Date: Wed, 01 Apr 2026 21:36:58 +0000 From: Daniel Engberg <diizzy@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: 5d5dab25a1ab - main - security/vuxml: Document Python security issues Message-ID: <69cd8ffa.3f3b9.5c0e319b@gitrepo.freebsd.org>
index | next in thread | raw e-mail
The branch main has been updated by diizzy: URL: https://cgit.FreeBSD.org/ports/commit/?id=5d5dab25a1ab34e1d01d48cb0add3a9539c31c04 commit 5d5dab25a1ab34e1d01d48cb0add3a9539c31c04 Author: Daniel Engberg <diizzy@FreeBSD.org> AuthorDate: 2026-04-01 21:30:59 +0000 Commit: Daniel Engberg <diizzy@FreeBSD.org> CommitDate: 2026-04-01 21:31:07 +0000 security/vuxml: Document Python security issues Security: CVE-2025-15366 Security: CVE-2025-15367 Security: CVE-2026-4519 --- security/vuxml/vuln/2026.xml | 86 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 86 insertions(+) diff --git a/security/vuxml/vuln/2026.xml b/security/vuxml/vuln/2026.xml index 3da5fc37aaec..974dc8cba77f 100644 --- a/security/vuxml/vuln/2026.xml +++ b/security/vuxml/vuln/2026.xml @@ -1,3 +1,89 @@ + <vuln vid="9fdad262-2e0f-11f1-88c7-00a098b42aeb"> + <topic>Python -- The webbrowser.open() API allows leading dashes</topic> + <affects> + <package><name>python310</name> <range><ge>0</ge></range></package> + <package><name>python311</name> <range><ge>0</ge></range></package> + <package><name>python312</name> <range><ge>0</ge></range></package> + <package><name>python313</name> <range><ge>0</ge></range></package> + <package><name>python314</name> <range><ge>0</ge></range></package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>https://github.com/python/cpython/pull/143931 reports:</p> + <blockquote cite="https://github.com/python/cpython/pull/143931">; + <p>The webbrowser.open() API would accept leading dashes in the URL + which could be handled as command line options for certain web + browsers. New behavior rejects leading dashes. Users are recommended + to sanitize URLs prior to passing to webbrowser.open().</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2026-4519</cvename> + <url>https://cveawg.mitre.org/api/cve/CVE-2026-4519</url>; + </references> + <dates> + <discovery>2026-03-20</discovery> + <entry>2026-04-01</entry> + </dates> + </vuln> + + <vuln vid="6d3488ae-2e0f-11f1-88c7-00a098b42aeb"> + <topic>Python -- poplib module, when passed a user-controlled command, can have additional commands injected using newlines</topic> + <affects> + <package><name>python311</name> <range><ge>0</ge></range></package> + <package><name>python312</name> <range><ge>0</ge></range></package> + <package><name>python313</name> <range><ge>0</ge></range></package> + <package><name>python314</name> <range><ge>0</ge></range></package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>Python Software Foundation Security Developer reports:</p> + <blockquote cite="https://github.com/python/cpython/pull/143924">; + <p>The poplib module, when passed a user-controlled command, can have + additional commands injected using newlines. Mitigation rejects + commands containing control characters.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-15367</cvename> + <url>https://cveawg.mitre.org/api/cve/CVE-2025-15367</url>; + </references> + <dates> + <discovery>2026-01-20</discovery> + <entry>2026-04-01</entry> + </dates> + </vuln> + + <vuln vid="0be929a5-2e0f-11f1-88c7-00a098b42aeb"> + <topic>Python -- imaplib module, when passed a user-controlled command, can have additional commands injected using newlines</topic> + <affects> + <package><name>python311</name> <range><ge>0</ge></range></package> + <package><name>python312</name> <range><ge>0</ge></range></package> + <package><name>python313</name> <range><ge>0</ge></range></package> + <package><name>python314</name> <range><ge>0</ge></range></package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>Python Software Foundation Security Developer reports:</p> + <blockquote cite="https://github.com/python/cpython/issues/143921">; + <p>The imaplib module, when passed a user-controlled command, can have + additional commands injected using newlines. Mitigation rejects + commands containing control characters.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-15366</cvename> + <url>https://cveawg.mitre.org/api/cve/CVE-2025-15366</url>; + </references> + <dates> + <discovery>2026-01-20</discovery> + <entry>2026-04-01</entry> + </dates> + </vuln> + <vuln vid="1dc2aae1-0793-4dbd-8548-e63ae0e1bdaf"> <topic>chromium -- security fixes</topic> <affects>home | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?69cd8ffa.3f3b9.5c0e319b>