Date: Fri, 12 Dec 2025 13:38:57 +0000
From: Polarian
To: freebsd-security@freebsd.org
Subject: Re: lang/python311 vulnerable, or not
Message-ID: <20251212133857.0ea26899@Hydrogen>
X-Mailer: Claws Mail 3.21.0 (GTK+ 2.24.33; amd64-portbld-freebsd15.0)
List-Id: Security issues
List-Archive: https://lists.freebsd.org/archives/freebsd-security

Hey,

> Does this mean py311 will not be fixed?

No, it will be fixed. Python is usually slow to be updated as new updates require rebuilding of all the Python ports (iirc). You can see the update to 3.12 [1], which just highlights how annoying Python is to port.

On the bright side, none of these security vulnerabilities are too bad: denial of service and an inefficient algorithm. Obviously patching it is important, but the risk is much lower.

If you want to see the kind of vulnerabilities you should be worried about, see [2]. RCEs, or CVEs which lead to RCEs, are the scary ones :p Even more scary if they have been confirmed to be used in the wild, like [2].

Take care,

-- 
Polarian
Jabber/XMPP: polarian@icebound.dev

[1] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=285957
[2] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=291575