Python 2.7.x ≤ 2.7.13, 3.3.x ≤ 3.3.6, 3.4.x ≤ 3.4.6, 3.5.x ≤ 3.5.3, 3.6.x ≤ 3.6.1 - Multiple Vulnerabilities

Hello,

our Apalis TK1 board is equipped with a Linux image using the default Python 3.5.2.
But it has been discovered that this version has vulnerabilities that block the use of it:

Description:

Multiple Vulnerabilities have been found in the dictionary object in Python. Four of them are use-after-frees and one is an array-out-of-bounds indexing bug. In the worst case, a remote attacker could use these flaws to cause a denial of service condition or a remote code execution.

Vendor Affected Components:

Python 2.7.x < 2.7.14
Python 3.3.x < 3.3.7
Python 3.4.x < 3.4.7
Python 3.5.x < 3.5.4
Python 3.6.x < 3.6.2

Is it possible to upgrade to Python 3.5.4?

Kind regards

Dirk
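An added example, not part of this thread or of Toradex's tooling: a small Python script that takes a version string (for instance the output of python3 --version on the board) and reports whether it falls inside the affected ranges listed in the post above. The fixed versions are taken from that list; the script name, function names and the handling of branches the advisory does not mention are my own assumptions.

```python
import re
import sys

# Fixed versions from the advisory quoted in the post above; anything older
# on the same minor branch is inside the affected range.
FIXED_VERSIONS = {
    (2, 7): (2, 7, 14),
    (3, 3): (3, 3, 7),
    (3, 4): (3, 4, 7),
    (3, 5): (3, 5, 4),
    (3, 6): (3, 6, 2),
}

# Accepts "Python 3.5.2", "3.5.2" or "3.5.2+" (trailing suffixes are ignored).
_VERSION_RE = re.compile(r"^\s*(?:Python\s+)?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Parse a version string into a (major, minor, micro) tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True when the version lies in one of the advisory's affected ranges.

    Branches the advisory does not list (e.g. 3.7.x) return False, which means
    'not covered by this advisory', not 'known safe' (assumption on my part).
    """
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return False
    return version < fixed


def check(text):
    """Return a one-line verdict, naming the fixed version to upgrade to."""
    version = parse_version(text)
    shown = ".".join(str(x) for x in version)
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return "%s: branch not covered by this advisory" % shown
    fixed_shown = ".".join(str(x) for x in fixed)
    if version < fixed:
        return "%s: AFFECTED, upgrade to %s or later" % (shown, fixed_shown)
    return "%s: not affected (>= %s)" % (shown, fixed_shown)


if __name__ == "__main__":
    # Check a version given on the command line, or the interpreter running
    # this script when none is given.
    if len(sys.argv) > 1:
        print(check(sys.argv[1]))
    else:
        print(check("%d.%d.%d" % sys.version_info[:3]))
```

Run on the board's default interpreter it reports 3.5.2 as affected with 3.5.4 as the target, which matches the upgrade asked for in the post.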

Sure, the Python recipe comes from the openembedded-core layer which at its current master state features both version 2.7.14 as well as 3.5.4 recipes. While the morty branch which is used in our BSP 2.7 is still at version 2.7.12 resp. 3.5.2, it already contains e.g. a fix for CVE-2016-1000110. BSP 2.8 on the other hand is based on rocko which currently features 2.7.13 resp. 3.5.3. Either way you may have to forward-port the latest master recipe changes.

So I can use:
repo init -u Index of /toradex-bsp-platform.git -b LinuxImageV2.8 for Python 3.5.3, right?

How can I access the master branch which supports Python 3.5.4?
repo init -u Index of /toradex-bsp-platform.git -b LinuxImageV2.9 ?

So I can use: repo init -u Index of /toradex-bsp-platform.git -b LinuxImageV2.8 for Python 3.5.3, right?

Yes.

How can I access the master branch which supports Python 3.5.4? repo init -u Index of /toradex-bsp-platform.git -b LinuxImageV2.9 ?

No, no such integration has been done as of yet. Usually we only update this about once a year and we just did so. However, in theory you can of course use an all master layers configuration.

Thank you very much for your support!

How can I access the master layers configuration?

I’m aware that this kind of configuration might lead to daily surprises.

But isn’t it possible to easily draw a proprietary branch of it - let’s say LinuxImageV2.9pre?

Thank you very much for your support!

You are very welcome.

How can I access the master layers configuration?

At your own discretion you may of course update any layer to whatever version you desire e.g. as explained in the Yocto Project Development Tasks Manual.

I’m aware that this kind of configuration might lead to daily surprises.

Very well, good luck with that then!

But isn’t it possible to easily draw a proprietary branch of it - let’s say LinuxImageV2.9pre?

Sure, but our repo manifest is about the highest level of integration one may expect, and as mentioned before no such integration has been done as of yet. So in clear speak no such LinuxImageV2.9pre or anything the like does exist. If you truly feel like going down this route I’m afraid you will have to stick to your own custom layer configuration.