Hi Matthias,
I am replying solely in my capacity as a member of ports-secteam.
I do not intend to comment on the questions raised regarding
maintainership, portmgr@ decisions, commit bits, or other governance
matters. Those topics are outside the scope of ports-secteam.
Regarding CVE-2026-9669, the primary concern from a ports-secteam
perspective is that the relevant technical information, patches,
upstream references, and testing results are available so that any
necessary security fixes can be evaluated and processed in a timely manner.
If a tested patch for lang/python314 is available, making it accessible
through the project's established processes will help ensure that it can
be reviewed and considered without unnecessary delay.
Regarding VuXML, I am currently not aware of an existing entry for this
issue. If VuXML coverage is required, that can be evaluated as part of
the normal security handling process.
Regardless of any ongoing discussions elsewhere, I believe the immediate
priority should be ensuring that any security-related issues affecting
FreeBSD users are addressed appropriately and without unnecessary delay.
Where security vulnerabilities are involved, ports-secteam routinely
assists with the established security handling process, including
vulnerability assessment, VuXML review and maintenance where applicable,
and coordination of related security work.
Best regards,
Jochen (ports-secteam)
On 09.06.26 at 04:23, Matthias Andree wrote:
[resend, first didn't reach python@ team because I botched the To: address]
Greetings,
mat@ reassigned my python ports 3.14 and 3.15 to you.
This wasn't authorized, there is no reason for it other than bullying, I
don't recognize it, it isn't in the project's best interest or the
portmgr@ charter, so this is on core.14@'s agenda.
Still the focus is on our ports users, and now CVE-2026-9669 was just
out (bzip2 compressor smashes stack when reused after error).
I have a fix for the bzip2 stack smasher ready for 3.14 [1], albeit
without a reference to a VuXML entry; the pending medium CVEs available
in upstream PRs are not cherry-picked into the port - not sure if
upstream will issue an extraordinary 3.14.6 or just pursue the usual schedule.
For 3.15 I have not yet started to fix the CVE stuff, beta2 just landed,
but the upstream pull request is available so we could have it, too.
1. So, until core@ decides on the unhelpful portmgr@ incursions (see
below), how do we co-ordinate in the interim to get fixes to ports users
quickly, which includes MFH 2026Q2? Proposals?
2. Who's having the VuXML?
Please respond within 24h.
Speak soon.
Matthias
[1] https://github.com/mandree/freebsd-ports/commit/5fed4d57a3b786583ad5572f22349998bced1654
P.S. Still, you will have noticed I have been working on making Python
3.14 and 3.15b1/b2 smooth rides for our ports users, with swift updates,
and arrowd@ already knows that something's cooking with upstream on 3.15
self-test failures; see
<https://github.com/python/cpython/issues?q=is%3Aissue%20author%3Amandree%20FreeBSD%20state%3Aopen>
for what's on the burner. Some will trickle down to 3.14, some we should
re-test and nudge there.