{"id":2226470,"url":"http://patchwork.ozlabs.org/api/patches/2226470/?format=json","web_url":"http://patchwork.ozlabs.org/project/buildroot/patch/20260422125721.3193186-1-peter@korsgaard.com/","project":{"id":27,"url":"http://patchwork.ozlabs.org/api/projects/27/?format=json","name":"Buildroot development","link_name":"buildroot","list_id":"buildroot.buildroot.org","list_email":"buildroot@buildroot.org","web_url":"","scm_url":"","webscm_url":"","list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20260422125721.3193186-1-peter@korsgaard.com>","list_archive_url":null,"date":"2026-04-22T12:57:20","name":"[PATCH-2025.02.x] package/python3: security bump to version 3.12.13","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"471f80130bf7a89f5f36f550be4cd667ecfb0bdb","submitter":{"id":42365,"url":"http://patchwork.ozlabs.org/api/people/42365/?format=json","name":"Peter Korsgaard","email":"peter@korsgaard.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/buildroot/patch/20260422125721.3193186-1-peter@korsgaard.com/mbox/","series":[{"id":501009,"url":"http://patchwork.ozlabs.org/api/series/501009/?format=json","web_url":"http://patchwork.ozlabs.org/project/buildroot/list/?series=501009","date":"2026-04-22T12:57:20","name":"[PATCH-2025.02.x] package/python3: security bump to version 3.12.13","version":1,"mbox":"http://patchwork.ozlabs.org/series/501009/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2226470/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2226470/checks/","tags":{},"related":[],"headers":{"Return-Path":"<buildroot-bounces@buildroot.org>","X-Original-To":["incoming-buildroot@patchwork.ozlabs.org","buildroot@buildroot.org"],"Delivered-To":["patchwork-incoming-buildroot@legolas.ozlabs.org","buildroot@buildroot.org"],"Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=buildroot.org header.i=@buildroot.org\n header.a=rsa-sha256 header.s=default header.b=Ou7/3AIs;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=buildroot.org\n (client-ip=140.211.166.138; helo=smtp1.osuosl.org;\n envelope-from=buildroot-bounces@buildroot.org; receiver=patchwork.ozlabs.org)"],"Received":["from smtp1.osuosl.org (smtp1.osuosl.org [140.211.166.138])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g0zm84mVPz1yCv\n\tfor <incoming-buildroot@patchwork.ozlabs.org>;\n Wed, 22 Apr 2026 22:58:00 +1000 (AEST)","from localhost (localhost [127.0.0.1])\n\tby smtp1.osuosl.org (Postfix) with ESMTP id 06DCB848A8;\n\tWed, 22 Apr 2026 12:57:58 +0000 (UTC)","from smtp1.osuosl.org ([127.0.0.1])\n by localhost (smtp1.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id uAo4D4kgnjt4; Wed, 22 Apr 2026 12:57:54 +0000 (UTC)","from lists1.osuosl.org (lists1.osuosl.org [140.211.166.142])\n\tby smtp1.osuosl.org (Postfix) with ESMTP id DCEE4848BE;\n\tWed, 22 Apr 2026 12:57:53 +0000 (UTC)","from smtp4.osuosl.org (smtp4.osuosl.org [IPv6:2605:bc80:3010::137])\n by lists1.osuosl.org (Postfix) with ESMTP id B56E4183\n for <buildroot@buildroot.org>; Wed, 22 Apr 2026 12:57:52 +0000 (UTC)","from localhost (localhost [127.0.0.1])\n by smtp4.osuosl.org (Postfix) with ESMTP id B2CE342746\n for <buildroot@buildroot.org>; Wed, 22 Apr 2026 12:57:52 +0000 (UTC)","from smtp4.osuosl.org ([127.0.0.1])\n by localhost (smtp4.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id Qu92rYfsHRyJ for <buildroot@buildroot.org>;\n Wed, 22 Apr 2026 12:57:48 +0000 (UTC)","from sendmail.purelymail.com (sendmail.purelymail.com\n [34.202.193.197])\n by smtp4.osuosl.org (Postfix) with ESMTPS id D4FCD42745\n for <buildroot@buildroot.org>; Wed, 22 Apr 2026 12:57:47 +0000 (UTC)","by smtp.purelymail.com (Purelymail SMTP) with ESMTPSA id -530940237;\n (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384);\n Wed, 22 Apr 2026 12:57:45 +0000 (UTC)","from peko by dell.be.48ers.dk with local (Exim 4.98.2)\n (envelope-from <peko@dell.be.48ers.dk>) id 1wFX9E-0000000DOj5-01pR;\n Wed, 22 Apr 2026 14:57:44 +0200"],"X-Virus-Scanned":["amavis at osuosl.org","amavis at osuosl.org"],"X-Comment":"SPF check N/A for local connections - client-ip=140.211.166.142;\n helo=lists1.osuosl.org; envelope-from=buildroot-bounces@buildroot.org;\n receiver=<UNKNOWN> ","DKIM-Filter":["OpenDKIM Filter v2.11.0 smtp1.osuosl.org DCEE4848BE","OpenDKIM Filter v2.11.0 smtp4.osuosl.org D4FCD42745"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=buildroot.org;\n\ts=default; t=1776862674;\n\tbh=eI6SKD6ZMMzOtGaozT4T50sBGIZ0z8L6P06uj/aLq/4=;\n\th=From:To:Date:Subject:List-Id:List-Unsubscribe:List-Archive:\n\t List-Post:List-Help:List-Subscribe:Cc:From;\n\tb=Ou7/3AIsGytNJrI3xuhRbxq+NFyf11kupgvh+n5vUdSA5pube6wjNow6bW454S0FS\n\t XyWIyJeY6WNoJeQSHk0SOozl9TTleDvC0sYwAIoyjrrD6l9R9Be3sIXpIwFgTcXseV\n\t are2e/SnPfJVKQMV7XuCLuF/p5Jjzo6mLcDzEyipuLlQzlnGsxwwyqRCw6gaVoCjKh\n\t nPuzLTs7TnUtjJJUIDsqbomEWau3Le6CSM/FM4NfRlcaM2rZMg0eN7+qmDDUTwfG2u\n\t S6YKuV5f32ielF4z9n+ZHwQTzJdtHdSqejR5XEIrXlkegvgF6uH1ouDu9GKB1qWkBp\n\t w0wcYmC+Z9eXg==","Received-SPF":"Pass (mailfrom) identity=mailfrom; client-ip=34.202.193.197;\n helo=sendmail.purelymail.com; envelope-from=peko@korsgaard.com;\n receiver=<UNKNOWN>","DMARC-Filter":"OpenDMARC Filter v1.4.2 smtp4.osuosl.org D4FCD42745","Feedback-ID":"21632:4007:null:purelymail","X-Pm-Original-To":"buildroot@buildroot.org","From":"Peter Korsgaard <peter@korsgaard.com>","To":"buildroot@buildroot.org","Date":"Wed, 22 Apr 2026 14:57:20 +0200","Message-ID":"<20260422125721.3193186-1-peter@korsgaard.com>","X-Mailer":"git-send-email 2.47.3","MIME-Version":"1.0","X-MIME-Autoconverted":"from 8bit to quoted-printable by Purelymail","X-Mailman-Original-DKIM-Signature":"a=rsa-sha256;\n b=GRt22PDp+YD5Q8LYzLky5+YQBXoSAYknsrd4HVu4kK0cTK43DCbxfoCop+rQQwfEjIrUfG/0+vo4dhXXTiBbUyHsIxWgUUT6ZUBwy7iH68pIZDu6tpCmD9WsPlauGxr73VVzZNuavPIOCZKLcQqsef1pm88eML2okdq9XeoHpwFF0wJSvgE598iuxWJTtsvhWJTxc2T4eNMIQWCaiaK3dtJDUTgzEIHDMOlL6l5d6o71IsyQNH0i9QkAC4VmtuWkwylc9vnhNICEN1XPYLZpfgCVpVW81TVVtRRzmk8lUkSy0QdIUtFXC4NGYfdOormbXQmSBhIbH9pY3LdW7eiEkQ==;\n s=purelymail2; d=purelymail.com; v=1;\n bh=EN/SG3zmfL8qHIFNoMFldCnEhS1wWm9SNa1/CFBEeB0=;\n h=Feedback-ID:Received:Received:From:To:Subject:Date;","X-Mailman-Original-Authentication-Results":["smtp4.osuosl.org;\n dmarc=none (p=none dis=none)\n header.from=korsgaard.com","smtp4.osuosl.org;\n dkim=pass (2048-bit key,\n unprotected) header.d=purelymail.com header.i=@purelymail.com\n header.a=rsa-sha256 header.s=purelymail2 header.b=GRt22PDp","purelymail.com; auth=pass"],"Subject":"[Buildroot] [PATCH-2025.02.x] package/python3: security bump to\n version 3.12.13","X-BeenThere":"buildroot@buildroot.org","X-Mailman-Version":"2.1.30","Precedence":"list","List-Id":"Discussion and development of buildroot <buildroot.buildroot.org>","List-Unsubscribe":"<https://lists.buildroot.org/mailman/options/buildroot>,\n <mailto:buildroot-request@buildroot.org?subject=unsubscribe>","List-Archive":"<http://lists.buildroot.org/pipermail/buildroot/>","List-Post":"<mailto:buildroot@buildroot.org>","List-Help":"<mailto:buildroot-request@buildroot.org?subject=help>","List-Subscribe":"<https://lists.buildroot.org/mailman/listinfo/buildroot>,\n <mailto:buildroot-request@buildroot.org?subject=subscribe>","Cc":"James Hilliard <james.hilliard1@gmail.com>,\n Thomas Petazzoni <thomas.petazzoni@bootlin.com>","Content-Type":"text/plain; charset=\"us-ascii\"","Content-Transfer-Encoding":"7bit","Errors-To":"buildroot-bounces@buildroot.org","Sender":"\"buildroot\" <buildroot-bounces@buildroot.org>"},"content":"Fixes a number of security issues:\n\nEmail and header-related:\n\ngh-144125: email.generator.BytesGenerator now refuses to serialize headers\nthat are unsafely folded or delimited (see\nemail.policy.Policy.verify_generated_headers); addressing CVE-2024-6923.\n\ngh-143935: Fixed comment folding in modern email policies to prevent header\ninjection when very long non-foldable comment text is wrapped.\n\ngh-136063: email.message now ensures linear complexity for legacy HTTP\nparameter parsing.\n\nHTTP, cookies, and URL parsing-related:\n\ngh-143916: wsgiref.headers.Headers now rejects C0 control characters in\nfields, values, and parameters.\n\ngh-143919: http.cookies.Morsel now rejects control characters in fields and\nvalues.\n\ngh-143925: data: URL media types now reject control characters.\n\nXML-related:\n\ngh-144363: Upgraded bundled libexpat to 2.7.4 to fix CVE-2026-24515 and\nCVE-2026-25210.\n\ngh-90949: Added Expat allocation-tracker APIs to xml.parsers.expat parser\nobjects to limit memory amplification from malicious XML input; includes\nmitigation for CVE-2025-59375.\n\ngh-142145: Removed quadratic behavior in xml.dom.minidom node ID cache\nclearing.\n\nDenial-of-service hardening:\n\ngh-119342: Fixed a potential memory denial of service in plistlib.\n\ngh-119451: Fixed a potential memory denial of service in http.client.\n\ngh-119452: Fixed a potential memory denial of service in http.server (CGI\nserver on Windows).\n\ngh-136065: Fixed quadratic complexity in os.path.expandvars().\n\nHTML parsing-related:\n\ngh-137836: Hardened html.parser.HTMLParser with support for additional\nRAWTEXT/PLAINTEXT elements (plaintext, xmp, iframe, noembed, noframes,\noptional noscript), improving robust handling of hostile markup.\n\nSSL memory-safety fixes:\n\ngh-144833: Fixed a use-after-free in ssl when SSL_new() fails.\n\nFor details, see the announcement:\nhttps://www.python.org/downloads/release/python-31213/\n\nUpstream now provides a sha256 hash, so use that instead of md5.\n\nSigned-off-by: Peter Korsgaard <peter@korsgaard.com>\n---\n package/python3/python3.hash | 5 ++---\n package/python3/python3.mk   | 2 +-\n 2 files changed, 3 insertions(+), 4 deletions(-)","diff":"diff --git a/package/python3/python3.hash b/package/python3/python3.hash\nindex ed0d879f11..6964789262 100644\n--- a/package/python3/python3.hash\n+++ b/package/python3/python3.hash\n@@ -1,5 +1,4 @@\n-# From https://www.python.org/downloads/release/python-31211/\n-md5  04feb01316c7bb1b448001adbc63dd23  Python-3.12.12.tar.xz\n+# From https://www.python.org/downloads/release/python-31213/\n+sha256  c08bc65a81971c1dd5783182826503369466c7e67374d1646519adf05207b684  Python-3.12.13.tar.xz\n # Locally computed\n-sha256  fb85a13414b028c49ba18bbd523c2d055a30b56b18b92ce454ea2c51edc656c4  Python-3.12.12.tar.xz\n sha256  3b2f81fe21d181c499c59a256c8e1968455d6689d269aa85373bfb6af41da3bf  LICENSE\ndiff --git a/package/python3/python3.mk b/package/python3/python3.mk\nindex 4ace4d8573..60ab5b0cbc 100644\n--- a/package/python3/python3.mk\n+++ b/package/python3/python3.mk\n@@ -5,7 +5,7 @@\n ################################################################################\n \n PYTHON3_VERSION_MAJOR = 3.12\n-PYTHON3_VERSION = $(PYTHON3_VERSION_MAJOR).12\n+PYTHON3_VERSION = $(PYTHON3_VERSION_MAJOR).13\n PYTHON3_SOURCE = Python-$(PYTHON3_VERSION).tar.xz\n PYTHON3_SITE = https://python.org/ftp/python/$(PYTHON3_VERSION)\n PYTHON3_LICENSE = Python-2.0, others\n","prefixes":["PATCH-2025.02.x"]}