Date: Mon, 12 Jan 2026 13:52:53 +0000
From: Nicola Vitale <nivit@FreeBSD.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Subject: git: 4c16cd51c0f6 - main - security/vuxml: Add devel/py-virtualenv <= 20.36.0
Message-ID: <6964fcb5.a8cb.39e95db7@gitrepo.freebsd.org>
The branch main has been updated by nivit:

URL: https://cgit.FreeBSD.org/ports/commit/?id=4c16cd51c0f662ddea745b816c3d636726156462

commit 4c16cd51c0f662ddea745b816c3d636726156462
Author:     Nicola Vitale <nivit@FreeBSD.org>
AuthorDate: 2026-01-12 13:50:01 +0000
Commit:     Nicola Vitale <nivit@FreeBSD.org>
CommitDate: 2026-01-12 13:52:48 +0000

    security/vuxml: Add devel/py-virtualenv <= 20.36.0
---
 security/vuxml/vuln/2026.xml | 38 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)

diff --git a/security/vuxml/vuln/2026.xml b/security/vuxml/vuln/2026.xml
index 2c8e398b7d92..431bdeb594ce 100644
--- a/security/vuxml/vuln/2026.xml
+++ b/security/vuxml/vuln/2026.xml
@@ -1,3 +1,41 @@ + <vuln vid="fd3855b8-efbc-11f0-9e3f-b0416f0c4c67"> + <topic>virtualenv -- CWE-59: Improper Link Resolution Before File Access ('Link Following')</topic> + <affects> + <package> + <name>py310-virtualenv</name> + <name>py311-virtualenv</name> + <name>py312-virtualenv</name> + <name>py313-virtualenv</name> + <name>py313t-virtualenv</name> + <name>py314-virtualenv</name> + <range><lt>20.36.1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>https://github.com/pypa/virtualenv/security/advisories/GHSA-597g-3phw-6986 reports:</p> + <blockquote cite="https://github.com/pypa/virtualenv/security/advisories/GHSA-597g-3phw-6986"> + <p>virtualenv is a tool for creating isolated virtual python environments. +Prior to version 20.36.1, TOCTOU (Time-of-Check-Time-of-Use) +vulnerabilities in virtualenv allow local attackers to perform +symlink-based attacks on directory creation operations. An attacker +with local access can exploit a race condition between directory +existence checks and creation to redirect virtualenv's app_data and +lock file operations to attacker-controlled locations. This issue +has been patched in version 20.36.1.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2026-22702</cvename> + <url>https://cveawg.mitre.org/api/cve/CVE-2026-22702</url> + </references> + <dates> + <discovery>2026-01-10</discovery> + <entry>2026-01-12</entry> + </dates> + </vuln> + <vuln vid="7e63d0dd-eeff-11f0-b135-c01803b56cc4"> <topic>libtasn1 -- Stack-based buffer overflow</topic> <affects>home | help
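Review bot: the <references> block of the new <vuln> entry lists only the CVE name and the MITRE API URL, while the GHSA advisory that the <description> quotes and cites in its blockquote (https://github.com/pypa/virtualenv/security/advisories/GHSA-597g-3phw-6986) is not recorded as a reference; since that advisory is the primary source for the description, the fix version (20.36.1) and the discovery date, add it alongside the CVE so that pkg-audit output and the VuXML page link to it directly, e.g. `<url>https://github.com/pypa/virtualenv/security/advisories/GHSA-597g-3phw-6986</url>` after the existing `<url>` line. The rest of the entry is consistent with itself: the `<range><lt>20.36.1</lt></range>` bound matches the "Prior to version 20.36.1" wording in the quoted text and the "<= 20.36.0" in the commit subject, and the py310 through py314 (plus py313t) package names cover the flavors the ports tree builds for devel/py-virtualenv.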
