Date: Sat, 6 Jun 2026 20:52:15 +0200
From: Michael Gmelin <grembo@freebsd.org>
To: Charlie Li <vishwin@freebsd.org>
Cc: python@freebsd.org
Subject: Re: git: 680508df7b6a - main - security/vuxml: Add entry for (py-)setuptools CVE-2025-47273
Message-ID: <97C82344-7644-4D2A-9261-321205789261@freebsd.org>
In-Reply-To: <a7e29b85-ef81-4248-a311-e5fa706ef656@freebsd.org>
> On 6. Jun 2026, at 19:56, Charlie Li <vishwin@freebsd.org> wrote:
>
> Michael Gmelin wrote:
>> Hi,
>> This probably affects a large number of python ports which won't build
>> due to the vulnerability in the build dependency.
> This is a tricky situation because not every consumer can use the latest setuptools, not least due to various breaking functional changes. Even after we finish the latest setuptools effort (massive is an understatement), there will probably still be a need to keep older versions around.
>
> As for this specific vulnerability, it is not exploitable given how we (ports) build Python packages, since the affected mechanism is setuptools's own PyPI fetching mechanism which we do not use (we have our own do-fetch via fetch(1) et al). Further, the source file this was found in is an already deprecated module, package_index, whose only consumer is another deprecated entry point, easy_install. We don't use those in ports either. And even in the case of a Python virtual environment, the system Python packages are not used by default, and pip will download the latest setuptools if needed.
>
> In all, this vuxml entry was not added or reviewed by the python@ team, especially not for applicability to actual use cases.
>

Almost figured that by the tone of the commit message. Would it be reasonable to patch all the versions of setuptools we have in use (I didn't look at the details of the vulnerability to understand how complex such a fix would be)?

Cheers
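The applicability argument above rests on one checkable claim: the build never reaches the deprecated package_index / easy_install code path. As an added example (not part of this thread, and not code from the ports framework or from setuptools), here is one way to verify that for a given build: run it in an interpreter with a meta path finder in front of the normal ones that records, and optionally refuses, imports of those modules. The dotted module names in DEFAULT_DENYLIST are assumptions about setuptools' layout (they have moved between releases), and ImportGuard, audit_build and the helper names are invented for this example.

```python
"""Import guard: does a Python build ever reach a given module?

Added example, not from the thread. Install the guard in the interpreter
that runs the build (e.g. from a sitecustomize.py on the build's
PYTHONPATH) and run the build as usual. If none of the denylisted modules
is imported, the code inside them was never executed by that build.
"""
import importlib
import importlib.abc
import sys
from typing import Callable, Iterable, List, Tuple

# Names taken from the thread; the exact dotted paths are an assumption and
# differ between setuptools releases, so adjust them for the version in use.
DEFAULT_DENYLIST = (
    "setuptools.package_index",
    "setuptools.command.easy_install",
    "easy_install",
)


class ImportGuard(importlib.abc.MetaPathFinder):
    """Meta path finder that records (and optionally blocks) imports."""

    def __init__(self, denylist: Iterable[str] = DEFAULT_DENYLIST, enforce: bool = True):
        self.denylist = tuple(denylist)
        self.enforce = enforce
        self.hits: List[str] = []       # denylisted modules requested under the guard
        self.preloaded: List[str] = []  # denylisted modules cached before the guard went in

    def matches(self, fullname: str) -> bool:
        return any(fullname == d or fullname.startswith(d + ".") for d in self.denylist)

    def find_spec(self, fullname: str, path, target=None):
        if self.matches(fullname):
            self.hits.append(fullname)
            if self.enforce:
                raise ImportError(f"ImportGuard: import of {fullname} is blocked")
        return None  # not ours: let the regular finders resolve it

    def __enter__(self):
        # Finders are only consulted for modules not yet in sys.modules, so a
        # module loaded before the guard is installed would otherwise slip by.
        self.preloaded = [m for m in sys.modules if self.matches(m)]
        sys.meta_path.insert(0, self)
        return self

    def __exit__(self, *exc):
        if self in sys.meta_path:
            sys.meta_path.remove(self)
        return False  # never swallow the build's exceptions


def audit_build(build: Callable[[], None],
                denylist: Iterable[str] = DEFAULT_DENYLIST,
                enforce: bool = True) -> Tuple[bool, List[str], List[str]]:
    """Run build() under the guard; return (completed, hits, preloaded)."""
    with ImportGuard(denylist, enforce) as guard:
        try:
            build()
            completed = True
        except ImportError:
            completed = False  # only reached when enforce=True blocked something
    return completed, list(guard.hits), list(guard.preloaded)


def forget_module(name: str) -> None:
    """Drop a module from the import cache so the finders see it again."""
    sys.modules.pop(name, None)


def is_loaded(name: str) -> bool:
    return name in sys.modules


if __name__ == "__main__":
    # Stand-in for the real build step, e.g. running setup.py build in-process.
    ok, hits, pre = audit_build(lambda: importlib.import_module("json"))
    print("build completed:", ok, "denylisted imports:", hits, "preloaded:", pre)
```

Two caveats a practitioner should keep in mind: the guard only sees imports that go through this interpreter's import machinery, so anything a subprocess does (a pip invocation inside a venv, for instance) needs its own guard; and a denylisted module that was already cached before the guard was installed is reported in `preloaded` rather than `hits`, because cached modules never reach the finders.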
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?97C82344-7644-4D2A-9261-321205789261>
