To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Cc: Matthias Andree
From: Daniel Engberg
Subject: git: 8575855cbba0 - main - security/vuxml: Add entries for Python CVE-2026-1502 and gh-146333
List-Id: Commits to the main branch of the FreeBSD ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main
Date: Sun, 12 Apr 2026 18:36:46 +0000
Message-Id: <69dbe63e.3af47.4aaaa24b@gitrepo.freebsd.org>

The branch main has been updated by diizzy:

URL: https://cgit.FreeBSD.org/ports/commit/?id=8575855cbba0c7b933aaa7edd1825937b97efad8

commit 8575855cbba0c7b933aaa7edd1825937b97efad8
Author:     Matthias Andree
AuthorDate: 2026-04-12 18:17:06 +0000
Commit:     Daniel Engberg
CommitDate: 2026-04-12 18:35:01 +0000

    security/vuxml: Add entries for Python CVE-2026-1502 and gh-146333

    PR:             294324
    Security:       CVE-2026-1502 / 30bda1c3-369b-11f1-b51c-6dd25bec137b
    Security:       5ec4dcf6-3588-11f1-b51c-6dd25bec137b

--- security/vuxml/vuln/2026.xml | 53 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 53 insertions(+) diff --git a/security/vuxml/vuln/2026.xml b/security/vuxml/vuln/2026.xml index 1bc2b6dde970..4597973c97f6 100644 --- a/security/vuxml/vuln/2026.xml +++ b/security/vuxml/vuln/2026.xml @@ -1,3 +1,56 @@ + + Python -- HTTP proxy CONNECT tunnel does not sanitize CR/LF + + python3100 + python3110 + python3120 + python3130 + python3143.14.4 + + + +

Seth Larson reports:

+
+

HTTP proxy via "CONNECT" tunneling doesn't sanitize CR/LF (CVE-2026-1502).

+
+ +
+ + CVE-2026-1502 + https://github.com/python/cpython/issues/146211 + + + 2026-03-20 + 2026-04-12 + +
+ + + Python -- configparser vulnerable to excessive CPU use + + python3100 + python3110 + python3120 + python3130 + python3143.14.4 + + + +

Stan Ulbrych reports:

+
+

configparser.RawConfigParser.{OPTCRE,OPTCRE_NV} regexes [are] vulnerable to quadratic backtracking.

+
+ +
+ + https://github.com/python/cpython/issues/146333 + + + 2026-03-23 + 2026-04-12 + +
+ py-ormar -- vulnerabilities
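
Review bot: In both new entries' package lists only the python314 row shows a version bound (python3143.14.4, which reads as 3.14.4), while python310 through python313 show just a trailing 0 (python3100 ... python3130), so as rendered here those four branches carry no fixed version. If that is intentional because no fixed releases exist for them yet, state it in the commit message or the entry description, and plan a follow-up that adds upper bounds and a modified date once fixes ship; otherwise the entries keep matching every version of those ports. The second entry (configparser, excessive CPU use) also lists only the GitHub issue URL as a reference and no CVE name; add one if an identifier is assigned.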