Age | Commit message (Collapse) | Author |
|
The python3-unittest-automake-output is not supported [1], so drop
"pytest --automake".
[1] https://lore.kernel.org/all/20240327072236.2221619-1-mingli.yu@windriver.com/T/#mda91919809cf156aba24f099bef65142067cd318
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
To fix crash due to missing module:
File "/usr/lib/python3.11/site-packages/twisted/internet/defer.py", line 42, in <module>
from typing_extensions import Literal, ParamSpec, Protocol
ModuleNotFoundError: No module named 'typing_extensions'
Signed-off-by: Hains van den Bosch <hainsvdbosch@ziggo.nl>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Guðni Már Gilbert <gudnimar@noxmedical.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
To fix crash due to missing module:
from twisted.internet import defer
File "/usr/lib/python3.11/site-packages/twisted/internet/defer.py", line 14, in <module>
from asyncio import AbstractEventLoop, Future, iscoroutine
ModuleNotFoundError: No module named 'asyncio'
Signed-off-by: Hains van den Bosch <hainsvdbosch@ziggo.nl>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Guðni Már Gilbert <gudnimar@noxmedical.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
aiohttp is an asynchronous HTTP client/server framework
for asyncio and Python.When using aiohttp as a web server
and configuring static routes, it is necessary to specify
the root path for static files. Additionally, the option
'follow_symlinks' can be used to determine whether to
follow symbolic links outside the static root directory.
When 'follow_symlinks' is set to True, there is no
validation to check if reading a file is within the root
directory. This can lead to directory traversal
vulnerabilities, resulting in unauthorized access to
arbitrary files on the system, even when symlinks are not
present. Disabling follow_symlinks and using a reverse proxy
are encouraged mitigations. Version 3.9.2 fixes this issue.
References:
https://security-tracker.debian.org/tracker/CVE-2024-23334
https://github.com/aio-libs/aiohttp/releases/tag/v3.9.2
Signed-off-by: Rahul Janani Pandi <RahulJanani.Pandi@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10,
and Django 5.0 before 5.0.2. The intcomma template filter was subject
to a potential denial-of-service attack when used with very long strings.
Since, there is no ptest available for python3-django so have not
tested the patch changes at runtime.
References:
https://security-tracker.debian.org/tracker/CVE-2024-24680
https://docs.djangoproject.com/en/dev/releases/4.2.10/
Signed-off-by: Rahul Janani Pandi <RahulJanani.Pandi@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code
Execution via the environment parameter, a different vulnerability
than CVE-2022-22817 (which was about the expression parameter).
References:
https://security-tracker.debian.org/tracker/CVE-2023-50447
https://github.com/python-pillow/Pillow/blob/10.2.0/CHANGES.rst
Signed-off-by: Rahul Janani Pandi <RahulJanani.Pandi@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
* Upgrade to 1.4.1 to make it work with setuptools 59.x as it doesn't
support pep 621 [1], so remove pyproject.toml and add setup.cfg back [2].
* Add python3-toml to RDEPENDS to fix below error:
self = <yamlinclude.readers.TomlReader object at 0x7faceccdbd30>
def __call__(self):
if sys.version_info >= (3, 11):
with open(self._path, "rb") as fp:
return tomllib.load(fp)
else:
try:
import toml
except ImportError as err: # pragma: no cover
> raise ImportError(f'Un-supported file "{self._path}".\n`pip install toml` should solve the problem.\n\n{err}')
E ImportError: Un-supported file "tests/data/include.d/1.toml".
E `pip install toml` should solve the problem.
E
E No module named 'toml'
../../python3.10/site-packages/yamlinclude/readers.py:69: ImportError
[1] https://setuptools.pypa.io/en/latest/userguide/pyproject_config.html
[2] https://github.com/tanbro/pyyaml-include/issues/43
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
* Also replace ${PYTHON_PN} with python3
Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 182f31a182f6572a3538b875cec7ee761e2da1e6)
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Add a recipe for the pyyaml-include package that extends PyYAML to include
YAML files within YAML files. Add a ptest to run the unit tests and include
the tests as part of the package lists in meta-python
Signed-off-by: Derek Straka <derek@asterius.io>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit bf011a9f5e89186b338b6a335d10ef84929be0ce)
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Upgrade to the latest 4.x LTS release.
Bugs fixes only. Fix CVE:
CVE-2024-24680: Potential denial-of-service in intcomma template filter
Signed-off-by: Fathi Boudra <fathi.boudra@linaro.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
The delta between 3.8.5 & 3.8.6 contains the CVE-2023-47627 fix and other bugfixes.
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-gfw2-4jvh-wgfg
Changelog:
----------
https://docs.aiohttp.org/en/stable/changes.html#id72
The git log --oneline v3.8.5..v3.8.6 shows:
996de262 (tag: v3.8.6) Release v3.8.6 (#7668)
8c128d4f [PR #7651/45f98b7d backport][3.8] Fix BadStatusLine message (#7666)
89b7df15 Allow lax response parsing on Py parser (#7663) (#7664)
d5c12ba8 [PR #7661/85713a48 backport][3.8] Update Python parser for RFCs 9110/9112 (#7662)
8a3977ac [PR #7272/b2a7983a backport][3.8] Fix Read The Docs config (#7650)
bcc416e5 [PR #7647/1303350e backport][3.8] Upgrade to llhttp 9.1.3 (#7648)
b30c0cd2 Remove chardet/charset-normalizer. (#7589)
5946c743 CookieJar - return 'best-match' and not LIFO (#7577) (#7588)
8c4ec62f [PR #7518/8bd42e74 backport][3.8] Fix GunicornWebWorker max_requests_jitter not work (#7519)
a0d234df Use lenient headers for response parser (#7490) (#7492)
f92b27b0 Update to LLHTTP 9 (#7485) (#7487)
8129d26f [PR #7480/1fb06bbc backport][3.8] Fix error pointer on linebreaks (#7482)
8d701c3d Fix PermissionError when loading .netrc (#7237) (#7378) (#7395)
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Add patch to fix CVE-2023-44271
Reference:
https://github.com/python-pillow/Pillow/commit/1fe1bb49c452b0318cad12ea9d97c3bef188e9a7
Signed-off-by: Dnyandev Padalkar <padalkards17082001@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
The delta between 4.2.5 and 4.2.7 contains the fixes for
CVE-2023-43665, CVE-2023-46695 and other bugfixes.
git log --oneline 4.2.5..4.2.7 shows:
d254a54e7f (tag: 4.2.7) [4.2.x] Bumped version for 4.2.7 release.
048a9ebb6e [4.2.x] Fixed CVE-2023-46695 -- Fixed potential DoS in UsernameField on Windows.
3fae5d92da [4.2.x] Refs #30601 -- Fixed typos in docs/topics/db/transactions.txt.
a8aa94062b [4.2.x] Refs #15578 -- Made cosmetic edits to fixtures docs.
109f39a38b [4.2.x] Fixed #34932 -- Restored varchar_pattern_ops/text_pattern_ops index creation when deterministic collaction is set.
61612990d8 [4.2.x] Fixed typos in docs/ref/models/expressions.txt.
696fbc32d6 [4.2.x] Fixed #30601 -- Doc'd the need to manually revert all app state on transaction rollbacks.
ffba63180c [4.2.x] Fixed typo in docs/ref/contrib/gis/geos.txt.
43a3646070 [4.2.x] Fixed #15578 -- Stated the processing order of fixtures in the fixtures docs.
0cd8b867a0 [4.2.x] Added stub release notes and release date for 4.2.7, 4.1.13, and 3.2.23.
510a512119 [4.2.x] Fixed typo in docs/releases/4.2.txt.
b644f8bc1f [4.2.x] Corrected note about using accents in writing documentation contributing guide.
a576ef98ae [4.2.x] Refs #34900, Refs #34118 -- Updated assertion in test_skip_class_unless_db_feature() test on Python 3.12.1+.
803caec60b [4.2.x] Fixed #34798 -- Fixed QuerySet.aggregate() crash when referencing expressions containing subqueries.
caec4f4a6f [4.2.x] Refs #34840 -- Improved release note describing index regression.
b6bb2f8099 [4.2.x] Refs #34840 -- Fixed test_validate_nullable_textfield_with_isnull_true() on databases that don's support table check constraints.
e8fe48d3a0 [4.2.x] Fixed #34808 -- Doc'd aggregate function's default argument.
830990fa6c [4.2.x] Reorganized tutorial's part 4 to better understand changes needed in URLConf.
0cbc92bc3a [4.2.x] Refs #26029 -- Improved get_storage_class() deprecation warning with stacklevel=2.
9c7627da30 [4.2.x] Refs #34043 -- Clarified how to test UI changes.
0bd53ab86a [4.2.x] Added backticks to setuptools in docs.
99dcba90b4 [4.2.x] Refs #32275 -- Added scrypt password hasher to PASSWORD_HASHERS setting docs.
6697880219 [4.2.x] Refs #31435 -- Doc'd potential infinite recursion when accessing model fields in __init__.
a9a3317a95 [4.2.x] Corrected wrap_socket() reference in docs/ref/settings.txt.
9962f94a97 [4.2.x] Added CVE-2023-43665 to security archive.
b2d95bb301 [4.2.x] Added stub release notes for 4.2.7.
08d54f83a9 [4.2.x] Post release version bump.
c22017bd1d (tag: 4.2.6) [4.2.x] Bumped version for 4.2.6 release.
be9c27c4d1 [4.2.x] Fixed CVE-2023-43665 -- Mitigated potential DoS in django.utils.text.Truncator when truncating HTML text.
39fc3f46a8 [4.2.x] Added stub release notes and release date for 4.2.6, 4.1.12, and 3.2.22.
dd0bf63d3e [4.2.x] Added warning about flatpages and untrusted users.
fec4ed0a25 [4.2.x] Refs #34320 -- Skipped SchemaTests.test_rename_field_with_check_to_truncated_name on MariaBD 10.5.2+.
a148461f1f [4.2.x] Fixed #34840 -- Avoided casting string base fields on PostgreSQL.
b08f53ff46 [4.2.x] Refs #34808 -- Doc'd that aggregation functions on empty groups can return None.
c70f08c4aa [4.2.x] Added updating the Django release process on Trac to release steps.
d485aa2732 [4.2.x] Fixed typo in docs/howto/custom-file-storage.txt.
ff26e6ad84 [4.2.x] Corrected QuerySet.prefetch_related() note about GenericRelation().
866122690d [4.2.x] Doc'd HttpResponse.cookies.
97e8a2afb1 [4.2.x] Fixed #34821 -- Prevented DEFAULT_FILE_STORAGE/STATICFILES_STORAGE settings from mutating the main STORAGES.
39cb3b08bc [4.2.x] Bumped checkout version in Github actions configuration.
592ebd8920 [4.2.x] Added stub release notes for 4.2.6.
a1dd785139 [4.2.x] Added CVE-2023-41164 to security archive.
a9686cb871 [4.2.x] Post-release version bump.
Release Notes: https://docs.djangoproject.com/en/dev/releases/4.2.7/
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
The delta between 3.2.21 and 3.2.23 contains the fixes for
CVE-2023-43665, CVE-2023-46695 and other bugfixes.
git log --oneline 3.2.21..3.2.23 shows:
60e648a7ae (tag: 3.2.23) [3.2.x] Bumped version for 3.2.23 release.
f9a7fb8466 [3.2.x] Fixed CVE-2023-46695 -- Fixed potential DoS in UsernameField on Windows.
e6d2591d9e [3.2.x] Added stub release notes for 3.2.23.
3c04b74293 [3.2.x] Added CVE-2023-43665 to security archive.
86a14d653f [3.2.x] Post release version bump.
3106e94e52 (tag: 3.2.22) [3.2.x] Bumped version for 3.2.22 release.
ccdade1a02 [3.2.x] Fixed CVE-2023-43665 -- Mitigated potential DoS in django.utils.text.Truncator when truncating HTML text.
6caf7b313d [3.2.x] Added stub release notes for 3.2.22.
9e814c3a5e [3.2.x] Added CVE-2023-41164 to security archive.
4b439dcd05 [3.2.x] Post-release version bump.
Release Notes: https://docs.djangoproject.com/en/dev/releases/3.2.23/
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
CVE-2023-43665:
In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the
django.utils.text.Truncator chars() and words() methods (when used with
html=True) are subject to a potential DoS (denial of service) attack via
certain inputs with very long, potentially malformed HTML text. The chars()
and words() methods are used to implement the truncatechars_html and
truncatewords_html template filters, which are thus also vulnerable.
NOTE: this issue exists because of an incomplete fix for CVE-2019-14232.
CVE-2023-46695:
An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and
4.2 before 4.2.7. The NFKC normalization is slow on Windows. As a consequence,
django.contrib.auth.forms.UsernameField is subject to a potential DoS (denial of
service) attack via certain inputs with a very large number of Unicode characters.
References:
https://www.djangoproject.com/weblog/2023/oct/04/security-releases/
https://www.djangoproject.com/weblog/2023/nov/01/security-releases/
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Branch "master" has been renamed to "main".
Signed-off-by: Christian Eggers <ceggers@arri.de>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
The command "bitbake universe -c fetch" currently throws a ton of warnings
as there are many 'impossible' dependencies.
In some cases these variants may never have worked and were just added by copy
and paste of recipes. In some cases they once clearly did work but became
broken somewhere along the way. Users may also be carrying local bbappend files
which add further BBCLASSEXTEND.
Having universe fetch work without warnings is desireable so clean up the broken
variants. Anyone actually needing something dropped here can propose adding it
and the correct functional dependencies back quite easily. This also then
ensures we're not carrying or fixing things nobody uses.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit d4aa17dc436beb96a804860bc6d18cf72283709e)
Backport:
* Adapted paths to follow PV changes
* Adapted modified recipes to the ones generating warnings
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
python3-beautifulsoup4 does depend on python3-soupsieve but
python3-soupsieve does not depend on python3-beautifulsoup4.
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
An issue in Gevent Gevent before version 23.9.1 allows a remote attacker
to escalate privileges via a crafted script to the WSGIServer component.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-41419
https://github.com/advisories/GHSA-x7m3-jprg-wc5g
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
The delta between 4.2.3 and 4.2.5 contains the CVE-2023-41164 fix
and other bugfixes. git log --oneline 4.2.3..4.2.5 shows:
b8b2f74512 (tag: 4.2.5) [4.2.x] Bumped version for 4.2.5 release.
9c51b4dcfa [4.2.x] Fixed CVE-2023-41164 -- Fixed potential DoS in django.utils.encoding.uri_to_iri().
acfb427522 [4.2.x] Fixed #34803 -- Fixed queryset crash when filtering againts deeply nested OuterRef annotations.
55a0b9c32e [4.2.x] Added stub release notes and release date for 4.2.5, 4.1.11, and 3.2.21.
8e8c318449 [4.2.x] Avoided counting exceptions in AsyncClient docs.
dcb9d7a0e4 [4.2.x] Improved formset docs by using a set instead of a list in the custom validation example.
f55b420277 [4.2.x] Fixed #34781 -- Updated logging ref docs for django.server's request extra context value.
46b2b08e45 [4.2.x] Fixed #34779 -- Avoided unnecessary selection of non-nullable m2m fields without natural keys during serialization.
d34db6602e [4.2.x] Fixed #34773 -- Fixed syncing DEFAULT_FILE_STORAGE/STATICFILES_STORAGE settings with STORAGES.
a22aeef555 [4.2.x] Fixed #15799 -- Doc'd that Storage._open() should raise FileNotFoundError when file doesn't exist.
936afc2deb [4.2.x] Refs #34754 -- Added missing FullResultSet import.
3a1863319c [4.2.x] Fixed #34754 -- Fixed JSONField check constraints validation on NULL values.
951dcbb2e6 [4.2.x] Fixed #34756 -- Fixed docs HTML build on Sphinx 7.1+.
a750fd0d7f [4.2.x] Added stub release notes for 4.2.5.
a56c46642d [4.2.x] Post-release version bump.
6f4c7c124a (tag: 4.2.4) [4.2.x] Bumped version for 4.2.4 release.
e53d6239df [4.2.x] Added release date for 4.2.4.
8808d9da6b [4.2.x] Fixed #34750 -- Fixed QuerySet.count() when grouping by unused multi-valued annotations.
2ef2b2ffc0 [4.2.x] Corrected pycon formatting in some docs.
8db9a0b5a0 [4.2.x] Fixed warnings per flake8 6.1.0.
739da73164 [4.2.x] Fixed #34748 -- Fixed queryset crash when grouping by a reference in a subquery.
a52a2b6678 [4.2.x] Fixed #34749 -- Corrected QuerySet.acreate() signature in docs.
12ebd9a1ac [4.2.x] Refs #34712 -- Doc'd that defining STORAGES overrides the default configuration.
1f9d00ef9f [4.2.x] Added missing backticks in docs.
c99d935600 [4.2.x] Fixed typo in docs/ref/models/querysets.txt.
da92a971a0 [4.2.x] Refs #30052 -- Clarified that defer() and only() do not work with aggregated fields.
7a67b065d7 [4.2.x] Fixed #34717 -- Fixed QuerySet.aggregate() crash when referencing window functions.
c646412a75 Added reference to TypedChoiceField in ChoiceField docs.
f474ba4cb5 [4.2.x] Fixed #34309 -- Doc'd how to fully delete an app.
e54f711d42 [4.2.x] Fixed #33405, Refs #7177 -- Clarified docs for filter escapejs regarding safe and unsafe usages.
047844270b [4.2.x] Added stub release notes for 4.2.4.
Release Notes: https://docs.djangoproject.com/en/dev/releases/4.2.5/
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
The delta between 3.2.20 and 3.2.21 contains the CVE-2023-41164 fix
and other bugfixes. git log --oneline 3.2.20..3.2.21 shows:
fd0ccd7fb3 (tag: 3.2.21) [3.2.x] Bumped version for 3.2.21 release.
6f030b1149 [3.2.x] Fixed CVE-2023-41164 -- Fixed potential DoS in django.utils.encoding.uri_to_iri().
73350a6369 [3.2.x] Added stub release notes for 3.2.21.
75418f8c0e [3.2.x] Fixed #34756 -- Fixed docs HTML build on Sphinx 7.1+.
848fe70f3e [3.2.x] Added CVE-2023-36053 to security archive.
4012a87a58 [3.2.x] Post-release version bump.
Release Notes: https://docs.djangoproject.com/en/dev/releases/3.2.21/
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
In Django 3.2 before 3.2.21, 4 before 4.1.11, and 4.2 before 4.2.5,
``django.utils.encoding.uri_to_iri()`` was subject to potential denial
of service attack via certain inputs with a very large number of Unicode
characters.
Since, there is no ptest available for python3-django so have not
tested the patch changes at runtime.
References:
https://security-tracker.debian.org/tracker/CVE-2023-41164
https://www.djangoproject.com/weblog/2023/sep/04/security-releases/
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
The delta between 3.8.1 & 3.8.5 contains the CVE-2023-37276 fix and other bugfixes.
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-45c4-8wx5-qw6w
Changelog:
https://docs.aiohttp.org/en/stable/changes.html
- Increased the upper boundary of the multidict dependency to allow for the version 6
- License-Update: Update copyright year from 2020 to 2022
- Fixed incorrectly overwriting cookies with the same name and domain, but different path
- Fixed ConnectionResetError not being raised after client disconnection in SSL environments
- Upgraded the vendored copy of llhttp_ to v8.1.1
- Added information to C parser exceptions to show which character caused the error
- Fixed a transport is :data:None error
Upstream master patches:
3.8.1 -> 3.8.3 : https://git.openembedded.org/meta-openembedded/commit/?id=c0d2a5bcc87ee8564a5b9be35f3e2b930e384a59
3.8.3 -> 3.8.4 : https://git.openembedded.org/meta-openembedded/commit/?id=1fc465466cd138e1fcc87de18e84f88e2c5f1b4f
3.8.4 -> 3.8.5 : https://git.openembedded.org/meta-openembedded/commit/?id=ba5d26d1d8b30d71cb648f95b6431c16134e82e9
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
At least one of the following DISTRO_FEATURES needs to be present: X11
or Wayland. The recipe now work with pure Wayland.
Signed-off-by: Marine Vovard <m.vovard@phytec.de>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3,
EmailValidator and URLValidator are subject to a potential ReDoS
(regular expression denial of service) attack via a very large
number of domain name labels of emails and URLs.
Since, there is no ptest available for python3-django so have not
tested the patch changes at runtime.
References:
https://github.com/advisories/GHSA-jh3w-4vvf-mjgr
https://github.com/django/django/commit/454f2fb93437f98917283336201b4048293f7582
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
According to the setup.py of v4.0.0 [1] the following runtime
dependencies are currently missing. Add them.
* packaging
* setuptools
* typing_extensions
While at it, also reorder the list alphabetically.
[1] https://github.com/hardbyte/python-can/blob/4.0.0/setup.py
Signed-off-by: Frieder Schrempf <frieder.schrempf@kontron.de>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
The delta between 4.2.1 and 4.2.3 contains the CVE-2023-36053 fix
and other bugfixes. git log --oneline 4.2.1..4.2.3 shows:
1651351386 (tag: 4.2.3) [4.2.x] Bumped version for 4.2.3 release.
b7c5feb35a [4.2.x] Fixed CVE-2023-36053 -- Prevented potential ReDoS in EmailValidator and URLValidator.
1ea11365f6 [4.2.x] Fixed typo in docs/intro/tutorial08.txt.
7b45fe01ab [4.2.x] Added dedicated section for output_field in query expressions docs.
67fe092a85 [4.2.x] Fixed typo in docs/ref/models/querysets.txt.
9ab56e64de [4.2.x] Added stub release notes and release date for 4.2.3, 4.1.10, and 3.2.20.
a18e0f44d5 [4.2.x] Corrected admin.E013 check message in docs.
fabd0510a0 [4.2.x] Fixed typo in docs/topics/db/fixtures.txt.
4b433ef236 [4.2.x] Refs #30220 -- Bumped required version of Selenium to 3.8.0.
9e9a286bed [4.2.x] Fixed #34638 -- Fixed admin change list selected row highlight on editable boolean fields.
31d1fc36b3 [4.2.x] Fixed #34645 -- Restored alignment for admin date/time timezone warnings.
eb84c068ed [4.2.x] Fixed #30355 -- Doc'd interaction between custom managers and prefetch_related().
b2355a8df3 [4.2.x] Added stub release notes for 4.2.3.
10de214055 [4.2.x] Post-release version bump.
6218ed3454 (tag: 4.2.2) [4.2.x] Bumped version for 4.2.2 release.
e84d38ab36 [4.2.x] Added release date for 4.2.2.
87a4cd559b [4.2.x] Fixed #34620 -- Fixed serialization crash on m2m fields without natural keys when base querysets use select_related().
66d9fa4371 [4.2.x] Refs #23528 -- Made cosmetic edits to swappable_dependency() docs.
92ad551afd [4.2.x] Fixed #23528 -- Doc'd django.db.migrations.swappable_dependency().
738386470d [4.2.x] Fixed #34612 -- Fixed QuerySet.only() crash on reverse relationships.
dae052d823 [4.2.x] Fixed #34595 -- Doc'd that format_string arg of format_html() is not escaped.
dca5f5d58a [4.2.x] Fixed #34600 -- Removed references to bleach in docs.
25bd9faf32 [4.2.x] Fixed #34574 -- Noted unexpected outcomes in autoescape/escape docs.
91f8df5c2e [4.2.x] Fixed #34590 -- Reverted "Refs #33308 -- Improved adapting DecimalField values to decimal."
a44e974412 [4.2.x] Corrected documentation of Log database function.
bf5249fc8e [4.2.x] Refs #34118 -- Fixed FunctionalTests.test_cached_property_reuse_different_names() on Python 3.12+.
c78a4421de [4.2.x] Fixed #34551 -- Fixed QuerySet.aggregate() crash when referencing subqueries.
57f499e412 [4.2.x] Refs #34551 -- Fixed QuerySet.aggregate() crash on precending aggregation reference.
b4563cdd23 [4.2.x] Fixed #34579 -- Added Django Forum to contributing guides.
37ba4c3a94 [4.2.x] Fixed references to django.core.cache in docs.
6b76481fb9 [4.2.x] Fixed #34588 -- Removed usage of nonexistent stylesheet in the 'Congrats' page.
e1c00f8b36 [4.2.x] Fixed #34580 -- Avoided unnecessary computation of selected expressions in SQLCompiler.
cdd970ae22 [4.2.x] Fixed #34568 -- Made makemigrations --update respect --name option.
2b5c5e54de [4.2.x] Updated broken links in docs.
201d29b371 [4.2.x] Fixed #34570 -- Silenced noop deferral of many-to-many and GFK.
9c301814b0 [4.2.x] Fixed #34539 -- Restored get_prep_value() call when adapting JSONFields.
ddccecee91 [4.2.x] Fixed #34556 -- Doc'd that StreamingHttpResponse accepts memoryviews and strings iterators.
dbe263751c [4.2.x] Clarified database connections lifetime outside HTTP requests.
e50fe33e13 [4.2.x] Made explicit the location of locally-built HTML docs.
e0d8981139 [4.2.x] Fixed #34544 -- Avoided DBMS_LOB.SUBSTR() wrapping with IS NULL condition on Oracle.
dc3b8190ed [4.2.x] Fixed #34545 -- Corrected the number of months in installation FAQ.
bcf66f1355 [4.2.x] Corrected code-block directive in docs/ref/templates/builtins.txt.
4eaed191b6 [4.2.x] Corrected code-block directives in docs.
9ec1ff7879 [4.2.x] Fixed MultipleFileFieldTest.test_file_multiple_validation() test if Pillow isn't installed.
2756c69601 [4.2.x] Added CVE-2023-31047 to security archive.
110919987b [4.2.x] Added stub release notes for 4.2.2.
00152276e9 [4.2.x] Post-release version bump.
Release Notes: https://docs.djangoproject.com/en/dev/releases/4.2.3/
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
The delta between 3.2.19 and 3.2.20 contains the CVE-2023-36053 fix
and other bugfixes. git log --oneline 3.2.19..3.2.20 shows:
19bc11f636 (tag: 3.2.20) [3.2.x] Bumped version for 3.2.20 release.
454f2fb934 [3.2.x] Fixed CVE-2023-36053 -- Prevented potential ReDoS in EmailValidator and URLValidator.
07cc014cb3 [3.2.x] Added stub release notes for 3.2.20.
e1bbbbe6ac [3.2.x] Fixed MultipleFileFieldTest.test_file_multiple_validation() test if Pillow isn't installed.
47ef12e69c [3.2.x] Added CVE-2023-31047 to security archive.
15f90ebff3 [3.2.x] Post-release version bump.
Release Notes: https://docs.djangoproject.com/en/dev/releases/3.2.20/
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
gcc-11 has metadata line "-: 0:Source is newer than graph" which throws an
error.
Backported from gcovr 5.2, as kirkstone release uses gcc-11.
Signed-off-by: Jasper Orschulko <jasper@fancydomain.eu>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Modified the CVE-2023-23934.patch to fix the patch-fuzz.
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
sqlparse is a non-validating SQL parser module for Python. In affected
versions the SQL parser contains a regular expression that is vulnerable
to ReDoS (Regular Expression Denial of Service). This issue was introduced
by commit `e75e358`. The vulnerability may lead to Denial of Service (DoS).
This issues has been fixed in sqlparse 0.4.4 by commit `c457abd5f`. Users
are advised to upgrade. There are no known workarounds for this issue.
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
The delta between 3.2.12 and 3.2.19 contain numerous CVEs and other
bugfixes. git log --oneline 3.2.12..3.2.19 shows:
fc42edd2e6 (tag: 3.2.19) [3.2.x] Bumped version for 3.2.19 release.
eed53d0011 [3.2.x] Fixed CVE-2023-31047, Fixed #31710 -- Prevented potential bypass of validation when uploading multiple files using one form field.
007e46d815 [3.2.x] Added missing backticks in docs/releases/1.7.txt.
a37e4d5d6e [3.2.x] Added stub release notes for 3.2.19.
963f24cff2 [3.2.x] Added CVE-2023-24580 to security archive.
e34a2283f2 [3.2.x] Post-release version bump.
722e9f8a38 (tag: 3.2.18) [3.2.x] Bumped version for 3.2.18 release.
a665ed5179 [3.2.x] Fixed CVE-2023-24580 -- Prevented DoS with too many uploaded files.
932b5bd52d [3.2.x] Added stub release notes for 3.2.18.
c35a5788f4 [3.2.x] Added CVE-2023-23969 to security archive.
9bd8db3940 [3.2.x] Post-release version bump.
aed1bb56d1 (tag: 3.2.17) [3.2.x] Bumped version for 3.2.17 release.
c7e0151fdf [3.2.x] Fixed CVE-2023-23969 -- Prevented DoS with pathological values for Accept-Language.
9da46345d8 [3.2.x] Fixed inspectdb.tests.InspectDBTestCase.test_custom_fields() on SQLite 3.37+.
4c2b26174f [3.2.x] Removed 'tests' path prefix in a couple tests.
d21543182d [3.2.x] Adjusted release notes for 3.2.17.
4e31d3ea55 [3.2.x] Added stub release notes for 3.2.17.
238e8898ac [3.2.x] Corrected passenv value for tox 4.0.6+.
b381ab4906 [3.2.x] Disabled auto-created table of contents entries on Sphinx 5.2+.
f6f0699d01 [3.2.x] Removed obsolete doc reference to asyncio.iscoroutinefunction.
accdd0576d [3.2.x] Added CVE-2022-36359 to security archive.
7190b38b8d [3.2.x] Post-release version bump.
4c85beca9d (tag: 3.2.16) [3.2.x] Bumped version for 3.2.16 release.
5b6b257fa7 [3.2.x] Fixed CVE-2022-41323 -- Prevented locales being interpreted as regular expressions.
33affaf0b6 [3.2.x] Added stub notes 3.2.16 release.
777362d74a [3.2.x] Added CVE-2022-36359 to security archive.
eb5bdb461e [3.2.x] Post-release version bump.
653a7bd7b7 (tag: 3.2.15) [3.2.x] Bumped version for 3.2.15 release.
b3e4494d75 [3.2.x] Fixed CVE-2022-36359 -- Escaped filename in Content-Disposition header.
cb7fbac9f8 [3.2.x] Fixed collation tests on MySQL 8.0.30+.
840d009c06 [3.2.x] Fixed inspectdb and schema tests on MariaDB 10.6+.
a5eba20f40 Adjusted release notes for 3.2.15.
ad104fb50f [3.2.x] Added stub release notes for 3.2.15 release.
22916c8c1f [3.2.x] Fixed RelatedGeoModelTest.test08_defer_only() on MySQL 8+ with MyISAM storage engine.
e1cfbe58b7 [3.2.x] Added CVE-2022-34265 to security archive.
605cf0d3f6 [3.2.x] Post-release version bump.
746e88cc63 (tag: 3.2.14) [3.2.x] Bumped version for 3.2.14 release.
a9010fe555 [3.2.x] Fixed CVE-2022-34265 -- Protected Trunc(kind)/Extract(lookup_name) against SQL injection.
3acf156be3 [3.2.x] Fixed GEOSTest.test_emptyCollections() on GEOS 3.8.0.
4a5d98ee0a [3.2.x] Bumped minimum Sphinx version to 4.5.0.
1a9098166e [3.2.x] Fixed docs build with sphinxcontrib-spelling 7.5.0+.
37f4de2deb [3.2.x] Added stub release notes for 3.2.14.
7595f763a9 [3.2.x] Fixed test_request_lifecycle_signals_dispatched_with_thread_sensitive with asgiref 3.5.1+.
2dc85ecf3e [3.2.x] Fixed CoveringIndexTests.test_covering_partial_index() when DEFAULT_INDEX_TABLESPACE is set.
a23c25d84a [3.2.x] Fixed #33753 -- Fixed docs build on Sphinx 5+.
e01b383e02 [3.2.x] Added CVE-2022-28346 and CVE-2022-28347 to security archive.
ac2fb5ccb6 [3.2.x] Post-release version bump.
08e6073f87 (tag: 3.2.13) [3.2.x] Bumped version for 3.2.13 release.
9e19accb6e [3.2.x] Fixed CVE-2022-28347 -- Protected QuerySet.explain(**options) against SQL injection on PostgreSQL.
2044dac5c6 [3.2.x] Fixed CVE-2022-28346 -- Protected QuerySet.annotate(), aggregate(), and extra() against SQL injection in column aliases.
bdb92dba0b [3.2.x] Fixed #33628 -- Ignored directories with empty names in autoreloader check for template changes.
70035fb044 [3.2.x] Added stub release notes for 3.2.13 and 2.2.28.
7e7ea71a8d [3.2.x] Reverted "Fixed forms_tests.tests.test_renderers with Jinja 3.1.0+."
610ecc9053 [3.2.x] Fixed forms_tests.tests.test_renderers with Jinja 3.1.0+.
754af45773 [3.2.x] Fixed typo in release notes.
6f309165e5 [3.2.x] Added CVE-2022-22818 and CVE-2022-23833 to security archive.
1e6b555c92 [3.2.x] Post-release version bump.
Release Notes: https://docs.djangoproject.com/en/3.2/releases/
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1,
it was possible to bypass validation when using one form field to
upload multiple files. This multiple upload has never been supported
by forms.FileField or forms.ImageField (only the last uploaded file was
validated). However, Django's "Uploading multiple files" documentation
suggested otherwise.
Since, there is no ptest available for python3-django so have not tested
the patch changes at runtime.
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Werkzeug is a comprehensive WSGI web application library. Browsers may allow
"nameless" cookies that look like `=value` instead of `key=value`. A vulnerable
browser may allow a compromised application on an adjacent subdomain to exploit
this to set a cookie like `=__Host-test=bad` for another subdomain. Werkzeug
prior to 2.2.3 will parse the cookie `=__Host-test=bad` as __Host-test=bad`.
If a Werkzeug application is running next to a vulnerable or malicious subdomain
which sets such a cookie using a vulnerable browser, the Werkzeug application
will see the bad cookie value but the valid cookie key. The issue is fixed in
Werkzeug 2.2.3.
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
A flaw was found in all released versions of m2crypto, where they are
vulnerable to Bleichenbacher timing attacks in the RSA decryption API
via the timed processing of valid PKCS#1 v1.5 Ciphertext. The highest
threat from this vulnerability is to confidentiality.
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Django 4.2* is designated as a long-term support release. It will receive
security updates for at least three years after its release (From April-2023
to April-2026).
The delta between 4.0.2 and 4.2.1 contain numerous CVEs and other
bugfixes.
Changelog: https://docs.djangoproject.com/en/dev/releases/4.2.1/
Signed-off-by: Randy MacLeod <randy.macleod@windriver.com>
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
python3-gcovr requires standard python module multiprocessing as runtime
dependency.
Upstream-Status: Inappropriate [configuration]
Signed-off-by: Jasper Orschulko <jasper@fancydomain.eu>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(Cherry-picked from commit 5564dbb8ff22d9ca4296a68f92f3c9d05fbdf99f)
Signed-off-by: Jasper Orschulko <jasper@fancydomain.eu>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Werkzeug is a comprehensive WSGI web application library. Prior to
version 2.2.3, Werkzeug's multipart form data parser will parse an
unlimited number of parts, including file parts. Parts can be a
small amount of bytes, but each requires CPU time to parse and may
use more memory as Python data. If a request can be made to an
endpoint that accesses `request.data`, `request.form`, `request.files`,
or `request.get_data(parse_form_data=False)`, it can cause unexpectedly
high resource usage. This allows an attacker to cause a denial of
service by sending crafted multipart data to an endpoint that will
parse it. The amount of CPU time required can block worker processes
from handling legitimate requests. The amount of RAM required can
trigger an out of memory kill of the process. Unlimited file parts
can use up memory and file handles. If many concurrent requests are
sent continuously, this can exhaust or kill all available workers.
Version 2.2.3 contains a patch for this issue.
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
commit 7b0e71e00 ("python3-pillow: add ptest support", 2023-01-31)
added tk to RDEPENDS:${PN}-ptest. Which cause this error on non x11
builds:
ERROR: Nothing RPROVIDES 'tk' (but meta-openembedded/meta-python/recipes-devtools/python/python3-pillow_9.4.0.bb
RDEPENDS on or otherwise requires it) tk was skipped: missing required
distro feature 'x11' (not in DISTRO_FEATURES)
NOTE: Runtime target 'tk' is unbuildable, removing...
Missing or unbuildable dependency chain was: ['tk']
NOTE: Runtime target 'iotmanager' is unbuildable, removing...
Missing or unbuildable dependency chain was: ['iotmanager', 'python3-pillow', 'tk']
ERROR: Required build target 'update-runtime' has no buildable providers.
Missing or unbuildable dependency chain was:
['update-runtime', 'runtime-image', 'iotmanager', 'python3-pillow', 'tk']
Add tk dependency only if DISTRO_FEATURES includes x11
(cherry picked from commit 6e8c90560e0aa8fe2ebfb791985cb75fd7490527)
Signed-off-by: Geoff Parker <geoffrey.parker@arthrex.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
ptest results:
====== 3600 passed, 324 skipped, 2 xfailed, 1 xpassed in 74.41s (0:01:14) ======
for qemux86-64 with 2 GB RAM which is the same as seen on master.
Signed-off-by: Randy MacLeod <Randy.MacLeod@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Add initial pillow ptest support.
The ptest result is:
====== 3600 passed 324 skipped, 2 xfailed, 1 xpassed in 62.41s (0:01:02) ======
for qemux86-64 with 2 GB RAM.
The skipped tests as summarized with:
# ptest-runner python3-pillow | tee log
# grep SKIPP log | cut -d"(" -f2- | cut -d")" -f1 | cut -d" " -f1 | sort | uniq -c| sort -n | tail -4
12 webp
13 Tk
14 Qt
84 raqm
Webp was explicityly disabled in 2018 in:
6cb4e90fc python3-pillow: add 5.4.1
I didn't test Tk or Qt and there isn't yet a recipe for libraqm:
https://github.com/HOST-Oman/libraqm
a library that encapsulates the logic for complex text layout.
Signed-off-by: Randy MacLeod <Randy.MacLeod@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 7b0e71e00ce1b003c96ef38ead72a9e02555afbe)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
License-Updated: copyright year updated to 2023
Changelog:
==========
Fixed null pointer dereference crash with malformed font #6846
Return from ImagingFill early if image has a zero dimension #6842
Reversed deprecations for Image constants, except for duplicate Resampling attributes #6830
Improve exception traceback readability #6836
Do not attempt to read IFD1 if absent #6840
Fixed writing int as ASCII tag #6800
If available, use wl-paste or xclip for grabclipboard() on Linux #6783
Added signed option when saving JPEG2000 images #6709
Patch OpenJPEG to include ARM64 fix #6718
Added support for I;16 modes in putdata() #6825
Added conversion from RGBa to RGB #6708
Added DDS support for uncompressed L and LA images #6820
Added LightSource tag values to ExifTags #6749
Fixed PyAccess after changing ICO size #6821
Do not use EXIF from info when saving PNG images #6819
Fixed saving EXIF data to MPO #6817
Added Exif hide_offsets() #6762
Only compare to previous frame when checking for duplicate GIF frames while saving #6787
Always initialize all plugins in registered_extensions() #6811
Ignore non-opaque WebP background when saving as GIF #6792
Only set tile in ImageFile __setstate__ #6793
When reading BLP, do not trust JPEG decoder to determine image is CMYK #6767
Added IFD enum to ExifTags #6748
Fixed bug combining GIF frame durations #6779
Support saving JPEG comments #6774
Added getxmp() to WebPImagePlugin #6758
Added "exact" option when saving WebP #6747
Use fractional coordinates when drawing text #6722
Fixed writing int as BYTE tag #6740
Added MP Format Version when saving MPO #6735
Added Interop to ExifTags #6724
CVE-2007-4559 patch when building on Windows #6704
Fix compiler warning: accessing 64 bytes in a region of size 48 #6714
Use verbose flag for pip install #6713
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit b73867b9d77e8050c20dc28ec449572f2185cb2a)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Changelog:
=========
Limit SAMPLESPERPIXEL to avoid runtime DOS #6700 [wiredfool]
Initialize libtiff buffer when saving #6699 [radarhere]
Inline fname2char to fix memory leak #6329 [nulano]
Fix memory leaks related to text features #6330 [nulano]
Use double quotes for version check on old CPython on Windows #6695 [hugovk]
Remove backup implementation of Round for Windows platforms #6693 [cgohlke]
Fixed set_variation_by_name offset #6445 [radarhere]
Fix malloc in _imagingft.c:font_setvaraxes #6690 [cgohlke]
Release Python GIL when converting images using matrix operations #6418 [hmaarrfk]
Added ExifTags enums #6630 [radarhere]
Do not modify previous frame when calculating delta in PNG #6683 [radarhere]
Added support for reading BMP images with RLE4 compression #6674 [npjg, radarhere]
Decode JPEG compressed BLP1 data in original mode #6678 [radarhere]
Added GPS TIFF tag info #6661 [radarhere]
Added conversion between RGB/RGBA/RGBX and LAB #6647 [radarhere]
Do not attempt normalization if mode is already normal #6644 [radarhere]
Fixed seeking to an L frame in a GIF #6576 [radarhere]
Consider all frames when selecting mode for PNG save_all #6610 [radarhere]
Don't reassign crc on ChunkStream close #6627 [wiredfool, radarhere]
Raise a warning if NumPy failed to raise an error during conversion #6594 [radarhere]
Show all frames in ImageShow #6611 [radarhere]
Allow FLI palette chunk to not be first #6626 [radarhere]
If first GIF frame has transparency for RGB_ALWAYS loading strategy, use RGBA mode #6592 [radarhere]
Round box position to integer when pasting embedded color #6517 [radarhere, nulano]
Removed EXIF prefix when saving WebP #6582 [radarhere]
Pad IM palette to 768 bytes when saving #6579 [radarhere]
Added DDS BC6H reading #6449 [ShadelessFox, REDxEYE, radarhere]
Added support for opening WhiteIsZero 16-bit integer TIFF images #6642 [JayWiz, radarhere]
Raise an error when allocating translucent color to RGB palette #6654 [jsbueno, radarhere]
Added reading of TIFF child images #6569 [radarhere]
Improved ImageOps palette handling #6596 [PososikTeam, radarhere]
Defer parsing of palette into colors #6567 [radarhere]
Apply transparency to P images in ImageTk.PhotoImage #6559 [radarhere]
Use rounding in ImageOps contain() and pad() #6522 [bibinhashley, radarhere]
Fixed GIF remapping to palette with duplicate entries #6548 [radarhere]
Allow remap_palette() to return an image with less than 256 palette entries #6543 [radarhere]
Corrected BMP and TGA palette size when saving #6500 [radarhere]
Do not call load() before draft() in Image.thumbnail #6539 [radarhere]
Copy palette when converting from P to PA #6497 [radarhere]
Allow RGB and RGBA values for PA image putpixel #6504 [radarhere]
Removed support for tkinter in PyPy before Python 3.6 #6551 [nulano]
Do not use CCITTFaxDecode filter if libtiff is not available #6518 [radarhere]
Fallback to not using mmap if buffer is not large enough #6510 [radarhere]
Fixed writing bytes as ASCII tag #6493 [radarhere]
Open 1 bit EPS in mode 1 #6499 [radarhere]
Removed support for tkinter before Python 1.5.2 #6549 [radarhere]
Allow default ImageDraw font to be set #6484 [radarhere, hugovk]
Save 1 mode PDF using CCITTFaxDecode filter #6470 [radarhere]
Added support for RGBA PSD images #6481 [radarhere]
Parse orientation from XMP tag contents #6463 [bigcat88, radarhere]
Added support for reading ATI1/ATI2 (BC4/BC5) DDS images #6457 [REDxEYE, radarhere]
Do not clear GIF tile when checking number of frames #6455 [radarhere]
Support saving multiple MPO frames #6444 [radarhere]
Do not double quote Pillow version for setuptools >= 60 #6450 [radarhere]
Added ABGR BMP mask mode #6436 [radarhere]
Fixed PSDraw rectangle #6429 [radarhere]
Raise ValueError if PNG sRGB chunk is truncated #6431 [radarhere]
Handle missing Python executable in ImageShow on macOS #6416 [bryant1410, radarhere]
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 4e075c7dc81c4d2824094f9d3523cf16719be9a7)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Changelog:
=========
Fixed null check for fribidi_version_info in FriBiDi shim
Added GIF decompression bomb check
Handle PCF fonts files with less than 256 characters
Improved GIF optimize condition
Reverted to array_interface with the release of NumPy 1.23
Pad PCX palette to 768 bytes when saving
Fixed bug with rounding pixels to palette colors
Use gnome-screenshot on Linux if available
Fixed loading L mode BMP RLE8 images
Fixed incorrect operator in ImageCms error
Limit FPX tile size to avoid extending outside image
Added support for decoding plain PPM formats
Added apply_transparency()
Fixed behaviour change from endian fix
Use python3
Allow remapping P images with RGBA palettes
Revert "Skip test_realloc_overflow unless libtiff 4.0.4 or higher"
[pre-commit.ci] pre-commit autoupdate
Only import ImageFont in ImageDraw when necessary
Fixed drawing translucent 1px high polygons
Pad COLORMAP to 768 items when saving TIFF
Fix P -> PA conversion
Once exif data is parsed, do not reload unless it changes
Only try to connect discontiguous corners at the end of edges
Improve transparency handling when saving GIF images
Do not update GIF frame position until local image is found
Netscape GIF extension belongs after the global color table
Only write GIF comments at the beginning of the file
Separate multiple GIF comment blocks with newlines
Always use GIF89a for comments
Ignore compression value from BMP info dictionary when saving as TIFF
If font is file-like object, do not re-read from object to get variant
Raise ValueError when trying to access internal fp after close
Support more affine expression forms in im.point()
Include 'twine check' in 'make sdist'
Ensure that furthest v is set in quantize2
Signed-off-by: Zheng Ruoqin <zhengrq.fnst@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Signed-off-by: Xu Huan <xuhuan.fnst@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
tests/test_downloadutils.py::test_stream_response_to_specific_filename
requests_toolbelt/downloadutils/stream.py:161: DeprecationWarning: Using or importing the ABCs from 'collections' instead of from 'collections.abc' is deprecated, and in 3.8 it will stop working
if path and isinstance(getattr(path, 'write', None), collections.Callable):
Upstream-Status: Backport [https://github.com/requests/toolbelt/commit/7188b06330e5260be20bce8cbcf0d5ae44e34eaf]
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Signed-off-by: He Zhe <zhe.he@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
As per CVE reference, version 3.2.1 fixes the CVE-2022-36087 issue. But after upgrading the python3-oauthlib version
to 3.2.1, observed that the vulnerable code lines are still available. The same observations were reported here in github at
https://github.com/oauthlib/oauthlib/issues/837 and found that it was a mistake during 3.2.1 release preparation and due to
which vulnerable code was still existing in 3.2.1 source code.
To fix CVE-2022-36087 issue, we need to upgrade python3-oauthlib to 3.2.2 version and here are the changelog of version 3.2.2
https://github.com/oauthlib/oauthlib/blob/v3.2.2/CHANGELOG.rst
Reference :
https://nvd.nist.gov/vuln/detail/CVE-2022-36087
Upstream fix :
https://github.com/oauthlib/oauthlib/commit/2e40b412c844ecc4673c3fa3f72181f228bdbacd
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
CVE-2022-0934:
lxml: NULL Pointer Dereference in lxml
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2022-2309
Patch from:
https://github.com/lxml/lxml/commit/86368e9cf70a0ad23cccd5ee32de847149af0c6f
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
|
|
Add an upstream patch that's not part of any release yet that addresses
an issue with python 3.10 (related to a missing macro).
Link: https://github.com/pybluez/pybluez/issues/426
Signed-off-by: Bartosz Golaszewski <brgl@bgdev.pl>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|