https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=296068
Bug ID: 296068
Summary: lang/python311: fails to build with poudriere
Product: Ports & Packages
Version: Latest
Hardware: amd64
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: Individual Port(s)
Assignee: [email protected]
Reporter: [email protected]
Flags: maintainer-feedback?([email protected])
Created attachment 271814
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=271814&action=edit
poudriere log failed port
Good Morning,
after the latest commit for python 3.11.15_3 my poudriere setup won't build
python any more. This affects latest (main) and quarterly (2026Q2 Branch),
tested on FreeBSD 14.3 and 15.0.
Poudriere Error Message (full log attached):
```
=======================<phase: checksum >============================
===== env: FETCH_REGET=0 NO_DEPENDS=yes USER=root UID=0 GID=0
===> Fetching all distfiles required by python311-3.11.15_3 for building
=> SHA256 Checksum OK for python/Python-3.11.15.tar.xz.
=> SHA256 Checksum mismatch for
python/ceac1efc66516ac387eef2c9a0ce671895b44f03.patch.
=> SHA256 Checksum mismatch for
python/96fc5048605863c7b6fd6289643feb0e97edd96c.patch.
===> Giving up on fetching files:
python/ceac1efc66516ac387eef2c9a0ce671895b44f03.patch
python/96fc5048605863c7b6fd6289643feb0e97edd96c.patch
Make sure the Makefile and distinfo file (/usr/ports/lang/python311/distinfo)
are up to date. If you are absolutely sure you want to override this
check, type "make NO_CHECKSUM=yes [other args]".
*** Error code 1
```
`make makesum` fails with:
```
===> python311-3.11.15_3 has known vulnerabilities:
python311-3.11.15_3 is vulnerable:
Python -- poplib module, when passed a user-controlled command, can have
additional commands injected using newlines
CVE: CVE-2025-15367
WWW:
https://vuxml.FreeBSD.org/freebsd/6d3488ae-2e0f-11f1-88c7-00a098b42aeb.html
Python -- configparser vulnerable to excessive CPU use
WWW:
https://vuxml.FreeBSD.org/freebsd/5ec4dcf6-3588-11f1-b51c-6dd25bec137b.html
python -- more webbrowser.open() command injection vulnerabilities
CVE: CVE-2026-4786
WWW:
https://vuxml.FreeBSD.org/freebsd/cf75f572-378a-11f1-a119-e36228bfe7d4.html
Python -- use-after-free vulnerability in decompressors under memory pressure
CVE: CVE-2026-6100
WWW:
https://vuxml.FreeBSD.org/freebsd/b8e9f33c-375d-11f1-a119-e36228bfe7d4.html
Python -- imaplib module, when passed a user-controlled command, can have
additional commands injected using newlines
CVE: CVE-2025-15366
WWW:
https://vuxml.FreeBSD.org/freebsd/0be929a5-2e0f-11f1-88c7-00a098b42aeb.html
Python -- HTTP proxy CONNECT tunnel does not sanitize CR/LF
CVE: CVE-2026-1502
WWW:
https://vuxml.FreeBSD.org/freebsd/30bda1c3-369b-11f1-b51c-6dd25bec137b.html
6 problem(s) in 1 package(s) found.
=> Please update your ports tree and try again.
=> Note: Vulnerable ports are marked as such even if there is no update
available.
=> If you wish to ignore this vulnerability rebuild with 'make
DISABLE_VULNERABILITIES=yes'
*** Error code 1
Stop.
make: stopped making "makesum" in
/usr/local/poudriere/ports/bsdcan26/lang/python311
```
I suspect that might be the problem when using poudriere.
I tried setting DISABLE_VULNERABILITIES=yes in the make.conf, but the checksum
error stays.
If I run `make DISABLE_VULNERABILITIES=yes makesum` the distfile does not
change.
Am I doing something wrong, or is there a general problem with building
python311 on FreeBSD 14 and 15 (I tried 14.3p15 and 15.0p10 jails)?
Thanks.
Lukas
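
An added example, not part of the original report and not code from the ports framework: a small checker that parses the `SHA256 (...) = ...` / `SIZE (...) = ...` lines of a port's `distinfo` and classifies each fetched distfile, which separates a file whose content changed from one that was truncated or never fetched. The file names and contents in `demo()` are constructed.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# distinfo entries: "SHA256 (python/foo.patch) = <hex>" and "SIZE (python/foo.patch) = <bytes>"
_LINE = re.compile(r"^(SHA256|SIZE) \((.+)\) = (\S+)$")

def parse_distinfo(text):
    """Return {relative_path: {"SHA256": hex, "SIZE": int}}; TIMESTAMP and other lines are skipped."""
    entries = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            kind, path, value = m.groups()
            entries.setdefault(path, {})[kind] = int(value) if kind == "SIZE" else value.lower()
    return entries

def verify(entries, distdir):
    """Classify each distfile as ok, missing, size-mismatch or sha256-mismatch."""
    results = {}
    root = Path(distdir).resolve()
    for rel, want in entries.items():
        f = (root / rel).resolve()
        if root not in f.parents or not f.is_file():  # paths escaping distdir count as missing
            results[rel] = "missing"
            continue
        data = f.read_bytes()
        if "SIZE" in want and len(data) != want["SIZE"]:
            results[rel] = "size-mismatch"      # truncated or different file
        elif hashlib.sha256(data).hexdigest() != want.get("SHA256"):
            results[rel] = "sha256-mismatch"    # same length, different content
        else:
            results[rel] = "ok"
    return results

def demo():
    """Constructed sample: an intact tarball and a patch whose bytes differ from the recorded ones."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "python").mkdir()
        good, recorded, fetched = b"tarball bytes\n", b"patch v1\n", b"patch v2\n"
        (Path(d) / "python/sample.tar.xz").write_bytes(good)
        (Path(d) / "python/sample.patch").write_bytes(fetched)
        distinfo = "TIMESTAMP = 0\n" + "".join(
            f"SHA256 ({n}) = {hashlib.sha256(b).hexdigest()}\nSIZE ({n}) = {len(b)}\n"
            for n, b in (("python/sample.tar.xz", good), ("python/sample.patch", recorded)))
        return verify(parse_distinfo(distinfo), d)

if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{status:16} {path}")
```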