On Thu, Jul 02, 2026 at 04:45:32PM +0100, Stuart Henderson wrote: > ok? ok kmos
Sorry for the delay. I've been melting the past couple of days :) --Kurt > Index: Makefile > =================================================================== > RCS file: /cvs/ports/lang/python/3/Makefile,v > diff -u -p -r1.25 Makefile > --- Makefile 15 Apr 2026 15:57:02 -0000 1.25 > +++ Makefile 2 Jul 2026 15:45:12 -0000 > @@ -3,7 +3,7 @@ > # requirement of the PSF license, if it constitutes a change to > # Python itself. > > -FULL_VERSION = 3.13.13 > +FULL_VERSION = 3.13.14 > SHARED_LIBS = python3.13 0.0 > VERSION_SPEC = >=3.13,<3.14 > PORTROACH = limit:^3\.13 > Index: distinfo > =================================================================== > RCS file: /cvs/ports/lang/python/3/distinfo,v > diff -u -p -r1.11 distinfo > --- distinfo 14 Apr 2026 10:51:23 -0000 1.11 > +++ distinfo 2 Jul 2026 15:45:12 -0000 > @@ -1,2 +1,2 @@ > -SHA256 (Python-3.13.13.tgz) = +c3nsOLsgWXXMm4qD1nqJobOnQxhfbuz1mp+VNMbdLk= > -SIZE (Python-3.13.13.tgz) = 29842908 > +SHA256 (Python-3.13.14.tgz) = WuU1o2rw68pvyhduy4GX9ducHLjI8M0SzfF4cEbbH0E= > +SIZE (Python-3.13.14.tgz) = 29914816 > Index: files/CHANGES.OpenBSD > =================================================================== > RCS file: /cvs/ports/lang/python/3/files/CHANGES.OpenBSD,v > diff -u -p -r1.6 CHANGES.OpenBSD > --- files/CHANGES.OpenBSD 14 Apr 2026 10:51:23 -0000 1.6 > +++ files/CHANGES.OpenBSD 2 Jul 2026 15:45:12 -0000 > @@ -24,7 +24,5 @@ which results in loading an incorrect ve > > 8. Work around expat_config.h missing from base. > > -9. Cherry-pick fixes for CVE-2026-4519, CVE-2026-6100. > - > These changes are available in the OpenBSD CVS repository > <http://www.openbsd.org/anoncvs.html> in ports/lang/python/3. > Index: patches/patch-Lib_test_test_webbrowser_py > =================================================================== > RCS file: patches/patch-Lib_test_test_webbrowser_py > diff -N patches/patch-Lib_test_test_webbrowser_py > --- patches/patch-Lib_test_test_webbrowser_py 14 Apr 2026 10:51:23 -0000 > 1.1 > +++ /dev/null 1 Jan 1970 00:00:00 -0000 > @@ -1,26 +0,0 @@ > -Fix fix for CVE 2026-4519 > - > -A bypass in :mod:`webbrowser` allowed URLs prefixed with ``%action`` to pass > -the dash-prefix safety check. > - > -https://github.com/python/cpython/pull/148517 > - > -Index: Lib/test/test_webbrowser.py > ---- Lib/test/test_webbrowser.py.orig > -+++ Lib/test/test_webbrowser.py > -@@ -118,6 +118,15 @@ class ChromeCommandTest(CommandTestMixin, unittest.Tes > - arguments=[URL], > - kw=dict(new=999)) > - > -+ def test_reject_action_dash_prefixes(self): > -+ browser = self.browser_class(name=CMD_NAME) > -+ with self.assertRaises(ValueError): > -+ browser.open('%action--incognito') > -+ # new=1: action is "--new-window", so "%action" itself expands to > -+ # a dash-prefixed flag even with no dash in the original URL. > -+ with self.assertRaises(ValueError): > -+ browser.open('%action', new=1) > -+ > - > - class EdgeCommandTest(CommandTestMixin, unittest.TestCase): > - > Index: patches/patch-Lib_webbrowser_py > =================================================================== > RCS file: patches/patch-Lib_webbrowser_py > diff -N patches/patch-Lib_webbrowser_py > --- patches/patch-Lib_webbrowser_py 14 Apr 2026 10:51:23 -0000 1.1 > +++ /dev/null 1 Jan 1970 00:00:00 -0000 > @@ -1,28 +0,0 @@ > -Fix fix for CVE 2026-4519 > - > -A bypass in :mod:`webbrowser` allowed URLs prefixed with ``%action`` to pass > -the dash-prefix safety check. > - > -https://github.com/python/cpython/pull/148517 > -Index: Lib/webbrowser.py > ---- Lib/webbrowser.py.orig > -+++ Lib/webbrowser.py > -@@ -275,7 +275,6 @@ class UnixBrowser(BaseBrowser): > - > - def open(self, url, new=0, autoraise=True): > - sys.audit("webbrowser.open", url) > -- self._check_url(url) > - if new == 0: > - action = self.remote_action > - elif new == 1: > -@@ -289,7 +288,9 @@ class UnixBrowser(BaseBrowser): > - raise Error("Bad 'new' parameter to open(); " > - f"expected 0, 1, or 2, got {new}") > - > -- args = [arg.replace("%s", url).replace("%action", action) > -+ self._check_url(url.replace("%action", action)) > -+ > -+ args = [arg.replace("%action", action).replace("%s", url) > - for arg in self.remote_args] > - args = [arg for arg in args if arg] > - success = self._invoke(args, True, autoraise, url) > Index: patches/patch-Modules__bz2module_c > =================================================================== > RCS file: patches/patch-Modules__bz2module_c > diff -N patches/patch-Modules__bz2module_c > --- patches/patch-Modules__bz2module_c 14 Apr 2026 10:51:23 -0000 > 1.1 > +++ /dev/null 1 Jan 1970 00:00:00 -0000 > @@ -1,21 +0,0 @@ > -CVE-2026-6100: > - > -Fix a dangling input pointer in :class:`lzma.LZMADecompressor`, > -:class:`bz2.BZ2Decompressor`, and internal :class:`!zlib._ZlibDecompressor` > -when memory allocation fails with :exc:`MemoryError`, which could let a > -subsequent :meth:`!decompress` call read or write through a stale pointer to > -the already-released caller buffer. > - > -https://github.com/python/cpython/pull/148479 > - > -Index: Modules/_bz2module.c > ---- Modules/_bz2module.c.orig > -+++ Modules/_bz2module.c > -@@ -589,6 +589,7 @@ decompress(BZ2Decompressor *d, char *data, size_t len, > - return result; > - > - error: > -+ bzs->next_in = NULL; > - Py_XDECREF(result); > - return NULL; > - } > Index: patches/patch-Modules__lzmamodule_c > =================================================================== > RCS file: patches/patch-Modules__lzmamodule_c > diff -N patches/patch-Modules__lzmamodule_c > --- patches/patch-Modules__lzmamodule_c 14 Apr 2026 10:51:23 -0000 > 1.1 > +++ /dev/null 1 Jan 1970 00:00:00 -0000 > @@ -1,21 +0,0 @@ > -CVE-2026-6100: > - > -Fix a dangling input pointer in :class:`lzma.LZMADecompressor`, > -:class:`bz2.BZ2Decompressor`, and internal :class:`!zlib._ZlibDecompressor` > -when memory allocation fails with :exc:`MemoryError`, which could let a > -subsequent :meth:`!decompress` call read or write through a stale pointer to > -the already-released caller buffer. > - > -https://github.com/python/cpython/pull/148479 > - > -Index: Modules/_lzmamodule.c > ---- Modules/_lzmamodule.c.orig > -+++ Modules/_lzmamodule.c > -@@ -1112,6 +1112,7 @@ decompress(Decompressor *d, uint8_t *data, size_t len, > - return result; > - > - error: > -+ lzs->next_in = NULL; > - Py_XDECREF(result); > - return NULL; > - } > Index: patches/patch-Modules_zlibmodule_c > =================================================================== > RCS file: patches/patch-Modules_zlibmodule_c > diff -N patches/patch-Modules_zlibmodule_c > --- patches/patch-Modules_zlibmodule_c 14 Apr 2026 10:51:23 -0000 > 1.1 > +++ /dev/null 1 Jan 1970 00:00:00 -0000 > @@ -1,21 +0,0 @@ > -CVE-2026-6100: > - > -Fix a dangling input pointer in :class:`lzma.LZMADecompressor`, > -:class:`bz2.BZ2Decompressor`, and internal :class:`!zlib._ZlibDecompressor` > -when memory allocation fails with :exc:`MemoryError`, which could let a > -subsequent :meth:`!decompress` call read or write through a stale pointer to > -the already-released caller buffer. > - > -https://github.com/python/cpython/pull/148479 > - > -Index: Modules/zlibmodule.c > ---- Modules/zlibmodule.c.orig > -+++ Modules/zlibmodule.c > -@@ -1675,6 +1675,7 @@ decompress(ZlibDecompressor *self, uint8_t *data, > - return result; > - > - error: > -+ self->zst.next_in = NULL; > - Py_XDECREF(result); > - return NULL; > - } > Index: patches/patch-configure_ac > =================================================================== > RCS file: /cvs/ports/lang/python/3/patches/patch-configure_ac,v > diff -u -p -r1.5 patch-configure_ac > --- patches/patch-configure_ac 14 Apr 2026 10:51:23 -0000 1.5 > +++ patches/patch-configure_ac 2 Jul 2026 15:45:12 -0000 > @@ -49,7 +49,7 @@ Index: configure.ac > # Any changes made here should be reflected in the GCC+Darwin case below > PGO_PROF_GEN_FLAG="-fprofile-instr-generate" > PGO_PROF_USE_FLAG="-fprofile-instr-use=\"\$(shell > pwd)/code.profclangd\"" > -@@ -4369,11 +4370,7 @@ dnl Detect Tcl/Tk. Use pkg-config if available. > +@@ -4391,11 +4392,7 @@ dnl Detect Tcl/Tk. Use pkg-config if available. > dnl > found_tcltk=no > for _QUERY in \ > Index: pkg/PLIST-main > =================================================================== > RCS file: /cvs/ports/lang/python/3/pkg/PLIST-main,v > diff -u -p -r1.17 PLIST-main > --- pkg/PLIST-main 14 Apr 2026 10:51:23 -0000 1.17 > +++ pkg/PLIST-main 2 Jul 2026 15:45:12 -0000 > @@ -1809,7 +1809,7 @@ lib/python3.13/ensurepip/__pycache__/_un > lib/python3.13/ensurepip/__pycache__/_uninstall.cpython-313.opt-2.pyc > lib/python3.13/ensurepip/__pycache__/_uninstall.cpython-313.pyc > lib/python3.13/ensurepip/_bundled/ > -lib/python3.13/ensurepip/_bundled/pip-26.0.1-py3-none-any.whl > +lib/python3.13/ensurepip/_bundled/pip-26.1.2-py3-none-any.whl > lib/python3.13/ensurepip/_uninstall.py > lib/python3.13/enum.py > lib/python3.13/filecmp.py > Index: pkg/PLIST-tests > =================================================================== > RCS file: /cvs/ports/lang/python/3/pkg/PLIST-tests,v > diff -u -p -r1.12 PLIST-tests > --- pkg/PLIST-tests 14 Apr 2026 10:51:23 -0000 1.12 > +++ pkg/PLIST-tests 2 Jul 2026 15:45:12 -0000 > @@ -2284,6 +2284,9 @@ lib/python3.13/test/test_capi/__pycache_ > lib/python3.13/test/test_capi/__pycache__/test_watchers.cpython-313.opt-1.pyc > lib/python3.13/test/test_capi/__pycache__/test_watchers.cpython-313.opt-2.pyc > lib/python3.13/test/test_capi/__pycache__/test_watchers.cpython-313.pyc > +lib/python3.13/test/test_capi/__pycache__/test_weakref.cpython-313.opt-1.pyc > +lib/python3.13/test/test_capi/__pycache__/test_weakref.cpython-313.opt-2.pyc > +lib/python3.13/test/test_capi/__pycache__/test_weakref.cpython-313.pyc > lib/python3.13/test/test_capi/check_config.py > lib/python3.13/test/test_capi/test_abstract.py > lib/python3.13/test/test_capi/test_bytearray.py > @@ -2316,6 +2319,7 @@ lib/python3.13/test/test_capi/test_time. > lib/python3.13/test/test_capi/test_tuple.py > lib/python3.13/test/test_capi/test_unicode.py > lib/python3.13/test/test_capi/test_watchers.py > +lib/python3.13/test/test_capi/test_weakref.py > lib/python3.13/test/test_cext/ > lib/python3.13/test/test_cext/__init__.py > lib/python3.13/test/test_cext/__pycache__/ > @@ -3797,6 +3801,7 @@ lib/python3.13/test/test_json/__pycache_ > lib/python3.13/test/test_json/__pycache__/test_unicode.cpython-313.opt-1.pyc > lib/python3.13/test/test_json/__pycache__/test_unicode.cpython-313.opt-2.pyc > lib/python3.13/test/test_json/__pycache__/test_unicode.cpython-313.pyc > +lib/python3.13/test/test_json/json_lines.jsonl > lib/python3.13/test/test_json/test_decode.py > lib/python3.13/test/test_json/test_default.py > lib/python3.13/test/test_json/test_dump.py
