ok?
Index: Makefile
===================================================================
RCS file: /cvs/ports/lang/python/3/Makefile,v
diff -u -p -r1.25 Makefile
--- Makefile 15 Apr 2026 15:57:02 -0000 1.25
+++ Makefile 2 Jul 2026 15:45:12 -0000
@@ -3,7 +3,7 @@
# requirement of the PSF license, if it constitutes a change to
# Python itself.
-FULL_VERSION = 3.13.13
+FULL_VERSION = 3.13.14
SHARED_LIBS = python3.13 0.0
VERSION_SPEC = >=3.13,<3.14
PORTROACH = limit:^3\.13
Index: distinfo
===================================================================
RCS file: /cvs/ports/lang/python/3/distinfo,v
diff -u -p -r1.11 distinfo
--- distinfo 14 Apr 2026 10:51:23 -0000 1.11
+++ distinfo 2 Jul 2026 15:45:12 -0000
@@ -1,2 +1,2 @@
-SHA256 (Python-3.13.13.tgz) = +c3nsOLsgWXXMm4qD1nqJobOnQxhfbuz1mp+VNMbdLk=
-SIZE (Python-3.13.13.tgz) = 29842908
+SHA256 (Python-3.13.14.tgz) = WuU1o2rw68pvyhduy4GX9ducHLjI8M0SzfF4cEbbH0E=
+SIZE (Python-3.13.14.tgz) = 29914816
Index: files/CHANGES.OpenBSD
===================================================================
RCS file: /cvs/ports/lang/python/3/files/CHANGES.OpenBSD,v
diff -u -p -r1.6 CHANGES.OpenBSD
--- files/CHANGES.OpenBSD 14 Apr 2026 10:51:23 -0000 1.6
+++ files/CHANGES.OpenBSD 2 Jul 2026 15:45:12 -0000
@@ -24,7 +24,5 @@ which results in loading an incorrect ve
8. Work around expat_config.h missing from base.
-9. Cherry-pick fixes for CVE-2026-4519, CVE-2026-6100.
-
These changes are available in the OpenBSD CVS repository
<http://www.openbsd.org/anoncvs.html> in ports/lang/python/3.
Index: patches/patch-Lib_test_test_webbrowser_py
===================================================================
RCS file: patches/patch-Lib_test_test_webbrowser_py
diff -N patches/patch-Lib_test_test_webbrowser_py
--- patches/patch-Lib_test_test_webbrowser_py 14 Apr 2026 10:51:23 -0000
1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,26 +0,0 @@
-Fix fix for CVE 2026-4519
-
-A bypass in :mod:`webbrowser` allowed URLs prefixed with ``%action`` to pass
-the dash-prefix safety check.
-
-https://github.com/python/cpython/pull/148517
-
-Index: Lib/test/test_webbrowser.py
---- Lib/test/test_webbrowser.py.orig
-+++ Lib/test/test_webbrowser.py
-@@ -118,6 +118,15 @@ class ChromeCommandTest(CommandTestMixin, unittest.Tes
- arguments=[URL],
- kw=dict(new=999))
-
-+ def test_reject_action_dash_prefixes(self):
-+ browser = self.browser_class(name=CMD_NAME)
-+ with self.assertRaises(ValueError):
-+ browser.open('%action--incognito')
-+ # new=1: action is "--new-window", so "%action" itself expands to
-+ # a dash-prefixed flag even with no dash in the original URL.
-+ with self.assertRaises(ValueError):
-+ browser.open('%action', new=1)
-+
-
- class EdgeCommandTest(CommandTestMixin, unittest.TestCase):
-
Index: patches/patch-Lib_webbrowser_py
===================================================================
RCS file: patches/patch-Lib_webbrowser_py
diff -N patches/patch-Lib_webbrowser_py
--- patches/patch-Lib_webbrowser_py 14 Apr 2026 10:51:23 -0000 1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,28 +0,0 @@
-Fix fix for CVE 2026-4519
-
-A bypass in :mod:`webbrowser` allowed URLs prefixed with ``%action`` to pass
-the dash-prefix safety check.
-
-https://github.com/python/cpython/pull/148517
-Index: Lib/webbrowser.py
---- Lib/webbrowser.py.orig
-+++ Lib/webbrowser.py
-@@ -275,7 +275,6 @@ class UnixBrowser(BaseBrowser):
-
- def open(self, url, new=0, autoraise=True):
- sys.audit("webbrowser.open", url)
-- self._check_url(url)
- if new == 0:
- action = self.remote_action
- elif new == 1:
-@@ -289,7 +288,9 @@ class UnixBrowser(BaseBrowser):
- raise Error("Bad 'new' parameter to open(); "
- f"expected 0, 1, or 2, got {new}")
-
-- args = [arg.replace("%s", url).replace("%action", action)
-+ self._check_url(url.replace("%action", action))
-+
-+ args = [arg.replace("%action", action).replace("%s", url)
- for arg in self.remote_args]
- args = [arg for arg in args if arg]
- success = self._invoke(args, True, autoraise, url)
Index: patches/patch-Modules__bz2module_c
===================================================================
RCS file: patches/patch-Modules__bz2module_c
diff -N patches/patch-Modules__bz2module_c
--- patches/patch-Modules__bz2module_c 14 Apr 2026 10:51:23 -0000 1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,21 +0,0 @@
-CVE-2026-6100:
-
-Fix a dangling input pointer in :class:`lzma.LZMADecompressor`,
-:class:`bz2.BZ2Decompressor`, and internal :class:`!zlib._ZlibDecompressor`
-when memory allocation fails with :exc:`MemoryError`, which could let a
-subsequent :meth:`!decompress` call read or write through a stale pointer to
-the already-released caller buffer.
-
-https://github.com/python/cpython/pull/148479
-
-Index: Modules/_bz2module.c
---- Modules/_bz2module.c.orig
-+++ Modules/_bz2module.c
-@@ -589,6 +589,7 @@ decompress(BZ2Decompressor *d, char *data, size_t len,
- return result;
-
- error:
-+ bzs->next_in = NULL;
- Py_XDECREF(result);
- return NULL;
- }
Index: patches/patch-Modules__lzmamodule_c
===================================================================
RCS file: patches/patch-Modules__lzmamodule_c
diff -N patches/patch-Modules__lzmamodule_c
--- patches/patch-Modules__lzmamodule_c 14 Apr 2026 10:51:23 -0000 1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,21 +0,0 @@
-CVE-2026-6100:
-
-Fix a dangling input pointer in :class:`lzma.LZMADecompressor`,
-:class:`bz2.BZ2Decompressor`, and internal :class:`!zlib._ZlibDecompressor`
-when memory allocation fails with :exc:`MemoryError`, which could let a
-subsequent :meth:`!decompress` call read or write through a stale pointer to
-the already-released caller buffer.
-
-https://github.com/python/cpython/pull/148479
-
-Index: Modules/_lzmamodule.c
---- Modules/_lzmamodule.c.orig
-+++ Modules/_lzmamodule.c
-@@ -1112,6 +1112,7 @@ decompress(Decompressor *d, uint8_t *data, size_t len,
- return result;
-
- error:
-+ lzs->next_in = NULL;
- Py_XDECREF(result);
- return NULL;
- }
Index: patches/patch-Modules_zlibmodule_c
===================================================================
RCS file: patches/patch-Modules_zlibmodule_c
diff -N patches/patch-Modules_zlibmodule_c
--- patches/patch-Modules_zlibmodule_c 14 Apr 2026 10:51:23 -0000 1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,21 +0,0 @@
-CVE-2026-6100:
-
-Fix a dangling input pointer in :class:`lzma.LZMADecompressor`,
-:class:`bz2.BZ2Decompressor`, and internal :class:`!zlib._ZlibDecompressor`
-when memory allocation fails with :exc:`MemoryError`, which could let a
-subsequent :meth:`!decompress` call read or write through a stale pointer to
-the already-released caller buffer.
-
-https://github.com/python/cpython/pull/148479
-
-Index: Modules/zlibmodule.c
---- Modules/zlibmodule.c.orig
-+++ Modules/zlibmodule.c
-@@ -1675,6 +1675,7 @@ decompress(ZlibDecompressor *self, uint8_t *data,
- return result;
-
- error:
-+ self->zst.next_in = NULL;
- Py_XDECREF(result);
- return NULL;
- }
Index: patches/patch-configure_ac
===================================================================
RCS file: /cvs/ports/lang/python/3/patches/patch-configure_ac,v
diff -u -p -r1.5 patch-configure_ac
--- patches/patch-configure_ac 14 Apr 2026 10:51:23 -0000 1.5
+++ patches/patch-configure_ac 2 Jul 2026 15:45:12 -0000
@@ -49,7 +49,7 @@ Index: configure.ac
# Any changes made here should be reflected in the GCC+Darwin case below
PGO_PROF_GEN_FLAG="-fprofile-instr-generate"
PGO_PROF_USE_FLAG="-fprofile-instr-use=\"\$(shell pwd)/code.profclangd\""
-@@ -4369,11 +4370,7 @@ dnl Detect Tcl/Tk. Use pkg-config if available.
+@@ -4391,11 +4392,7 @@ dnl Detect Tcl/Tk. Use pkg-config if available.
dnl
found_tcltk=no
for _QUERY in \
Index: pkg/PLIST-main
===================================================================
RCS file: /cvs/ports/lang/python/3/pkg/PLIST-main,v
diff -u -p -r1.17 PLIST-main
--- pkg/PLIST-main 14 Apr 2026 10:51:23 -0000 1.17
+++ pkg/PLIST-main 2 Jul 2026 15:45:12 -0000
@@ -1809,7 +1809,7 @@ lib/python3.13/ensurepip/__pycache__/_un
lib/python3.13/ensurepip/__pycache__/_uninstall.cpython-313.opt-2.pyc
lib/python3.13/ensurepip/__pycache__/_uninstall.cpython-313.pyc
lib/python3.13/ensurepip/_bundled/
-lib/python3.13/ensurepip/_bundled/pip-26.0.1-py3-none-any.whl
+lib/python3.13/ensurepip/_bundled/pip-26.1.2-py3-none-any.whl
lib/python3.13/ensurepip/_uninstall.py
lib/python3.13/enum.py
lib/python3.13/filecmp.py
Index: pkg/PLIST-tests
===================================================================
RCS file: /cvs/ports/lang/python/3/pkg/PLIST-tests,v
diff -u -p -r1.12 PLIST-tests
--- pkg/PLIST-tests 14 Apr 2026 10:51:23 -0000 1.12
+++ pkg/PLIST-tests 2 Jul 2026 15:45:12 -0000
@@ -2284,6 +2284,9 @@ lib/python3.13/test/test_capi/__pycache_
lib/python3.13/test/test_capi/__pycache__/test_watchers.cpython-313.opt-1.pyc
lib/python3.13/test/test_capi/__pycache__/test_watchers.cpython-313.opt-2.pyc
lib/python3.13/test/test_capi/__pycache__/test_watchers.cpython-313.pyc
+lib/python3.13/test/test_capi/__pycache__/test_weakref.cpython-313.opt-1.pyc
+lib/python3.13/test/test_capi/__pycache__/test_weakref.cpython-313.opt-2.pyc
+lib/python3.13/test/test_capi/__pycache__/test_weakref.cpython-313.pyc
lib/python3.13/test/test_capi/check_config.py
lib/python3.13/test/test_capi/test_abstract.py
lib/python3.13/test/test_capi/test_bytearray.py
@@ -2316,6 +2319,7 @@ lib/python3.13/test/test_capi/test_time.
lib/python3.13/test/test_capi/test_tuple.py
lib/python3.13/test/test_capi/test_unicode.py
lib/python3.13/test/test_capi/test_watchers.py
+lib/python3.13/test/test_capi/test_weakref.py
lib/python3.13/test/test_cext/
lib/python3.13/test/test_cext/__init__.py
lib/python3.13/test/test_cext/__pycache__/
@@ -3797,6 +3801,7 @@ lib/python3.13/test/test_json/__pycache_
lib/python3.13/test/test_json/__pycache__/test_unicode.cpython-313.opt-1.pyc
lib/python3.13/test/test_json/__pycache__/test_unicode.cpython-313.opt-2.pyc
lib/python3.13/test/test_json/__pycache__/test_unicode.cpython-313.pyc
+lib/python3.13/test/test_json/json_lines.jsonl
lib/python3.13/test/test_json/test_decode.py
lib/python3.13/test/test_json/test_default.py
lib/python3.13/test/test_json/test_dump.py