From nobody Wed May  6 22:53:19 2026
X-Original-To: python@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4g9rJf322dz6cyH4
	for <python@mlmmj.nyi.freebsd.org>; Wed, 06 May 2026 22:53:22 +0000 (UTC)
	(envelope-from bugzilla-noreply@freebsd.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4g9rJf2QlKz3GxD
	for <python@FreeBSD.org>; Wed, 06 May 2026 22:53:22 +0000 (UTC)
	(envelope-from bugzilla-noreply@freebsd.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1778108002;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=ZjsualH1yyUfGwlomTPQM+oScIDSYpOPCcZJVCqdri4=;
	b=UOfktujC2p9EiEneeee3CNOB1Jq7cJo21eBO098Rae/uEAdg/cNCsvlbZ5TaRZAnAy2PyA
	ay5X3lgjXHWxYhcUIQ/FE56DEDvHufG2ou5IBQgN0LkgRVDXCpUaT/n2oU5HP3+tSCShZj
	gb5T4SpZYRf/gUJBqM2BSbNg7sAq3Z1NX5orT+idOtQsUc0WnjA06m0Pz+qseNOUuhByd9
	L/dCRBydsYb6gUbusVjFsT7h88IF1uO9+BY3KVsneuDO37hwHoX/43t2N2fFiCcpPtuoY5
	wBmwbPoZBjalwBbHi9sLp9nkgdO6dfcuuApfAW6EIxrF6X4IvHX3aLYuMAgtTg==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1778108002; a=rsa-sha256; cv=none;
	b=axSCTnxDidmZrCKNKj4IrDSnaRKCJ3GwoXCaFHqqPLzuXiI46mq3ldICjfj3Z9XcQR+eJX
	RBSFsHATjVRlC8d2i/IizhMMvx/N8FqCjIigvMPb2cUUTUlBnkfXXU2TMM7h97ZUwqDDVQ
	h4aWG8CjnAy6pwew4TZfh5Onhc+G8gGBWmfDsQj9C1e+eCbtfi6XqXSFbWJLMO9FOQEG/u
	x/qlCunEzL9PYLQFuOZVZXbBn2KscI85beA24820YAxP39l06yrdqG9/YlE6EJEtpTCcqA
	ZhUECsB7na11k/UDECPdAYTCwaBWZC+wKdj1B6gOhyIg8HVhVWGauRt+7QL/Bg==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1778108002;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=ZjsualH1yyUfGwlomTPQM+oScIDSYpOPCcZJVCqdri4=;
	b=A2UMCOW1ODQ6Qmyffz8Lx8BYhdDmHScdJuS+UqkXfZvuTulASq8yceXhd93e0hLwyfXuBR
	qVk/8zbEwTTMXsg93MYGMKPHT6MFexnpwpA+hs5+K5sMSdHhe8caxWw2yneyie2gP7fTC2
	QeSo4B52oS+Lz4SiFoCfZc4tRinxciR3ifemgpbnw5BerNXmxAhqMTFLoasm0ua8yxCAee
	5Rcp7O7l6MNm35IGvisLkcR+2uzWYNs/VE1tlN0t9D/3P+35LqszyR4a4XWsC7s1o+ReLw
	qboMcUUuCrAzYNf8/a5KswNycfomvukMsoS+nUXOVkcK+4mZvNdnnSpBxnnlBg==
Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2610:1c1:1:606c::50:1d])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4g9rJf1pD7z10Gv
	for <python@FreeBSD.org>; Wed, 06 May 2026 22:53:22 +0000 (UTC)
	(envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org ([127.0.1.5])
	by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id 646MrMMU063101
	for <python@FreeBSD.org>; Wed, 6 May 2026 22:53:22 GMT
	(envelope-from bugzilla-noreply@freebsd.org)
Received: (from www@localhost)
	by kenobi.freebsd.org (8.15.2/8.15.2/Submit) id 646MrMnP063100
	for python@FreeBSD.org; Wed, 6 May 2026 22:53:22 GMT
	(envelope-from bugzilla-noreply@freebsd.org)
X-Authentication-Warning: kenobi.freebsd.org: www set sender to bugzilla-noreply@freebsd.org using -f
From: bugzilla-noreply@freebsd.org
To: python@FreeBSD.org
Subject: [Bug 294246] lang/python3: Missing security update
Date: Wed, 06 May 2026 22:53:19 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Ports & Packages
X-Bugzilla-Component: Individual Port(s)
X-Bugzilla-Version: Latest
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Who: ish@ish.org
X-Bugzilla-Status: Closed
X-Bugzilla-Resolution: FIXED
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: python@FreeBSD.org
X-Bugzilla-Flags: maintainer-feedback+
X-Bugzilla-Changed-Fields: 
Message-ID: <bug-294246-21822-gavFEYTbJm@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-294246-21822@https.bugs.freebsd.org/bugzilla/>
References: <bug-294246-21822@https.bugs.freebsd.org/bugzilla/>
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="UTF-8"
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Auto-Submitted: auto-generated
List-Id: FreeBSD-specific Python issues <freebsd-python.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-python
List-Help: <mailto:python+help@freebsd.org>
List-Post: <mailto:python@freebsd.org>
List-Subscribe: <mailto:python+subscribe@freebsd.org>
List-Unsubscribe: <mailto:python+unsubscribe@freebsd.org>
X-BeenThere: freebsd-python@freebsd.org
Sender: owner-freebsd-python@FreeBSD.org
List-Id: <freebsd-python.FreeBSD.org>
List-Post: <mailto:freebsd-python@FreeBSD.org>
List-Help: <mailto:freebsd-python+help@FreeBSD.org>
List-Subscribe: <mailto:freebsd-python+subscribe@FreeBSD.org>
List-Unsubscribe: <mailto:freebsd-python+unsubscribe@FreeBSD.org>
List-Owner: <mailto:postmaster@FreeBSD.org>
Precedence: list
MIME-Version: 1.0

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D294246

--- Comment #18 from ish <ish@ish.org> ---
Why this thread was closed ?
I use python311 and python314 and the following state is unchanged yet.

# pkg audit=20
python311-3.11.15_2 is vulnerable:
  Python -- use-after-free vulnerability in decompressors under memory pres=
sure
  CVE: CVE-2026-6100
  WWW:
https://vuxml.FreeBSD.org/freebsd/b8e9f33c-375d-11f1-a119-e36228bfe7d4.html

  Python -- HTTP proxy CONNECT tunnel does not sanitize CR/LF
  CVE: CVE-2026-1502
  WWW:
https://vuxml.FreeBSD.org/freebsd/30bda1c3-369b-11f1-b51c-6dd25bec137b.html

  python -- more webbrowser.open() command injection vulnerabilities
  CVE: CVE-2026-4786
  WWW:
https://vuxml.FreeBSD.org/freebsd/cf75f572-378a-11f1-a119-e36228bfe7d4.html

  Python -- configparser vulnerable to excessive CPU use
  WWW:
https://vuxml.FreeBSD.org/freebsd/5ec4dcf6-3588-11f1-b51c-6dd25bec137b.html

  Python -- poplib module, when passed a user-controlled command, can have
additional commands injected using newlines
  CVE: CVE-2025-15367
  WWW:
https://vuxml.FreeBSD.org/freebsd/6d3488ae-2e0f-11f1-88c7-00a098b42aeb.html

  Python -- imaplib module, when passed a user-controlled command, can have
additional commands injected using newlines
  CVE: CVE-2025-15366
  WWW:
https://vuxml.FreeBSD.org/freebsd/0be929a5-2e0f-11f1-88c7-00a098b42aeb.html

python314-3.14.4_2 is vulnerable:
  Python -- imaplib module, when passed a user-controlled command, can have
additional commands injected using newlines
  CVE: CVE-2025-15366
  WWW:
https://vuxml.FreeBSD.org/freebsd/0be929a5-2e0f-11f1-88c7-00a098b42aeb.html

  Python -- poplib module, when passed a user-controlled command, can have
additional commands injected using newlines
  CVE: CVE-2025-15367
  WWW:
https://vuxml.FreeBSD.org/freebsd/6d3488ae-2e0f-11f1-88c7-00a098b42aeb.html

8 problem(s) in 2 package(s) found.

--=20
You are receiving this mail because:
You are the assignee for the bug.=