that raises an exception."""
+     def receive_data_chunk(self, raw_data, start):
+         raise CustomUploadError("Oops!")
++
++
++class TraversalUploadHandler(FileUploadHandler):
++    """A handler with potential directory-traversal vulnerability."""
++    def __init__(self, request=None):
++        from .views import UPLOAD_TO
++
++        super().__init__(request)
++        self.upload_dir = UPLOAD_TO
++
++    def file_complete(self, file_size):
++        self.file.seek(0)
++        self.file.size = file_size
++        with open(os.path.join(self.upload_dir, self.file_name), 'wb') as fp:
++            fp.write(self.file.read())
++        return self.file
++
++    def new_file(
++        self, field_name, file_name, content_type, content_length, charset=None,
++        content_type_extra=None,
++    ):
++        super().new_file(
++            file_name, file_name, content_length, content_length, charset,
++            content_type_extra,
++        )
++        self.file = NamedTemporaryFile(suffix='.upload', dir=self.upload_dir)
++
++    def receive_data_chunk(self, raw_data, start):
++        self.file.write(raw_data)
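Review bot: in `TraversalUploadHandler.new_file` the call `super().new_file(file_name, file_name, content_length, content_length, charset, content_type_extra)` passes `file_name` where the base class expects `field_name` and `content_length` where it expects `content_type`; the handler only reads `self.file_name` afterwards so the test is unaffected, but pass `field_name, file_name, content_type, content_length` to match the override's own signature a few lines above. This handler is the deliberately unsafe pattern the CVE text describes, a custom handler that joins `self.upload_dir` with the parser-supplied name, so it belongs only under tests/, as it is here.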
+diff --git a/tests/file_uploads/urls.py b/tests/file_uploads/urls.py
+index 3e7985d..eaac1da 100644
+--- a/tests/file_uploads/urls.py
++++ b/tests/file_uploads/urls.py
+@@ -4,6 +4,7 @@ from . import views
+ 
+ urlpatterns = [
+     path('upload/', views.file_upload_view),
++    path('upload_traversal/', views.file_upload_traversal_view),
+     path('verify/', views.file_upload_view_verify),
+     path('unicode_name/', views.file_upload_unicode_name),
+     path('echo/', views.file_upload_echo),
+diff --git a/tests/file_uploads/views.py b/tests/file_uploads/views.py
+index d4947e4..137c6f3 100644
+--- a/tests/file_uploads/views.py
++++ b/tests/file_uploads/views.py
+@@ -6,7 +6,9 @@ from django.http import HttpResponse, HttpResponseServerError, JsonResponse
+ 
+ from .models import FileModel
+ from .tests import UNICODE_FILENAME, UPLOAD_TO
+-from .uploadhandler import ErroringUploadHandler, QuotaUploadHandler
++from .uploadhandler import (
++    ErroringUploadHandler, QuotaUploadHandler, TraversalUploadHandler,
++)
+ 
+ 
+ def file_upload_view(request):
+@@ -158,3 +160,11 @@ def file_upload_fd_closing(request, access):
+     if access == 't':
+         request.FILES  # Trigger file parsing.
+     return HttpResponse('')
++
++
++def file_upload_traversal_view(request):
++    request.upload_handlers.insert(0, TraversalUploadHandler())
++    request.FILES  # Trigger file parsing.
++    return JsonResponse(
++        {'file_name': request.upload_handlers[0].file_name},
++    )
+-- 
+2.17.1
+
diff --git a/meta-python/recipes-devtools/python/python3-django_2.2.16.bb b/meta-python/recipes-devtools/python/python3-django_2.2.16.bb
index 0715abbd4c..eb626e8d3f 100644
--- a/meta-python/recipes-devtools/python/python3-django_2.2.16.bb
+++ b/meta-python/recipes-devtools/python/python3-django_2.2.16.bb
@@ -7,3 +7,5 @@ SRC_URI[sha256sum] = "62cf45e5ee425c52e411c0742e641a6588b7e8af0d2c274a27940931b2
 RDEPENDS_${PN} += "\
     ${PYTHON_PN}-sqlparse \
 "
+SRC_URI += "file://CVE-2021-28658.patch \
+"
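Review bot: the patch is picked up from `meta-python/recipes-devtools/python/python3-django-2.2.16/`, i.e. the default `${BPN}-${PV}` search directory, so no FILESEXTRAPATHS change is needed, but it also means the file has to move or be dropped on every version bump; patch 05/11 in this series drops it because 2.2.20 already carries the fix. The trailing-backslash continuation with the closing quote on its own line matches the `RDEPENDS_${PN}` style just above, so no style concern.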
-- 
2.25.1
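The sanitizer change in the patch above, as an added example that is not Django's code and not part of this recipe: the pre-fix and post-fix file-name sanitizers are reimplemented stand-alone and run over the patch's own traversal test vectors, with a containment check a custom upload handler can apply on top. Assumptions: `html.unescape` stands in for Django's `unescape_entities`, and `/srv/uploads` is a constructed directory name.

```python
import html
import os

# The traversal candidates from the patch's tests/file_uploads/tests.py.
CANDIDATE_TRAVERSAL_FILE_NAMES = [
    '/tmp/hax0rd.txt',          # Absolute path, *nix-style.
    'C:\\Windows\\hax0rd.txt',  # Absolute path, win-style.
    'C:/Windows/hax0rd.txt',    # Absolute path, broken-style.
    '\\tmp\\hax0rd.txt',        # Absolute path, broken in a different way.
    '/tmp\\hax0rd.txt',         # Absolute path, broken by mixing.
    'subdir/hax0rd.txt',        # Descendant path, *nix-style.
    'subdir\\hax0rd.txt',       # Descendant path, win-style.
    'sub/dir\\hax0rd.txt',      # Descendant path, mixed.
    '../../hax0rd.txt',         # Relative path, *nix-style.
    '..\\..\\hax0rd.txt',       # Relative path, win-style.
    '../..\\hax0rd.txt',        # Relative path, mixed.
    '..&#x2F;hax0rd.txt',       # HTML entities.
]


def ie_sanitize_legacy(file_name):
    """Pre-fix behaviour: MultiPartParser called
    IE_sanitize(unescape_entities(name)), which only drops a Windows-style
    directory prefix.  Forward slashes and '..' survive untouched.
    (html.unescape is assumed equivalent to unescape_entities here.)"""
    file_name = html.unescape(file_name)
    return file_name and file_name[file_name.rfind('\\') + 1:].strip()


def sanitize_file_name(file_name):
    """Post-fix behaviour from the patch: decode entities, drop the
    backslash prefix, then take os.path.basename so no directory component
    of any style remains."""
    file_name = html.unescape(file_name)
    file_name = file_name[file_name.rfind('\\') + 1:].strip()
    return os.path.basename(file_name)


def names_escaping(sanitizer):
    """Return the candidates for which `sanitizer` still leaves a path
    component, i.e. the ones a handler doing
    os.path.join(upload_dir, name) would be tricked by."""
    return [n for n in CANDIDATE_TRAVERSAL_FILE_NAMES
            if sanitizer(n) != 'hax0rd.txt']


def stays_inside(upload_dir, file_name):
    """Defence in depth for a custom upload handler (the pattern of the
    patch's TraversalUploadHandler): refuse any name whose resolved path
    leaves upload_dir, independent of what the parser did upstream."""
    root = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(root, file_name))
    return os.path.commonpath([root, target]) == root and target != root


if __name__ == '__main__':
    print('legacy IE_sanitize still lets through:',
          names_escaping(ie_sanitize_legacy))
    print('sanitize_file_name lets through:',
          names_escaping(sanitize_file_name))
    # /srv/uploads is a constructed directory name; it need not exist.
    for name in ('hax0rd.txt', '../../hax0rd.txt', '/tmp/hax0rd.txt'):
        print(repr(name), 'stays inside /srv/uploads:',
              stays_inside('/srv/uploads', name))
```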



* [dunfell 05/11] python3-django: upgrade to 2.2.20
From: Armin Kuster @ 2021-07-06 14:53 UTC (permalink / raw)
  To: openembedded-devel

From: Chen Qi <Qi.Chen@windriver.com>

2.2.x is LTS, so upgrade to latest release 2.2.20.
This upgrade fixes several CVEs such as CVE-2021-3281.

Also, CVE-2021-28658.patch is dropped as it's already in 2.2.20.

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit e705d4932a57d0dc3a961fed73ae5ad2e0313429)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../CVE-2021-28658.patch                      | 289 ------------------
 .../python/python3-django_2.2.16.bb           |  11 -
 .../python/python3-django_2.2.20.bb           |   9 +
 3 files changed, 9 insertions(+), 300 deletions(-)
 delete mode 100644 meta-python/recipes-devtools/python/python3-django-2.2.16/CVE-2021-28658.patch
 delete mode 100644 meta-python/recipes-devtools/python/python3-django_2.2.16.bb
 create mode 100644 meta-python/recipes-devtools/python/python3-django_2.2.20.bb

diff --git a/meta-python/recipes-devtools/python/python3-django-2.2.16/CVE-2021-28658.patch b/meta-python/recipes-devtools/python/python3-django-2.2.16/CVE-2021-28658.patch
deleted file mode 100644
index 325aa00420..0000000000
--- a/meta-python/recipes-devtools/python/python3-django-2.2.16/CVE-2021-28658.patch
+++ /dev/null
@@ -1,289 +0,0 @@
-From 4036d62bda0e9e9f6172943794b744a454ca49c2 Mon Sep 17 00:00:00 2001
-From: Mariusz Felisiak <felisiak.mariusz@gmail.com>
-Date: Tue, 16 Mar 2021 10:19:00 +0100
-Subject: [PATCH] Fixed CVE-2021-28658 -- Fixed potential directory-traversal
- via uploaded files.
-
-Thanks Claude Paroz for the initial patch.
-Thanks Dennis Brinkrolf for the report.
-
-Backport of d4d800ca1addc4141e03c5440a849bb64d1582cd from main.
-
-Upstream-Status: Backport
-CVE: CVE-2021-28658
-
-Reference to upstream patch:
-[https://github.com/django/django/commit/4036d62bda0e9e9f6172943794b744a454ca49c2]
-
-[SG: Adapted stable/2.2.x patch for 2.2.16]
-Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
----
- django/http/multipartparser.py      | 13 ++++--
- docs/releases/2.2.16.txt            | 12 +++++
- tests/file_uploads/tests.py         | 72 ++++++++++++++++++++++-------
- tests/file_uploads/uploadhandler.py | 31 +++++++++++++
- tests/file_uploads/urls.py          |  1 +
- tests/file_uploads/views.py         | 12 ++++-
- 6 files changed, 120 insertions(+), 21 deletions(-)
-
-diff --git a/django/http/multipartparser.py b/django/http/multipartparser.py
-index f6f12ca..5a9cca8 100644
---- a/django/http/multipartparser.py
-+++ b/django/http/multipartparser.py
-@@ -7,6 +7,7 @@ file upload handlers for processing.
- import base64
- import binascii
- import cgi
-+import os
- from urllib.parse import unquote
- 
- from django.conf import settings
-@@ -205,7 +206,7 @@ class MultiPartParser:
-                     file_name = disposition.get('filename')
-                     if file_name:
-                         file_name = force_text(file_name, encoding, errors='replace')
--                        file_name = self.IE_sanitize(unescape_entities(file_name))
-+                        file_name = self.sanitize_file_name(file_name)
-                     if not file_name:
-                         continue
- 
-@@ -293,9 +294,13 @@ class MultiPartParser:
-                 self._files.appendlist(force_text(old_field_name, self._encoding, errors='replace'), file_obj)
-                 break
- 
--    def IE_sanitize(self, filename):
--        """Cleanup filename from Internet Explorer full paths."""
--        return filename and filename[filename.rfind("\\") + 1:].strip()
-+    def sanitize_file_name(self, file_name):
-+        file_name = unescape_entities(file_name)
-+        # Cleanup Windows-style path separators.
-+        file_name = file_name[file_name.rfind('\\') + 1:].strip()
-+        return os.path.basename(file_name)
-+
-+    IE_sanitize = sanitize_file_name
- 
-     def _close_files(self):
-         # Free up all file handles.
-diff --git a/docs/releases/2.2.16.txt b/docs/releases/2.2.16.txt
-index 31231fb..4b7021b 100644
---- a/docs/releases/2.2.16.txt
-+++ b/docs/releases/2.2.16.txt
-@@ -2,6 +2,18 @@
- Django 2.2.16 release notes
- ===========================
- 
-+*April 6, 2021*
-+
-+Backported from Django 2.2.20 a fix for a security issue.
-+
-+CVE-2021-28658: Potential directory-traversal via uploaded files
-+================================================================
-+
-+``MultiPartParser`` allowed directory-traversal via uploaded files with
-+suitably crafted file names.
-+
-+Built-in upload handlers were not affected by this vulnerability.
-+
- *September 1, 2020*
- 
- Django 2.2.16 fixes two security issues and two data loss bugs in 2.2.15.
-diff --git a/tests/file_uploads/tests.py b/tests/file_uploads/tests.py
-index ea4976d..2a08d1b 100644
---- a/tests/file_uploads/tests.py
-+++ b/tests/file_uploads/tests.py
-@@ -22,6 +22,21 @@ UNICODE_FILENAME = 'test-0123456789_中文_Orléans.jpg'
- MEDIA_ROOT = sys_tempfile.mkdtemp()
- UPLOAD_TO = os.path.join(MEDIA_ROOT, 'test_upload')
- 
-+CANDIDATE_TRAVERSAL_FILE_NAMES = [
-+    '/tmp/hax0rd.txt',          # Absolute path, *nix-style.
-+    'C:\\Windows\\hax0rd.txt',  # Absolute path, win-style.
-+    'C:/Windows/hax0rd.txt',    # Absolute path, broken-style.
-+    '\\tmp\\hax0rd.txt',        # Absolute path, broken in a different way.
-+    '/tmp\\hax0rd.txt',         # Absolute path, broken by mixing.
-+    'subdir/hax0rd.txt',        # Descendant path, *nix-style.
-+    'subdir\\hax0rd.txt',       # Descendant path, win-style.
-+    'sub/dir\\hax0rd.txt',      # Descendant path, mixed.
-+    '../../hax0rd.txt',         # Relative path, *nix-style.
-+    '..\\..\\hax0rd.txt',       # Relative path, win-style.
-+    '../..\\hax0rd.txt',        # Relative path, mixed.
-+    '..&#x2F;hax0rd.txt',       # HTML entities.
-+]
-+
- 
- @override_settings(MEDIA_ROOT=MEDIA_ROOT, ROOT_URLCONF='file_uploads.urls', MIDDLEWARE=[])
- class FileUploadTests(TestCase):
-@@ -205,22 +220,8 @@ class FileUploadTests(TestCase):
-         # a malicious payload with an invalid file name (containing os.sep or
-         # os.pardir). This similar to what an attacker would need to do when
-         # trying such an attack.
--        scary_file_names = [
--            "/tmp/hax0rd.txt",          # Absolute path, *nix-style.
--            "C:\\Windows\\hax0rd.txt",  # Absolute path, win-style.
--            "C:/Windows/hax0rd.txt",    # Absolute path, broken-style.
--            "\\tmp\\hax0rd.txt",        # Absolute path, broken in a different way.
--            "/tmp\\hax0rd.txt",         # Absolute path, broken by mixing.
--            "subdir/hax0rd.txt",        # Descendant path, *nix-style.
--            "subdir\\hax0rd.txt",       # Descendant path, win-style.
--            "sub/dir\\hax0rd.txt",      # Descendant path, mixed.
--            "../../hax0rd.txt",         # Relative path, *nix-style.
--            "..\\..\\hax0rd.txt",       # Relative path, win-style.
--            "../..\\hax0rd.txt"         # Relative path, mixed.
--        ]
--
-         payload = client.FakePayload()
--        for i, name in enumerate(scary_file_names):
-+        for i, name in enumerate(CANDIDATE_TRAVERSAL_FILE_NAMES):
-             payload.write('\r\n'.join([
-                 '--' + client.BOUNDARY,
-                 'Content-Disposition: form-data; name="file%s"; filename="%s"' % (i, name),
-@@ -240,7 +241,7 @@ class FileUploadTests(TestCase):
-         response = self.client.request(**r)
-         # The filenames should have been sanitized by the time it got to the view.
-         received = response.json()
--        for i, name in enumerate(scary_file_names):
-+        for i, name in enumerate(CANDIDATE_TRAVERSAL_FILE_NAMES):
-             got = received["file%s" % i]
-             self.assertEqual(got, "hax0rd.txt")
- 
-@@ -518,6 +519,36 @@ class FileUploadTests(TestCase):
-         # shouldn't differ.
-         self.assertEqual(os.path.basename(obj.testfile.path), 'MiXeD_cAsE.txt')
- 
-+    def test_filename_traversal_upload(self):
-+        os.makedirs(UPLOAD_TO, exist_ok=True)
-+        self.addCleanup(shutil.rmtree, MEDIA_ROOT)
-+        file_name = '..&#x2F;test.txt',
-+        payload = client.FakePayload()
-+        payload.write(
-+            '\r\n'.join([
-+                '--' + client.BOUNDARY,
-+                'Content-Disposition: form-data; name="my_file"; '
-+                'filename="%s";' % file_name,
-+                'Content-Type: text/plain',
-+                '',
-+                'file contents.\r\n',
-+                '\r\n--' + client.BOUNDARY + '--\r\n',
-+            ]),
-+        )
-+        r = {
-+            'CONTENT_LENGTH': len(payload),
-+            'CONTENT_TYPE': client.MULTIPART_CONTENT,
-+            'PATH_INFO': '/upload_traversal/',
-+            'REQUEST_METHOD': 'POST',
-+            'wsgi.input': payload,
-+        }
-+        response = self.client.request(**r)
-+        result = response.json()
-+        self.assertEqual(response.status_code, 200)
-+        self.assertEqual(result['file_name'], 'test.txt')
-+        self.assertIs(os.path.exists(os.path.join(MEDIA_ROOT, 'test.txt')), False)
-+        self.assertIs(os.path.exists(os.path.join(UPLOAD_TO, 'test.txt')), True)
-+
- 
- @override_settings(MEDIA_ROOT=MEDIA_ROOT)
- class DirectoryCreationTests(SimpleTestCase):
-@@ -591,6 +622,15 @@ class MultiParserTests(SimpleTestCase):
-         }, StringIO('x'), [], 'utf-8')
-         self.assertEqual(multipart_parser._content_length, 0)
- 
-+    def test_sanitize_file_name(self):
-+        parser = MultiPartParser({
-+            'CONTENT_TYPE': 'multipart/form-data; boundary=_foo',
-+            'CONTENT_LENGTH': '1'
-+        }, StringIO('x'), [], 'utf-8')
-+        for file_name in CANDIDATE_TRAVERSAL_FILE_NAMES:
-+            with self.subTest(file_name=file_name):
-+                self.assertEqual(parser.sanitize_file_name(file_name), 'hax0rd.txt')
-+
-     def test_rfc2231_parsing(self):
-         test_data = (
-             (b"Content-Type: application/x-stuff; title*=us-ascii'en-us'This%20is%20%2A%2A%2Afun%2A%2A%2A",
-diff --git a/tests/file_uploads/uploadhandler.py b/tests/file_uploads/uploadhandler.py
-index 7c6199f..65d70c6 100644
---- a/tests/file_uploads/uploadhandler.py
-+++ b/tests/file_uploads/uploadhandler.py
-@@ -1,6 +1,8 @@
- """
- Upload handlers to test the upload API.
- """
-+import os
-+from tempfile import NamedTemporaryFile
- 
- from django.core.files.uploadhandler import FileUploadHandler, StopUpload
- 
-@@ -35,3 +37,32 @@ class ErroringUploadHandler(FileUploadHandler):
-     """A handler that raises an exception."""
-     def receive_data_chunk(self, raw_data, start):
-         raise CustomUploadError("Oops!")
-+
-+
-+class TraversalUploadHandler(FileUploadHandler):
-+    """A handler with potential directory-traversal vulnerability."""
-+    def __init__(self, request=None):
-+        from .views import UPLOAD_TO
-+
-+        super().__init__(request)
-+        self.upload_dir = UPLOAD_TO
-+
-+    def file_complete(self, file_size):
-+        self.file.seek(0)
-+        self.file.size = file_size
-+        with open(os.path.join(self.upload_dir, self.file_name), 'wb') as fp:
-+            fp.write(self.file.read())
-+        return self.file
-+
-+    def new_file(
-+        self, field_name, file_name, content_type, content_length, charset=None,
-+        content_type_extra=None,
-+    ):
-+        super().new_file(
-+            file_name, file_name, content_length, content_length, charset,
-+            content_type_extra,
-+        )
-+        self.file = NamedTemporaryFile(suffix='.upload', dir=self.upload_dir)
-+
-+    def receive_data_chunk(self, raw_data, start):
-+        self.file.write(raw_data)
-diff --git a/tests/file_uploads/urls.py b/tests/file_uploads/urls.py
-index 3e7985d..eaac1da 100644
---- a/tests/file_uploads/urls.py
-+++ b/tests/file_uploads/urls.py
-@@ -4,6 +4,7 @@ from . import views
- 
- urlpatterns = [
-     path('upload/', views.file_upload_view),
-+    path('upload_traversal/', views.file_upload_traversal_view),
-     path('verify/', views.file_upload_view_verify),
-     path('unicode_name/', views.file_upload_unicode_name),
-     path('echo/', views.file_upload_echo),
-diff --git a/tests/file_uploads/views.py b/tests/file_uploads/views.py
-index d4947e4..137c6f3 100644
---- a/tests/file_uploads/views.py
-+++ b/tests/file_uploads/views.py
-@@ -6,7 +6,9 @@ from django.http import HttpResponse, HttpResponseServerError, JsonResponse
- 
- from .models import FileModel
- from .tests import UNICODE_FILENAME, UPLOAD_TO
--from .uploadhandler import ErroringUploadHandler, QuotaUploadHandler
-+from .uploadhandler import (
-+    ErroringUploadHandler, QuotaUploadHandler, TraversalUploadHandler,
-+)
- 
- 
- def file_upload_view(request):
-@@ -158,3 +160,11 @@ def file_upload_fd_closing(request, access):
-     if access == 't':
-         request.FILES  # Trigger file parsing.
-     return HttpResponse('')
-+
-+
-+def file_upload_traversal_view(request):
-+    request.upload_handlers.insert(0, TraversalUploadHandler())
-+    request.FILES  # Trigger file parsing.
-+    return JsonResponse(
-+        {'file_name': request.upload_handlers[0].file_name},
-+    )
--- 
-2.17.1
-
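Review bot: two defects in the removed test code should not be carried over if this backport is ever reinstated on another branch: `file_name = '..&#x2F;test.txt',` ends with a comma, so file_name is a one-element tuple and the request only works because the following `'filename="%s";' % file_name` happens to unpack it; and `TraversalUploadHandler.new_file` forwards `file_name, file_name, content_length, content_length, charset, content_type_extra` to `super().new_file`, passing file_name as field_name and content_length as content_type. Neither changes what the assertions check, since the test only inspects the sanitized name and where the file landed, but both are misleading in a regression test for a path-traversal fix.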
diff --git a/meta-python/recipes-devtools/python/python3-django_2.2.16.bb b/meta-python/recipes-devtools/python/python3-django_2.2.16.bb
deleted file mode 100644
index eb626e8d3f..0000000000
--- a/meta-python/recipes-devtools/python/python3-django_2.2.16.bb
+++ /dev/null
@@ -1,11 +0,0 @@
-require python-django.inc
-inherit setuptools3
-
-SRC_URI[md5sum] = "93faf5bbd54a19ea49f4932a813b9758"
-SRC_URI[sha256sum] = "62cf45e5ee425c52e411c0742e641a6588b7e8af0d2c274a27940931b2786594"
-
-RDEPENDS_${PN} += "\
-    ${PYTHON_PN}-sqlparse \
-"
-SRC_URI += "file://CVE-2021-28658.patch \
-"
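Review bot: removing `SRC_URI += "file://CVE-2021-28658.patch"` together with this recipe also removes the signal cve-check uses to mark CVE-2021-28658 as patched (it matches the CVE id in the patch file name); after this change the status rests entirely on the NVD version range covering 2.2.20, so the commit message should state that 2.2.20 carries the upstream fix, and a cve-check run against the replacement recipe should be confirmed clean for this id before merge.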
diff --git a/meta-python/recipes-devtools/python/python3-django_2.2.20.bb b/meta-python/recipes-devtools/python/python3-django_2.2.20.bb
new file mode 100644
index 0000000000..905d022a4f
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-django_2.2.20.bb
@@ -0,0 +1,9 @@
+require python-django.inc
+inherit setuptools3
+
+SRC_URI[md5sum] = "947060d96ccc0a05e8049d839e541b25"
+SRC_URI[sha256sum] = "2569f9dc5f8e458a5e988b03d6b7a02bda59b006d6782f4ea0fd590ed7336a64"
+
+RDEPENDS_${PN} += "\
+    ${PYTHON_PN}-sqlparse \
+"
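Review bot: the md5sum line adds nothing once sha256sum is present; consider listing only `SRC_URI[sha256sum]` in the new recipe so the integrity check rests on a single collision-resistant hash, and note in the commit message where the sha256 value was taken from (the PyPI sdist or the upstream release announcement) so a reviewer can re-verify it.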
-- 
2.25.1


* [dunfell 06/11] python3-django: upgrade 2.2.20 -> 2.2.22
  2021-07-06 14:53 [dunfell 00/11] Patch review, July 5th Armin Kuster
                   ` (4 preceding siblings ...)
  2021-07-06 14:53 ` [dunfell 05/11] python3-django: upgrade to 2.2.20 Armin Kuster
@ 2021-07-06 14:53 ` Armin Kuster
  2021-07-06 14:53 ` [dunfell 07/11] python3-django: upgrade 2.2.22 -> 2.2.23 Armin Kuster
                   ` (4 subsequent siblings)
  10 siblings, 0 replies; 12+ messages in thread
From: Armin Kuster @ 2021-07-06 14:53 UTC (permalink / raw)
  To: openembedded-devel

From: Trevor Gamblin <trevor.gamblin@windriver.com>

Version 2.2.22 includes a fix for CVE-2021-32052.

Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
(cherry picked from commit b26099fc156961ba252c3b6281f09799e91347ba)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit f3758cb44486ce87c96b803efb2b5417a8e90708)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../{python3-django_2.2.20.bb => python3-django_2.2.22.bb}    | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 rename meta-python/recipes-devtools/python/{python3-django_2.2.20.bb => python3-django_2.2.22.bb} (41%)

diff --git a/meta-python/recipes-devtools/python/python3-django_2.2.20.bb b/meta-python/recipes-devtools/python/python3-django_2.2.22.bb
similarity index 41%
rename from meta-python/recipes-devtools/python/python3-django_2.2.20.bb
rename to meta-python/recipes-devtools/python/python3-django_2.2.22.bb
index 905d022a4f..a0b8840259 100644
--- a/meta-python/recipes-devtools/python/python3-django_2.2.20.bb
+++ b/meta-python/recipes-devtools/python/python3-django_2.2.22.bb
@@ -1,8 +1,8 @@
 require python-django.inc
 inherit setuptools3
 
-SRC_URI[md5sum] = "947060d96ccc0a05e8049d839e541b25"
-SRC_URI[sha256sum] = "2569f9dc5f8e458a5e988b03d6b7a02bda59b006d6782f4ea0fd590ed7336a64"
+SRC_URI[md5sum] = "dca447b605dcabd924ac7ba17680cf73"
+SRC_URI[sha256sum] = "db2214db1c99017cbd971e58824e6f424375154fe358afc30e976f5b99fc6060"
 
 RDEPENDS_${PN} += "\
     ${PYTHON_PN}-sqlparse \
-- 
2.25.1


* [dunfell 07/11] python3-django: upgrade 2.2.22 -> 2.2.23
  2021-07-06 14:53 [dunfell 00/11] Patch review, July 5th Armin Kuster
                   ` (5 preceding siblings ...)
  2021-07-06 14:53 ` [dunfell 06/11] python3-django: upgrade 2.2.20 -> 2.2.22 Armin Kuster
@ 2021-07-06 14:53 ` Armin Kuster
  2021-07-06 14:53 ` [dunfell 08/11] python3-django: upgrade 2.2.23 -> 2.2.24 Armin Kuster
                   ` (3 subsequent siblings)
  10 siblings, 0 replies; 12+ messages in thread
From: Armin Kuster @ 2021-07-06 14:53 UTC (permalink / raw)
  To: openembedded-devel

From: Trevor Gamblin <trevor.gamblin@windriver.com>

2.2.23 is a bugfix release:

- Fixed a regression in Django 2.2.21 where saving FileField would raise a
  SuspiciousFileOperation even when a custom upload_to returns a valid
  file path (#32718).

Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
(cherry picked from commit f07a8c1376fe9f5eb4fc0ddff8ca1a1b3c3f173b)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit b2716ef06a76854497de80c642bf7f63b07f7a6c)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../{python3-django_2.2.22.bb => python3-django_2.2.23.bb}    | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 rename meta-python/recipes-devtools/python/{python3-django_2.2.22.bb => python3-django_2.2.23.bb} (41%)

diff --git a/meta-python/recipes-devtools/python/python3-django_2.2.22.bb b/meta-python/recipes-devtools/python/python3-django_2.2.23.bb
similarity index 41%
rename from meta-python/recipes-devtools/python/python3-django_2.2.22.bb
rename to meta-python/recipes-devtools/python/python3-django_2.2.23.bb
index a0b8840259..ab4b68fc87 100644
--- a/meta-python/recipes-devtools/python/python3-django_2.2.22.bb
+++ b/meta-python/recipes-devtools/python/python3-django_2.2.23.bb
@@ -1,8 +1,8 @@
 require python-django.inc
 inherit setuptools3
 
-SRC_URI[md5sum] = "dca447b605dcabd924ac7ba17680cf73"
-SRC_URI[sha256sum] = "db2214db1c99017cbd971e58824e6f424375154fe358afc30e976f5b99fc6060"
+SRC_URI[md5sum] = "d72405637143e201b745714e300bb546"
+SRC_URI[sha256sum] = "12cfc045a4ccb2348719aaaa77b17e66a26bff9fc238b4c765a3e825ef92e414"
 
 RDEPENDS_${PN} += "\
     ${PYTHON_PN}-sqlparse \
-- 
2.25.1


* [dunfell 08/11] python3-django: upgrade 2.2.23 -> 2.2.24
  2021-07-06 14:53 [dunfell 00/11] Patch review, July 5th Armin Kuster
                   ` (6 preceding siblings ...)
  2021-07-06 14:53 ` [dunfell 07/11] python3-django: upgrade 2.2.22 -> 2.2.23 Armin Kuster
@ 2021-07-06 14:53 ` Armin Kuster
  2021-07-06 14:53 ` [dunfell 09/11] add CVE-2011-2411 to allowlist Armin Kuster
                   ` (2 subsequent siblings)
  10 siblings, 0 replies; 12+ messages in thread
From: Armin Kuster @ 2021-07-06 14:53 UTC (permalink / raw)
  To: openembedded-devel

From: Trevor Gamblin <trevor.gamblin@windriver.com>

Version 2.2.24 contains a fix for CVE-2021-33571 and is the latest LTS
release.

Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit fa2d3338fb87a38a66d11735b876ce2320045b0d)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit c51e79dd854460c6f6949a187970d05362152e84)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../{python3-django_2.2.23.bb => python3-django_2.2.24.bb}    | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 rename meta-python/recipes-devtools/python/{python3-django_2.2.23.bb => python3-django_2.2.24.bb} (41%)

diff --git a/meta-python/recipes-devtools/python/python3-django_2.2.23.bb b/meta-python/recipes-devtools/python/python3-django_2.2.24.bb
similarity index 41%
rename from meta-python/recipes-devtools/python/python3-django_2.2.23.bb
rename to meta-python/recipes-devtools/python/python3-django_2.2.24.bb
index ab4b68fc87..964ca6ba03 100644
--- a/meta-python/recipes-devtools/python/python3-django_2.2.23.bb
+++ b/meta-python/recipes-devtools/python/python3-django_2.2.24.bb
@@ -1,8 +1,8 @@
 require python-django.inc
 inherit setuptools3
 
-SRC_URI[md5sum] = "d72405637143e201b745714e300bb546"
-SRC_URI[sha256sum] = "12cfc045a4ccb2348719aaaa77b17e66a26bff9fc238b4c765a3e825ef92e414"
+SRC_URI[md5sum] = "ebf3bbb7716a7b11029e860475b9a122"
+SRC_URI[sha256sum] = "3339ff0e03dee13045aef6ae7b523edff75b6d726adf7a7a48f53d5a501f7db7"
 
 RDEPENDS_${PN} += "\
     ${PYTHON_PN}-sqlparse \
-- 
2.25.1


* [dunfell 09/11] add CVE-2011-2411 to allowlist
  2021-07-06 14:53 [dunfell 00/11] Patch review, July 5th Armin Kuster
                   ` (7 preceding siblings ...)
  2021-07-06 14:53 ` [dunfell 08/11] python3-django: upgrade 2.2.23 -> 2.2.24 Armin Kuster
@ 2021-07-06 14:53 ` Armin Kuster
  2021-07-06 14:53 ` [dunfell 10/11] cyrus-sasl: add CVE-2020-8032 " Armin Kuster
  2021-07-06 14:53 ` [dunfell 11/11] dovecot: add CVE-2016-4983 " Armin Kuster
  10 siblings, 0 replies; 12+ messages in thread
From: Armin Kuster @ 2021-07-06 14:53 UTC (permalink / raw)
  To: openembedded-devel

From: Sekine Shigeki <sekine.shigeki@fujitsu.com>

This affects only HP NonStop Server, so add it to the allowlist.

Signed-off-by: Sekine Shigeki <sekine.shigeki@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit bb4a4f0ff8d9926137cb152fd3f2808bd9f961ce)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit d614d160a10b3c5ac36702fbd433f98925a9aa8e)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta-networking/recipes-connectivity/samba/samba_4.10.18.bb | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/meta-networking/recipes-connectivity/samba/samba_4.10.18.bb b/meta-networking/recipes-connectivity/samba/samba_4.10.18.bb
index 1a982368ec..d7b5864715 100644
--- a/meta-networking/recipes-connectivity/samba/samba_4.10.18.bb
+++ b/meta-networking/recipes-connectivity/samba/samba_4.10.18.bb
@@ -44,6 +44,10 @@ SRC_URI[sha256sum] = "7dcfc2aaaac565b959068788e6a43fc79ce2a03e7d523f5843f7a9fddf
 UPSTREAM_CHECK_REGEX = "samba\-(?P<pver>4\.10(\.\d+)+).tar.gz"
 
 inherit systemd waf-samba cpan-base perlnative update-rc.d
+
+# CVE-2011-2411 is valnerble only on HP NonStop Servers.
+CVE_CHECK_WHITELIST += "CVE-2011-2411" 
+
 # remove default added RDEPENDS on perl
 RDEPENDS_${PN}_remove = "perl"
 
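Review bot: the comment in this hunk has a typo, `valnerble` should read `vulnerable`, and the `CVE_CHECK_WHITELIST += "CVE-2011-2411"` line carries trailing whitespace after the closing quote. The justification should also say why the NonStop-only assessment holds for this recipe (a reference to the advisory would do), since the whitelist entry will outlive this commit message; the subject line is also missing the `samba:` prefix that the other patches in the series use.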
-- 
2.25.1


* [dunfell 10/11] cyrus-sasl: add CVE-2020-8032 to allowlist
  2021-07-06 14:53 [dunfell 00/11] Patch review, July 5th Armin Kuster
                   ` (8 preceding siblings ...)
  2021-07-06 14:53 ` [dunfell 09/11] add CVE-2011-2411 to allowlist Armin Kuster
@ 2021-07-06 14:53 ` Armin Kuster
  2021-07-06 14:53 ` [dunfell 11/11] dovecot: add CVE-2016-4983 " Armin Kuster
  10 siblings, 0 replies; 12+ messages in thread
From: Armin Kuster @ 2021-07-06 14:53 UTC (permalink / raw)
  To: openembedded-devel

From: "ito-yuichi@fujitsu.com" <ito-yuichi@fujitsu.com>

This affects only openSUSE, so add it to the allowlist.

Signed-off-by: Yuichi Ito <ito-yuichi@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 711e932b14de57a5f341124470b2f3f131615a25)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 26819375448077265cd4c9dbb88b6be08b899e3f)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.27.bb            | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.27.bb b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.27.bb
index d55dc4ab7e..d3983eb1ae 100644
--- a/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.27.bb
+++ b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.27.bb
@@ -96,3 +96,6 @@ FILES_${PN}-dbg       += "${libdir}/sasl2/.debug"
 FILES_${PN}-staticdev += "${libdir}/sasl2/*.a"
 
 INSANE_SKIP_${PN} += "dev-so"
+
+# CVE-2020-8032 affects only openSUSE
+CVE_CHECK_WHITELIST += "CVE-2020-8032"
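Review bot: "affects only openSUSE" does not say what is openSUSE-specific; someone auditing the allowlist later needs to know whether the flaw is in the library code this recipe builds or in that distribution's packaging, so spell that out in the comment and cite the advisory beside the `CVE_CHECK_WHITELIST += "CVE-2020-8032"` line.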
-- 
2.25.1


* [dunfell 11/11] dovecot: add CVE-2016-4983 to allowlist
  2021-07-06 14:53 [dunfell 00/11] Patch review, July 5th Armin Kuster
                   ` (9 preceding siblings ...)
  2021-07-06 14:53 ` [dunfell 10/11] cyrus-sasl: add CVE-2020-8032 " Armin Kuster
@ 2021-07-06 14:53 ` Armin Kuster
  10 siblings, 0 replies; 12+ messages in thread
From: Armin Kuster @ 2021-07-06 14:53 UTC (permalink / raw)
  To: openembedded-devel

CVE-2016-4983 affects only the postinstall script on a specific distribution, so add it to the allowlist.

Signed-off-by: Yuichi Ito <ito-yuichi@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 3613b50a84559ce771866cd1eef1141fa3e6d238)
[mkcert.sh does mask 077 first]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit d1fb027f894921ea02c984eb581ee1500c613470)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta-networking/recipes-support/dovecot/dovecot_2.2.36.4.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta-networking/recipes-support/dovecot/dovecot_2.2.36.4.bb b/meta-networking/recipes-support/dovecot/dovecot_2.2.36.4.bb
index 0f7fad2b24..e21a94ad64 100644
--- a/meta-networking/recipes-support/dovecot/dovecot_2.2.36.4.bb
+++ b/meta-networking/recipes-support/dovecot/dovecot_2.2.36.4.bb
@@ -67,3 +67,6 @@ FILES_${PN} += "${libdir}/dovecot/*plugin.so \
 FILES_${PN}-staticdev += "${libdir}/dovecot/*/*.a"
 FILES_${PN}-dev += "${libdir}/dovecot/libdovecot*.so"
 FILES_${PN}-dbg += "${libdir}/dovecot/*/.debug"
+
+# CVE-2016-4983 affects only postinstall script on specific distribution
+CVE_CHECK_WHITELIST += "CVE-2016-4983"
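Review bot: "specific distribution" is too vague for an allowlist justification; name the distribution whose postinstall script is affected, and state why this recipe's own certificate generation is unaffected (the cherry-pick note in the commit message records that "mkcert.sh does mask 077 first") in the comment beside `CVE_CHECK_WHITELIST += "CVE-2016-4983"`, since the recipe is where the next auditor will look.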
-- 
2.25.1
