Date: Sat, 6 Jun 2026 14:33:13 +0200
From: Michael Gmelin (grembo@freebsd.org)
To: python@freebsd.org
Subject: Fw: git: 680508df7b6a - main - security/vuxml: Add entry for (py-)setuptools CVE-2025-47273
Message-ID: <20260606143313.5d528823.grembo@freebsd.org>
List-Id: FreeBSD-specific Python issues
List-Archive: https://lists.freebsd.org/archives/freebsd-python

Hi,

This probably affects a large number of python ports which won't build due to the vulnerability in the build dependency.

Any plans on how to proceed?

Best
Michael

Begin forwarded message:

Date: Thu, 14 May 2026 10:00:49 +0000
From: Daniel Engberg To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: 680508df7b6a - main - security/vuxml: Add entry for (py-)setuptools CVE-2025-47273 The branch main has been updated by diizzy: URL: https://cgit.FreeBSD.org/ports/commit/?id=680508df7b6afef2e0946653a556df8db30af1fb commit 680508df7b6afef2e0946653a556df8db30af1fb Author: Daniel Engberg AuthorDate: 2026-05-14 09:54:53 +0000 Commit: Daniel Engberg CommitDate: 2026-05-14 09:54:57 +0000 security/vuxml: Add entry for (py-)setuptools CVE-2025-47273 This is almost a one year old CVE --- security/vuxml/vuln/2026.xml | 37 +++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) diff --git a/security/vuxml/vuln/2026.xml b/security/vuxml/vuln/2026.xml index 16b80d389de4..58825aabec01 100644 --- a/security/vuxml/vuln/2026.xml +++ b/security/vuxml/vuln/2026.xml @@ -1,3 +1,40 @@ + + py-setuptools -- Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') + + + py310-setuptools + py311-setuptools + py312-setuptools + py313-setuptools + py313t-setuptools + py314-setuptools + 78.1.1 + + + + +

https://github.com/pypa/setuptools/security/advisories/GHSA-5rjg-fvgr-3xxf reports:

+
+

setuptools is a package that allows users to download, build, + install, upgrade, and uninstall Python packages. A path traversal + vulnerability in `PackageIndex` is present in setuptools prior to + version 78.1.1. An attacker would be allowed to write files to + arbitrary locations on the filesystem with the permissions of the + process running the Python code, which could escalate to remote + code execution depending on the context.

+
+ +
+ + CVE-2025-47273 + https://cveawg.mitre.org/api/cve/CVE-2025-47273 + + + 2025-05-17 + 2026-05-14 + +
+
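Review bot: the references section of this new entry carries only the CVE name and the cveawg.mitre.org URL, while the upstream advisory (https://github.com/pypa/setuptools/security/advisories/GHSA-5rjg-fvgr-3xxf) is cited only inside the description body; add it as a second url reference so readers and tooling reach the advisory that the 78.1.1 fix version in the range is taken from. The description also ends with "which could escalate to remote code execution depending on the context" without saying what that context is; since the same paragraph names `PackageIndex` as the affected component, stating that only code fetching packages through `PackageIndex` reaches the vulnerable path would help port maintainers judge whether a build-time dependency on setuptools actually exercises it.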