From nobody Mon Dec 8 18:48:31 2025
Date: Mon, 08 Dec 2025 18:48:31 +0000
To: Dimitry Andric
From: Bacula-Web project maintainer
Cc: "freebsd-security@FreeBSD.org"
Subject: Re: Guidance on how to handle FreeBSD port vulnerability
List-Id: Security issues
List-Archive: https://lists.freebsd.org/archives/freebsd-security

Thanks for your feedback Dimitry, I’ll create a bug asap.

Best,
Davide

-------- Original Message --------
On Sunday, 12/07/25 at 12:35 Dimitry Andric wrote:

On 7 Dec 2025, at 12:28, Bacula-Web project maintainer wrote:
>
>
> Hello there,
>
> I'd need some help to tackle a known FreeBSD port vulnerability which doesn't seem to be referenced on FreshPort.org.
>
> The affected port is https://www.freshports.org/www/bacula-web/.
>
> Also, I'd like to put some efforts to keep updated above ports as it deserves some more "love".
>
> Any hints / link to documented process would be nice.

Report a bug on https://bugs.freebsd.org/bugzilla/, the "Report an update or defect to a port" link there is the most appropriate. If you start the subject of the bug report with the string "www/bacula-web: " it will automatically get assigned to the port maintainer, which at the moment is ler@FreeBSD.org.

-Dimitry

From nobody Mon Dec 8 21:25:33 2025
Date: Mon, 8 Dec 2025 21:25:33 +0000
From: Polarian
To: freebsd-security@freebsd.org
Subject: Re: Guidance on how to handle FreeBSD port vulnerability

Hey,

I assume you are referencing CVE-2025-45346?

I checked now I still do not see a bug for this.

Take care,
--
Polarian
Jabber/XMPP: polarian@icebound.dev

From nobody Tue Dec 9 05:15:57 2025
Date: Tue, 09 Dec 2025 05:15:57 +0000
To: Polarian
From: Bacula-Web project maintainer
Cc: freebsd-security@freebsd.org
Subject: Re: Guidance on how to handle FreeBSD port vulnerability

Hi,

> Hey,
>
> I assume you are referencing CVE-2025-45346?

Yes, this is exactly the CVE I had in mind.

>
> I checked now I still do not see a bug for this.

I've created this one -> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=291505

>
> Take care,
> --
> Polarian
> Jabber/XMPP: polarian@icebound.dev

Best regards
Davide

From nobody Fri Dec 12 10:01:30 2025
From: Cristiano Deana
Date: Fri, 12 Dec 2025 11:01:30 +0100
Subject: lang/python311 vulnerable, or not
To: freebsd-security@freebsd.org

Hi,

pkg audit marked as vulnerable python311 (default python version right now), but vuxml doesn't specify if it's fixed or not:
https://vuxml.freebsd.org/freebsd/613d0f9e-d477-11f0-9e85-03ddfea11990.html

Does this mean py311 will not be fixed?

Thank you

--
Cris, member of G.U.F.I
Italian FreeBSD User Group
http://www.gufi.org/

From nobody Fri Dec 12 13:38:57 2025
Date: Fri, 12 Dec 2025 13:38:57 +0000
From: Polarian
To: freebsd-security@freebsd.org
Subject: Re: lang/python311 vulnerable, or not

Hey,

> Does this mean py311 will not be fixed?

No, it will be fixed. Python is usually slow to be updated as new updates require rebuilding of all the python ports (iirc). You can see the update to 3.12 [1] which just highlights how annoying python is to port.

On the bright side none of these security vulnerabilities are too bad, denial of service and inefficient algorithm. Obviously patching it is important, but the risk is much lower.

If you want to see the kind of vulnerabilities you should be worried about, see [2]. RCEs, or CVEs which lead to RCEs are the scary ones :p

Even more scary if they have been confirmed to be used in the wild, like [2].

Take care,
--
Polarian
Jabber/XMPP: polarian@icebound.dev

[1] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=285957
[2] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=291575