pkgsrc-Changes archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

CVS commit: pkgsrc/print/py-octoprint



Module Name:    pkgsrc
Committed By:   adam
Date:           Fri Jul  3 07:30:05 UTC 2026

Modified Files:
        pkgsrc/print/py-octoprint: Makefile distinfo

Log Message:
py-octoprint: updated to 1.11.8

1.11.8

Security fixes

XSS in Suppressed Command Notifications, severity Moderate (4.6): OctoPrint versions up to and including 1.11.7 as well as 2.0.0rc1 and 2.0.0rc2 are affected by a vulnerability that allows injection 
of arbitrary HTML and JavaScript into Suppressed Command notifications popups generated by the printer.

An attacker who successfully convinces a victim to print a specially crafted file could exploit this issue to disrupt ongoing prints, extract information (including sensitive configuration settings, 
if the targeted user has the necessary permissions for that), or perform other actions on behalf of the targeted user within the OctoPrint instance.

See also the GitHub Security Advisory and CVE-2026-35163.

File exfiltration possible via further parameter injection on upload endpoints, severity High (7.0): OctoPrint versions up until and including 1.11.7 as well as 2.0.0rc1 and 2.0.0rc2 contain a 
vulnerability that allows an attacker with the FILE_UPLOAD permission to exfiltrate files from the host that OctoPrint has read access to, by moving them into the upload folder where they then can be 
downloaded from. This vulnerability was already reported as GHSA-m9jh-jf9h-x3h2/CVE-2025-48067 but the fix provided in OctoPrint 1.11.2 turned out to be incomplete.

The primary risk lies in the potential exfiltration of secrets stored inside OctoPrint's config, or further system files. By removing important runtime files, this could also be used to impact the 
availability of the host after an attempted server restart. Given that the attacker requires a user account with file upload permissions, the actual impact of this should however hopefully be minimal 
in most cases.

See also the GitHub Security Advisory and CVE-2026-54134.

Bug fixes

Fix thread leak when connecting to a serial port that doesn't respond to the handshake attempts.


To generate a diff of this commit:
cvs rdiff -u -r1.18 -r1.19 pkgsrc/print/py-octoprint/Makefile
cvs rdiff -u -r1.10 -r1.11 pkgsrc/print/py-octoprint/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/print/py-octoprint/Makefile
diff -u pkgsrc/print/py-octoprint/Makefile:1.18 pkgsrc/print/py-octoprint/Makefile:1.19
--- pkgsrc/print/py-octoprint/Makefile:1.18     Sun Jun 28 15:41:35 2026
+++ pkgsrc/print/py-octoprint/Makefile  Fri Jul  3 07:30:05 2026
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.18 2026/06/28 15:41:35 wiz Exp $
+# $NetBSD: Makefile,v 1.19 2026/07/03 07:30:05 adam Exp $
 
-DISTNAME=      octoprint-1.11.7
+DISTNAME=      octoprint-1.11.8
 PKGNAME=       ${PYPKGPREFIX}-${DISTNAME}
 CATEGORIES=    print python
 MASTER_SITES=  ${MASTER_SITE_PYPI:=O/OctoPrint/}
@@ -74,11 +74,9 @@ DEPENDS+=    ${PYPKGPREFIX}-appdirs>=1.4.4:
 
 USE_LANGUAGES= # none
 
-PYTHON_VERSIONS_INCOMPATIBLE=  310 311
+PY_RENAME_BINARIES=    octoprint
 
-post-install:
-       cd ${DESTDIR}${PREFIX}/bin && \
-       ${MV} octoprint octoprint-${PYVERSSUFFIX} || ${TRUE}
+PYTHON_VERSIONS_INCOMPATIBLE=  310 311
 
 .include "../../lang/python/wheel.mk"
 .include "../../mk/bsd.pkg.mk"

Index: pkgsrc/print/py-octoprint/distinfo
diff -u pkgsrc/print/py-octoprint/distinfo:1.10 pkgsrc/print/py-octoprint/distinfo:1.11
--- pkgsrc/print/py-octoprint/distinfo:1.10     Thu Feb 26 11:25:09 2026
+++ pkgsrc/print/py-octoprint/distinfo  Fri Jul  3 07:30:05 2026
@@ -1,5 +1,5 @@
-$NetBSD: distinfo,v 1.10 2026/02/26 11:25:09 adam Exp $
+$NetBSD: distinfo,v 1.11 2026/07/03 07:30:05 adam Exp $
 
-BLAKE2s (octoprint-1.11.7.tar.gz) = 27fd292d790e08b7a77942c2a3b85e4e645f630967e38b3281f9335324c67f6c
-SHA512 (octoprint-1.11.7.tar.gz) = 98cecc2e638de19692a1f35e2983b7c3bd9c18acdf190f50f22b9028c554c0e654ac6efed52432c836e6e542bce3075480ad54fd71b66569af07d51f3d4c3c9e
-Size (octoprint-1.11.7.tar.gz) = 3236058 bytes
+BLAKE2s (octoprint-1.11.8.tar.gz) = 646da78e617db57152d4af2766a84f11387df8200da32ce23c77e13f18c94403
+SHA512 (octoprint-1.11.8.tar.gz) = d87483fa2aa5bf2298fa2d5238923ebeed13f76b73e3228971687c657cd8dddf803a07ad53f88204e7b1f50ee36672fb154ae39f945744dbe912459bdc7bb554
+Size (octoprint-1.11.8.tar.gz) = 3237610 bytes



Home | Main Index | Thread Index | Old Index