Subject: Re: git: 680508df7b6a - main - security/vuxml: Add entry for (py-)setuptools CVE-2025-47273
From: Michael Gmelin <grembo@freebsd.org>
To: Charlie Li
Cc: python@freebsd.org
Date: Sat, 6 Jun 2026 20:52:15 +0200
Message-Id: <97C82344-7644-4D2A-9261-321205789261@freebsd.org>
List-Id: FreeBSD-specific Python issues (freebsd-python@freebsd.org)
List-Archive: https://lists.freebsd.org/archives/freebsd-python

> On 6. Jun 2026, at 19:56, Charlie Li wrote:
>
> Michael Gmelin wrote:
>> Hi,
>> This probably affects a large number of python ports which won't build
>> due to the vulnerability in the build dependency.
>
> This is a tricky situation because not every consumer can use the latest setuptools, not least due to various breaking functional changes. Even after we finish the latest effort of the setuptools effort (massive is an understatement), there will probably still be a need to keep older versions around.
>
> As for this specific vulnerability, it is not exploitable to how we (ports) build Python packages, since the affected mechanism is setuptools's own PyPI fetching mechanism which we do not use (we have our own do-fetch via fetch(1) et al). Further, the source file this was found in is an already deprecated module package_index, about whose only consumer is another deprecated entry point easy_install. We don't use those in ports either. And even in the case of a Python virtual environment, the system Python packages are not used by default, and pip will download the latest setuptools if needed.
>
> In all, this vuxml entry was not added or reviewed by the python@ team, especially not for applicability to actual use cases.
>

Almost figured that by the tone of the commit message.

Would it be reasonable to patch all the versions of setuptools we have in use (I didn't look at the details of the vulnerability to understand how complex such a fix would be)?

Cheers