[Bug 294246] lang/python3: Missing security update

2026-05-23 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=294246

--- Comment #20 from Charlie Li  ---
This was closed because the original entries were accounted for. This PR is not
for discussing anything beyond that. There will not be any further PRs. The
vuxml entries are enough work to deal with.

I really hate to sound completely irritable about stuff like this. However.
Please stop being selfish whenever the word security enters the fold. Volunteer
committers and maintainers (in general, not just FreeBSD) have their own lives.
Pulling in individual commits outside of published releases is unacknowledged
labour and is handled on a best-effort, best-available basis only. Please do not
misconstrue this paragraph as a statement of burnout, but rather recognise that
the maintainers have context that you do not have, and explaining such is not
worth the additional labour. Doubly so when upstream deems certain entries to
be incorrect or not immediately actionable.

-- 
You are receiving this mail because:
You are the assignee for the bug.


[Bug 294246] lang/python3: Missing security update

2026-05-23 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=294246

--- Comment #19 from Gert Doering  ---
(In reply to ish from comment #18)

Indeed.  I receive daily complaints about python vulns on all my FreeBSDs, and
the corresponding ticket is closed... so is there another ticket where one can
see progress, or has python@ decided to abandon 3.11 for 3.12/3.13?  (#294246)



[Bug 294246] lang/python3: Missing security update

2026-05-06 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=294246

--- Comment #18 from ish  ---
Why was this thread closed?
I use python311 and python314 and the following state is still unchanged.

# pkg audit 
python311-3.11.15_2 is vulnerable:
  Python -- use-after-free vulnerability in decompressors under memory pressure
  CVE: CVE-2026-6100
  WWW:
https://vuxml.FreeBSD.org/freebsd/b8e9f33c-375d-11f1-a119-e36228bfe7d4.html

  Python -- HTTP proxy CONNECT tunnel does not sanitize CR/LF
  CVE: CVE-2026-1502
  WWW:
https://vuxml.FreeBSD.org/freebsd/30bda1c3-369b-11f1-b51c-6dd25bec137b.html

  python -- more webbrowser.open() command injection vulnerabilities
  CVE: CVE-2026-4786
  WWW:
https://vuxml.FreeBSD.org/freebsd/cf75f572-378a-11f1-a119-e36228bfe7d4.html

  Python -- configparser vulnerable to excessive CPU use
  WWW:
https://vuxml.FreeBSD.org/freebsd/5ec4dcf6-3588-11f1-b51c-6dd25bec137b.html

  Python -- poplib module, when passed a user-controlled command, can have
additional commands injected using newlines
  CVE: CVE-2025-15367
  WWW:
https://vuxml.FreeBSD.org/freebsd/6d3488ae-2e0f-11f1-88c7-00a098b42aeb.html

  Python -- imaplib module, when passed a user-controlled command, can have
additional commands injected using newlines
  CVE: CVE-2025-15366
  WWW:
https://vuxml.FreeBSD.org/freebsd/0be929a5-2e0f-11f1-88c7-00a098b42aeb.html

python314-3.14.4_2 is vulnerable:
  Python -- imaplib module, when passed a user-controlled command, can have
additional commands injected using newlines
  CVE: CVE-2025-15366
  WWW:
https://vuxml.FreeBSD.org/freebsd/0be929a5-2e0f-11f1-88c7-00a098b42aeb.html

  Python -- poplib module, when passed a user-controlled command, can have
additional commands injected using newlines
  CVE: CVE-2025-15367
  WWW:
https://vuxml.FreeBSD.org/freebsd/6d3488ae-2e0f-11f1-88c7-00a098b42aeb.html

8 problem(s) in 2 package(s) found.


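The listing above is six VuXML entries, two of which are reported against both python311 and python314, so a per-package view overstates the number of distinct advisories. As an added example (not part of this thread and not code from pkg or the ports tree), the following parses pkg audit output into findings and groups them by VuXML ID; it uses the listing from comment #18 as its sample input and accepts both pkg's normal one-line "WWW: <url>" form and the wrapped form the mail shows. The Finding type and function names are my own.

```python
"""Parse `pkg audit` output and group findings by VuXML advisory.

Added example; not code from pkg(8) or the FreeBSD ports tree. SAMPLE is the
listing posted in comment #18 of the thread, embedded here so the block runs
offline.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

PKG_RE = re.compile(r"^(?P<pkg>\S+) is vulnerable:$")
FOOTER_RE = re.compile(r"^\d+ problem\(s\) in \d+ package\(s\) found\.$")
VUXML_RE = re.compile(
    r"https?://vuxml\.freebsd\.org/freebsd/(?P<id>[0-9a-f-]{36})\.html", re.I)
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")


@dataclass
class Finding:
    package: str
    title: str
    cves: list[str] = field(default_factory=list)
    vuxml: str | None = None


def parse_pkg_audit(text: str) -> list[Finding]:
    """One Finding per advisory line under each '<pkg> is vulnerable:' header.

    Entry titles are two-space indented; a non-indented line that follows a
    title before any CVE/WWW line is a wrapped continuation of that title.
    """
    findings: list[Finding] = []
    pkg: str | None = None
    cur: Finding | None = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            cur = None                      # blank line ends the entry
            continue
        m = PKG_RE.match(line)
        if m:
            pkg, cur = m.group("pkg"), None
            continue
        if FOOTER_RE.match(line):
            break
        stripped = line.strip()
        if stripped.startswith("CVE:"):
            if cur is not None:
                cur.cves.extend(CVE_RE.findall(stripped))
            continue
        url = VUXML_RE.search(stripped)
        if stripped.startswith("WWW:") or url:
            if cur is not None and url:     # URL may sit on the WWW: line or the next one
                cur.vuxml = url.group("id").lower()
            continue
        if line.startswith("  ") and pkg is not None:
            cur = Finding(pkg, stripped)
            findings.append(cur)
        elif cur is not None and not cur.cves and cur.vuxml is None:
            cur.title += " " + stripped     # wrapped title continuation
    return findings


def packages_by_vuxml(findings: list[Finding]) -> dict[str, set[str]]:
    """Collapse duplicates: one advisory -> the set of packages it hits."""
    out: dict[str, set[str]] = {}
    for f in findings:
        if f.vuxml:
            out.setdefault(f.vuxml, set()).add(f.package)
    return out


SAMPLE = """\
python311-3.11.15_2 is vulnerable:
  Python -- use-after-free vulnerability in decompressors under memory pressure
  CVE: CVE-2026-6100
  WWW:
https://vuxml.FreeBSD.org/freebsd/b8e9f33c-375d-11f1-a119-e36228bfe7d4.html

  Python -- HTTP proxy CONNECT tunnel does not sanitize CR/LF
  CVE: CVE-2026-1502
  WWW:
https://vuxml.FreeBSD.org/freebsd/30bda1c3-369b-11f1-b51c-6dd25bec137b.html

  python -- more webbrowser.open() command injection vulnerabilities
  CVE: CVE-2026-4786
  WWW:
https://vuxml.FreeBSD.org/freebsd/cf75f572-378a-11f1-a119-e36228bfe7d4.html

  Python -- configparser vulnerable to excessive CPU use
  WWW:
https://vuxml.FreeBSD.org/freebsd/5ec4dcf6-3588-11f1-b51c-6dd25bec137b.html

  Python -- poplib module, when passed a user-controlled command, can have
additional commands injected using newlines
  CVE: CVE-2025-15367
  WWW:
https://vuxml.FreeBSD.org/freebsd/6d3488ae-2e0f-11f1-88c7-00a098b42aeb.html

  Python -- imaplib module, when passed a user-controlled command, can have
additional commands injected using newlines
  CVE: CVE-2025-15366
  WWW:
https://vuxml.FreeBSD.org/freebsd/0be929a5-2e0f-11f1-88c7-00a098b42aeb.html

python314-3.14.4_2 is vulnerable:
  Python -- imaplib module, when passed a user-controlled command, can have
additional commands injected using newlines
  CVE: CVE-2025-15366
  WWW:
https://vuxml.FreeBSD.org/freebsd/0be929a5-2e0f-11f1-88c7-00a098b42aeb.html

  Python -- poplib module, when passed a user-controlled command, can have
additional commands injected using newlines
  CVE: CVE-2025-15367
  WWW:
https://vuxml.FreeBSD.org/freebsd/6d3488ae-2e0f-11f1-88c7-00a098b42aeb.html

8 problem(s) in 2 package(s) found.
"""

if __name__ == "__main__":
    for vid, pkgs in sorted(packages_by_vuxml(parse_pkg_audit(SAMPLE)).items()):
        print(vid, sorted(pkgs))
```

On a live host the same functions can be fed `subprocess.run(["pkg", "audit"], capture_output=True, text=True).stdout`; the sample is embedded only so the block runs without pkg installed.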

[Bug 294246] lang/python3: Missing security update

2026-05-04 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=294246

Jochen Neumeister  changed:

   What|Removed |Added

 CC||[email protected]
 Resolution|--- |FIXED
 Status|Open|Closed



[Bug 294246] lang/python3: Missing security update

2026-04-13 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=294246

Matthias Andree  changed:

   What|Removed |Added

 Blocks||294496


Referenced Bugs:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=294496
[Bug 294496] lang/python*: CVE-2026-4786: webbrowser.open() command injection
mitigation for CVE-2026-4519 was incomplete


[Bug 294246] lang/python3: Missing security update

2026-04-13 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=294246

--- Comment #17 from [email protected] ---
A commit in branch 2026Q2 references this bug:

URL:
https://cgit.FreeBSD.org/ports/commit/?id=455fd74a6cdd78e080a554b7630cba826bb098d6

commit 455fd74a6cdd78e080a554b7630cba826bb098d6
Author: Charlie Li 
AuthorDate: 2026-04-06 01:42:49 +
Commit: Charlie Li 
CommitDate: 2026-04-13 22:29:51 +

lang/python312: pull in upstream commits addressing webbrowser.open() issue

Security: 9fdad262-2e0f-11f1-88c7-00a098b42aeb
PR: 294246
(cherry picked from commit d1ce8f060d6e0c674448b158b9bd0ea42d95b0d8)

 lang/python312/Makefile | 4 +++-
 lang/python312/distinfo | 6 +-
 2 files changed, 8 insertions(+), 2 deletions(-)



[Bug 294246] lang/python3: Missing security update

2026-04-13 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=294246

--- Comment #16 from [email protected] ---
A commit in branch 2026Q2 references this bug:

URL:
https://cgit.FreeBSD.org/ports/commit/?id=d6331a1b636cba23623eeef304a31b67c5cbb368

commit d6331a1b636cba23623eeef304a31b67c5cbb368
Author: Charlie Li 
AuthorDate: 2026-04-06 01:59:51 +
Commit: Charlie Li 
CommitDate: 2026-04-13 22:30:45 +

lang/python313: pull in upstream commits addressing webbrowser.open() issue

Security: 9fdad262-2e0f-11f1-88c7-00a098b42aeb
PR: 294246
(cherry picked from commit 569e99b1dff2d8c0b0d753735b28e0df5e2dd6b9)

 lang/python313/Makefile | 6 +-
 lang/python313/distinfo | 6 +-
 2 files changed, 10 insertions(+), 2 deletions(-)



[Bug 294246] lang/python3: Missing security update

2026-04-13 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=294246

--- Comment #15 from [email protected] ---
A commit in branch 2026Q2 references this bug:

URL:
https://cgit.FreeBSD.org/ports/commit/?id=f15e78a69457dbe274deeb7965e96e42046934ae

commit f15e78a69457dbe274deeb7965e96e42046934ae
Author: Charlie Li 
AuthorDate: 2026-04-06 02:15:59 +
Commit: Charlie Li 
CommitDate: 2026-04-13 22:29:09 +

lang/python311: pull in upstream commits addressing webbrowser.open() issue

Security: 9fdad262-2e0f-11f1-88c7-00a098b42aeb
PR: 294246
(cherry picked from commit eae851578f69e34b4520d9b0ef582dddf8541281)

 lang/python311/Makefile | 4 +++-
 lang/python311/distinfo | 6 +-
 2 files changed, 8 insertions(+), 2 deletions(-)



[Bug 294246] lang/python3: Missing security update

2026-04-13 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=294246

--- Comment #14 from [email protected] ---
A commit in branch 2026Q2 references this bug:

URL:
https://cgit.FreeBSD.org/ports/commit/?id=974a854f766b68fc03b902c486339f904628c226

commit 974a854f766b68fc03b902c486339f904628c226
Author: Charlie Li 
AuthorDate: 2026-04-06 02:18:16 +
Commit: Charlie Li 
CommitDate: 2026-04-13 22:29:28 +

lang/python310: pull in upstream commits addressing webbrowser.open() issue

Security: 9fdad262-2e0f-11f1-88c7-00a098b42aeb
PR: 294246
(cherry picked from commit cc746eedc4dfcefe29d13fe3c36d29e7fa8b48f5)

 lang/python310/Makefile | 4 +++-
 lang/python310/distinfo | 6 +-
 2 files changed, 8 insertions(+), 2 deletions(-)



[Bug 294246] lang/python3: Missing security update

2026-04-11 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=294246

Matthias Andree  changed:

   What|Removed |Added

   See Also||https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=294324
 CC||[email protected],
   ||[email protected]

--- Comment #13 from Matthias Andree  ---
(In reply to Herbert J. Skuhra from comment #10)
Because I added python314 even before the python@ members got python313 into
the tree and I am not handing it over to the team.

Everyone feel free though to Cc: me on Python PRs that also apply to 3.14.

As to the matter, we don't need cherry picks, we can update/MFH(2026Q2) 3.14 to
3.14.4 instead. The 3.14.4 update contains the fix for leading dashes in
webbrowser.open(), so the two cherry-picks to fix these are not needed there.

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=294324 has 
(1) a 3.14.4 security update (sent by me as the maintainer),
and two post-3.14.4 cherry-picked security fixes for:
(2) gh-146211: Reject CR/LF in HTTP tunnel request headers
(3) gh-146333: Fix quadratic regex backtracking in configparser

Which probably want investigation/backport to older Python releases.

The PR 294324 (link above) also contains VuXML updates.


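Comment #13 mentions that 3.14.4 carries the fix for leading dashes in webbrowser.open(). As an added illustration of that bug class (this is not CPython's webbrowser module nor its actual fix, and the browser option names are hypothetical), the following models a launcher that hands a caller-supplied URL to a browser as argv[1]: a "URL" that begins with "-" is parsed by the browser as an option, while the hardened launcher validates the URL before it reaches argv and can terminate option parsing with "--" where the specific browser is known to honour that (an assumption, hence opt-in).

```python
"""Leading-dash argument injection when launching a browser.

Added example; not CPython's webbrowser code and not its fix. A launcher
passes a caller-controlled URL as argv[1]; if the value starts with '-' the
browser treats it as an option. `--exec=` below is a hypothetical option
standing in for any option that runs code or changes where output goes.
"""
from __future__ import annotations

import getopt
import subprocess
from urllib.parse import urlsplit

HYPOTHETICAL_LONG_OPTS = ["new-window", "exec="]   # illustrative browser CLI
ALLOWED_SCHEMES = {"http", "https"}


def hypothetical_browser_parse(argv: list[str]) -> tuple[dict[str, str], list[str]]:
    """Stand-in for the launched browser's option parsing: GNU style, options
    may appear anywhere in argv and '--' ends option processing."""
    opts, positional = getopt.gnu_getopt(argv[1:], "", HYPOTHETICAL_LONG_OPTS)
    return dict(opts), positional


def browser_argv_unsafe(browser: str, url: str) -> list[str]:
    """Naive launcher: whatever the caller passes becomes argv[1]."""
    return [browser, url]


def validate_url(url: str) -> str:
    """Accept only absolute http(s) URLs. The explicit leading-dash check is
    already implied by the scheme check; it is kept to state the intent."""
    if url.startswith("-"):
        raise ValueError("URL must not start with '-'")
    if any(ch in url for ch in "\r\n\0"):
        raise ValueError("URL must not contain control characters")
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        raise ValueError("URL must be an absolute http(s) URL")
    return url


def browser_argv_safe(browser: str, url: str, *, honors_double_dash: bool = False) -> list[str]:
    """Validate first; emit '--' only when the browser is known to honour it
    (assumption about the particular browser, so the caller opts in)."""
    argv = [browser]
    if honors_double_dash:
        argv.append("--")
    argv.append(validate_url(url))
    return argv


def launch(argv: list[str]) -> subprocess.Popen:
    """Exec directly, never through a shell, so quoting is not the issue;
    the remaining issue is argv[1] itself, handled above."""
    return subprocess.Popen(argv, stdin=subprocess.DEVNULL,
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def demo() -> dict[str, object]:
    """Constructed input: a caller passes '--exec=calc' where a URL is expected."""
    hostile = "--exec=calc"
    out: dict[str, object] = {
        "unsafe_parse": hypothetical_browser_parse(browser_argv_unsafe("browser", hostile)),
        "double_dash_parse": hypothetical_browser_parse(["browser", "--", hostile]),
    }
    try:
        browser_argv_safe("browser", hostile)
        out["safe"] = "launched"
    except ValueError as exc:
        out["safe"] = f"rejected: {exc}"
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Note that "--" alone is not a complete fix: it depends on the browser's argument parser, and a launcher that goes through a wrapper script or a different binary may not get that behaviour, which is why the validation step is the one that must always run.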

[Bug 294246] lang/python3: Missing security update

2026-04-09 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=294246

--- Comment #12 from Charlie Li  ---
(In reply to Vladimir Boldin from comment #11)
Please read comment 9 if you haven't already.



[Bug 294246] lang/python3: Missing security update

2026-04-09 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=294246

--- Comment #11 from Vladimir Boldin  ---
New update also vulnerable

python311-3.11.15_2 is vulnerable:

  Python -- poplib module, when passed a user-controlled command, can have
additional commands injected using newlines
  CVE: CVE-2025-15367
  WWW:
https://vuxml.FreeBSD.org/freebsd/6d3488ae-2e0f-11f1-88c7-00a098b42aeb.html

  Python -- imaplib module, when passed a user-controlled command, can have
additional commands injected using newlines
  CVE: CVE-2025-15366
  WWW:
https://vuxml.FreeBSD.org/freebsd/0be929a5-2e0f-11f1-88c7-00a098b42aeb.html



[Bug 294246] lang/python3: Missing security update

2026-04-08 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=294246

--- Comment #10 from Herbert J. Skuhra  ---
Python 3.14.4 is out:
https://docs.python.org/release/3.14.4/whatsnew/changelog.html

But this release seems to address other CVEs.

Why is lang/python314 not maintained by python@?



[Bug 294246] lang/python3: Missing security update

2026-04-07 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=294246

--- Comment #9 from Charlie Li  ---
lang/python314 is currently not maintained by the python@ team. It will need
portmgr@ action or a repeated maintainer timeout in order for it to go
unmaintained, which then enables python@ to take it.

Upstream has decided to hold off backporting CVE-2025-15366 and CVE-2025-15367
due to potentially breaking existing behaviour and a need to further analyse if
the commits in the main branch addressing them follow the relevant
standards/RFCs correctly. Thus we will also hold off on them.


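Comment #9 concerns CVE-2025-15366 and CVE-2025-15367 (imaplib and poplib commands with newlines injected through a user-controlled argument), and comment #13 lists gh-146211 (CR/LF in HTTP CONNECT tunnel headers). These are one bug class: a client joins caller-controlled text into a single protocol line, and an embedded CR/LF makes the peer read one request as two. The following is an added example that models the class and the fail-closed check; it is not CPython's imaplib, poplib or http.client code and does not reproduce upstream's patches, and all function names are hypothetical.

```python
"""CR/LF injection into line-oriented protocol commands.

Added example; not CPython's code or its fixes. Models the pattern behind the
imaplib/poplib and HTTP CONNECT entries in the thread: build a line from
caller-controlled text, send it, and let the server split on line endings.
"""
from __future__ import annotations

CRLF = "\r\n"


def server_side_lines(wire: bytes) -> list[str]:
    """What a line-oriented server sees: one unit per terminator. Many
    servers also accept a bare LF, so both forms are treated as terminators."""
    text = wire.decode("latin-1").replace("\r\n", "\n").replace("\r", "\n")
    return [line for line in text.split("\n") if line]


def reject_line_breaks(value: str, what: str) -> str:
    """Fail closed: a CR or LF would end the line being built."""
    if "\r" in value or "\n" in value:
        raise ValueError(f"{what} must not contain CR or LF")
    return value


# --- mail protocol commands (the imaplib/poplib pattern) -------------------

def pop3_command_unsafe(verb: str, *args: str) -> bytes:
    """Naive: join verb and arguments, terminate with CRLF."""
    return (" ".join((verb, *args)) + CRLF).encode("latin-1")


def pop3_command_safe(verb: str, *args: str) -> bytes:
    reject_line_breaks(verb, "command")
    return pop3_command_unsafe(verb, *(reject_line_breaks(a, "argument") for a in args))


# --- HTTP CONNECT tunnel request (the proxy-header pattern) ----------------

def connect_request_unsafe(host: str, port: int, headers: dict[str, str]) -> bytes:
    """Naive: each header value is interpolated into its own line."""
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    lines += [f"{name}: {value}" for name, value in headers.items()]
    return (CRLF.join(lines) + CRLF + CRLF).encode("latin-1")


def connect_request_safe(host: str, port: int, headers: dict[str, str]) -> bytes:
    reject_line_breaks(host, "host")
    for name, value in headers.items():
        reject_line_breaks(name, "header name")
        reject_line_breaks(value, "header value")
    return connect_request_unsafe(host, port, headers)


def demo() -> dict[str, object]:
    """Constructed inputs: a message number and a proxy credential, each with
    a smuggled second line. Returns what the peer would see in each case."""
    hostile_arg = "1" + CRLF + "DELE 1"
    hostile_hdr = {"Proxy-Authorization":
                   "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==" + CRLF + "X-Injected: yes"}
    out: dict[str, object] = {
        "pop3_unsafe": server_side_lines(pop3_command_unsafe("RETR", hostile_arg)),
        "connect_unsafe": server_side_lines(
            connect_request_unsafe("example.test", 443, hostile_hdr)),
    }
    for label, fn, args in (
        ("pop3_safe", pop3_command_safe, ("RETR", hostile_arg)),
        ("connect_safe", connect_request_safe, ("example.test", 443, hostile_hdr)),
    ):
        try:
            fn(*args)
            out[label] = "sent"
        except ValueError as exc:
            out[label] = f"rejected: {exc}"
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Rejecting rather than stripping is deliberate: silently removing CR/LF changes the meaning of the argument and can still leave a line the peer interprets differently from what the caller intended, which is the compatibility question comment #9 says upstream is still analysing against the relevant RFCs.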

[Bug 294246] lang/python3: Missing security update

2026-04-07 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=294246

[email protected] changed:

   What|Removed |Added

 CC||[email protected]

--- Comment #8 from [email protected] ---
(In reply to Herbert J. Skuhra from comment #7)

3.14. This patch should be enough, right?
594b5a05dc9913880ac92eded440defbf32a28d1

Wouldn't the following patches also be necessary?
6262704b134db2a4ba12e85ecfbd968534f28b45 CVE-2025-15366
b234a2b67539f787e191d2ef19a7cbdce32874e7 CVE-2025-15367



[Bug 294246] lang/python3: Missing security update

2026-04-07 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=294246

Herbert J. Skuhra  changed:

   What|Removed |Added

 CC||[email protected]

--- Comment #7 from Herbert J. Skuhra  ---
Python 3.14? The patches added to 3.1[0123] are also available for 3.14, right?

PATCH_SITES=   https://github.com/python/cpython/commit/
PATCHFILES=9669a912a0e329c094e992204d6bdb8787024d76.patch:-p1 \
   594b5a05dc9913880ac92eded440defbf32a28d1.patch:-p1



[Bug 294246] lang/python3: Missing security update

2026-04-05 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=294246

--- Comment #6 from [email protected] ---
A commit in branch main references this bug:

URL:
https://cgit.FreeBSD.org/ports/commit/?id=cc746eedc4dfcefe29d13fe3c36d29e7fa8b48f5

commit cc746eedc4dfcefe29d13fe3c36d29e7fa8b48f5
Author: Charlie Li 
AuthorDate: 2026-04-06 02:18:16 +
Commit: Charlie Li 
CommitDate: 2026-04-06 02:18:16 +

lang/python310: pull in upstream commits addressing webbrowser.open() issue

Security: 9fdad262-2e0f-11f1-88c7-00a098b42aeb
PR: 294246

 lang/python310/Makefile | 4 +++-
 lang/python310/distinfo | 6 +-
 2 files changed, 8 insertions(+), 2 deletions(-)



[Bug 294246] lang/python3: Missing security update

2026-04-05 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=294246

--- Comment #5 from [email protected] ---
A commit in branch main references this bug:

URL:
https://cgit.FreeBSD.org/ports/commit/?id=eae851578f69e34b4520d9b0ef582dddf8541281

commit eae851578f69e34b4520d9b0ef582dddf8541281
Author: Charlie Li 
AuthorDate: 2026-04-06 02:15:59 +
Commit: Charlie Li 
CommitDate: 2026-04-06 02:15:59 +

lang/python311: pull in upstream commits addressing webbrowser.open() issue

Security: 9fdad262-2e0f-11f1-88c7-00a098b42aeb
PR: 294246

 lang/python311/Makefile | 4 +++-
 lang/python311/distinfo | 6 +-
 2 files changed, 8 insertions(+), 2 deletions(-)



[Bug 294246] lang/python3: Missing security update

2026-04-05 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=294246

--- Comment #4 from [email protected] ---
A commit in branch main references this bug:

URL:
https://cgit.FreeBSD.org/ports/commit/?id=569e99b1dff2d8c0b0d753735b28e0df5e2dd6b9

commit 569e99b1dff2d8c0b0d753735b28e0df5e2dd6b9
Author: Charlie Li 
AuthorDate: 2026-04-06 01:59:51 +
Commit: Charlie Li 
CommitDate: 2026-04-06 01:59:51 +

lang/python313: pull in upstream commits addressing webbrowser.open() issue

Security: 9fdad262-2e0f-11f1-88c7-00a098b42aeb
PR: 294246

 lang/python313/Makefile | 6 +-
 lang/python313/distinfo | 6 +-
 2 files changed, 10 insertions(+), 2 deletions(-)



[Bug 294246] lang/python3: Missing security update

2026-04-04 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=294246

--- Comment #2 from [email protected] ---
A commit in branch main references this bug:

URL:
https://cgit.FreeBSD.org/ports/commit/?id=f07bff5c0deefac2ad77689a79965fefc468bf9f

commit f07bff5c0deefac2ad77689a79965fefc468bf9f
Author: Charlie Li 
AuthorDate: 2026-04-04 17:06:47 +
Commit: Charlie Li 
CommitDate: 2026-04-04 17:09:29 +

security/vuxml: add missed python packages

PR: 294246

 security/vuxml/vuln/2026.xml | 7 +++
 1 file changed, 7 insertions(+)



[Bug 294246] lang/python3: Missing security update

2026-04-04 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=294246

--- Comment #3 from [email protected] ---
A commit in branch main references this bug:

URL:
https://cgit.FreeBSD.org/ports/commit/?id=2af09f68ce6c2203fa431e4be7778911fdff54e3

commit 2af09f68ce6c2203fa431e4be7778911fdff54e3
Author: Charlie Li 
AuthorDate: 2026-04-04 17:03:36 +
Commit: Charlie Li 
CommitDate: 2026-04-04 17:09:26 +

security/vuxml: add ranges for python webbrowser.open() API entry

PR: 294246

 security/vuxml/vuln/2026.xml | 9 +
 1 file changed, 5 insertions(+), 4 deletions(-)



[Bug 294246] lang/python3: Missing security update

2026-04-04 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=294246

Charlie Li  changed:

   What|Removed |Added

Summary|lang/python311: Missing security update|lang/python3: Missing security update
