From: Hubert Tournier <hubert.tournier@gmail.com>
Date: Mon, 24 Apr 2023 22:42:31 +0200
Subject: Re: [Bug 263060] devel/py-py: Update to 1.10.0 (security) -> 1.11.0 (for @py311 support)
To: george@m5p.com
Cc: python@freebsd.org
List-Id: FreeBSD-specific Python issues
List-Archive: https://lists.freebsd.org/archives/freebsd-python
Hello,

Project's URL is https://github.com/pytest-dev/py

Version 1.11.0 is the latest version available.

When you look at https://osv.dev/vulnerability/PYSEC-2022-42969 you see the "Last affected 1.11.0" entry, which means that the latest available version is vulnerable (otherwise, you would have a "Fixed x.x.x" entry).

The source code repository states that "this library is in *maintenance mode* and should not be used in new code.".

According to the discussions referenced in the PYSEC entry, you'll see that the maintainers downplay this vulnerability report and have no intention to fix it.

They also mention their desire to have it withdrawn, which apparently never happened in any of the vulnerability repositories I use...

Granted, it seems to affect a portion of the code that will probably rarely be used nowadays, so the risk is probably low.

I guess that this port will stay vulnerable, unless someone has a corrected fork among the 65 existing ones...

Best regards,

On Mon, 24 Apr 2023 at 19:45, <bugzilla-noreply@freebsd.org> wrote:
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263060
>
> George Mitchell <george@m5p.com> changed:
>
>            What    |Removed                     |Added
> ----------------------------------------------------------------------------
>                  CC|                            |george@m5p.com
>
> --- Comment #4 from George Mitchell <george@m5p.com> ---
> It appears as if this bug should be closed.  However, can anyone here verify
> the WWW entry in the Makefile?  Visiting https://pylib.org sends one to a
> company that appears to be in the business of writing term papers.
> https://pypi.org/project/py/ looks a lot more plausible to me.  In the meantime,
> version 1.11.0 is now listed in vulm.xml, and there doesn't seem to be a
> newer version available yet.
>
> --
> You are receiving this mail because:
> You are the assignee for the bug.
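The reply above turns on how an OSV record's affected ranges are read: a range that ends in a "last_affected" event instead of a "fixed" event names no fixed release, so even the newest version on PyPI remains covered by the advisory. As an added example (not code from this thread, from the py project or from osv.dev), the Python below evaluates that rule for a given package version. The record embedded in it is constructed to mirror the shape the reply describes for PYSEC-2022-42969 (an "introduced" event followed only by "last_affected": "1.11.0"); it is not fetched from osv.dev, the helper names are this example's own, and the version comparison is a simplified dotted-integer key rather than full PEP 440 (an assumption that holds for the release numbers discussed here).

```python
"""Interpret an OSV advisory's affected ranges for a given package version.

OSV "ECOSYSTEM" ranges are ordered lists of events: "introduced", "fixed"
and "last_affected". A range whose final event is "last_affected" rather
than "fixed" records no fixed release, so the newest release it names is
still vulnerable, which is what the thread observes for py 1.11.0.
"""
import json

# Constructed record modelled on the OSV schema. It mirrors only the fields
# the thread discusses and is NOT the live osv.dev entry.
CONSTRUCTED_OSV_RECORD = json.dumps({
    "id": "PYSEC-2022-42969",
    "affected": [{
        "package": {"ecosystem": "PyPI", "name": "py"},
        "ranges": [{
            "type": "ECOSYSTEM",
            "events": [{"introduced": "0"}, {"last_affected": "1.11.0"}],
        }],
    }],
})


def version_key(text):
    """Comparison key for plain dotted release numbers such as "1.11.0".

    Assumption: sufficient for the versions in the thread. Real tooling
    should use packaging.version, which handles full PEP 440 (rc, post, ...).
    """
    return tuple(int(part) for part in text.split("."))


def is_version_affected(events, version):
    """Walk one range's ordered events and report whether `version` falls in
    an affected interval: introduced <= v < fixed, or
    introduced <= v <= last_affected."""
    v = version_key(version)
    affected = False
    for event in events:
        if "introduced" in event:
            # "0" is the OSV sentinel for "from the first release onwards".
            start = () if event["introduced"] == "0" else version_key(event["introduced"])
            if v >= start:
                affected = True
        elif "fixed" in event and v >= version_key(event["fixed"]):
            affected = False
        elif "last_affected" in event and v > version_key(event["last_affected"]):
            affected = False
    return affected


def assess_advisory(record_json, ecosystem, package, version):
    """Summarise what the record says about one package version.

    Returns a dict with:
      affected       - True if any ECOSYSTEM range for the package covers version
      fix_available  - True if at least one range names a "fixed" release,
                       i.e. upgrading can close the finding
      fixed_versions - the "fixed" releases listed (empty when none)
    """
    record = json.loads(record_json)
    affected = False
    fixed_versions = []
    for entry in record.get("affected", []):
        pkg = entry.get("package", {})
        if pkg.get("ecosystem") != ecosystem or pkg.get("name") != package:
            continue
        for rng in entry.get("ranges", []):
            if rng.get("type") != "ECOSYSTEM":
                continue
            events = rng.get("events", [])
            fixed_versions += [e["fixed"] for e in events if "fixed" in e]
            if is_version_affected(events, version):
                affected = True
    return {
        "id": record.get("id"),
        "affected": affected,
        "fix_available": bool(fixed_versions),
        "fixed_versions": fixed_versions,
    }


if __name__ == "__main__":
    result = assess_advisory(CONSTRUCTED_OSV_RECORD, "PyPI", "py", "1.11.0")
    print(result)
    if result["affected"] and not result["fix_available"]:
        print("No fixed release is recorded: updating the port to the newest "
              "version does not clear this advisory.")
```

The useful signal for a port maintainer is the combination `affected` and not `fix_available`: it distinguishes "update the port" from "there is nothing to update to", which is the situation the reply describes. Against a real record, feed the JSON returned by the OSV API for the package instead of the constructed constant.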