To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: Matthias Andree
Subject: git: a950cda2477c - main - security/vuxml: add python <3.14.3 <3.13.12 security issues
List-Id: Commits to the main branch of the FreeBSD ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main
X-BeenThere: dev-commits-ports-main@freebsd.org
Sender: owner-dev-commits-ports-main@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: mandree
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: a950cda2477cd8681c9463467dbb46aeae222305
Auto-Submitted: auto-generated
Date: Thu, 05 Feb 2026 00:14:31 +0000
Message-Id: <6983e0e7.3220f.2037fb07@gitrepo.freebsd.org>

The branch main has been updated by mandree:

URL: https://cgit.FreeBSD.org/ports/commit/?id=a950cda2477cd8681c9463467dbb46aeae222305

commit a950cda2477cd8681c9463467dbb46aeae222305
Author:     Matthias Andree
AuthorDate: 2026-02-05 00:11:12 +0000
Commit:     Matthias Andree
CommitDate: 2026-02-05 00:14:28 +0000

    security/vuxml: add python <3.14.3 <3.13.12 security issues

    Security: CVE-2026-0865
    Security: CVE-2026-1299
    Security: bfe9adc8-0224-11f1-8790-c5fb948922ad
---
 security/vuxml/vuln/2026.xml | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)

diff --git a/security/vuxml/vuln/2026.xml b/security/vuxml/vuln/2026.xml index bcfd780ce523..fa3c767e2264 100644 --- a/security/vuxml/vuln/2026.xml +++ b/security/vuxml/vuln/2026.xml @@ -1,3 +1,39 @@ + + python -- several security vulnerabilities + + python39 0 + python310 0 + python311 0 + python312 0 + python313 3.13.12 + python313t 3.13.12 + python314 3.14.3 + + + +

The Python project announces a new release with several security fixes:

+
+
    +
  • CVE-2026-1299: gh-144125: BytesGenerator will now refuse to serialize (write) headers that are unsafely folded or delimited; see verify_generated_headers. (Contributed by Bas Bloemsaat and Petr Viktorin in gh-121650).
  • +
  • gh-143935: Fixed a bug in the folding of comments when flattening an email message using a modern email policy. Comments consisting of a very long sequence of non-foldable characters could trigger a forced line wrap that omitted the required leading space on the continuation line, causing the remainder of the comment to be interpreted as a new header field. This enabled header injection with carefully crafted inputs.
  • +
  • gh-143925: Reject control characters in data: URL media types.
  • +
  • gh-143919: Reject control characters in http.cookies.Morsel fields and values.
  • +
  • CVE-2026-0865: gh-143916: Reject C0 control characters within wsgiref.headers.Headers fields, values, and parameters.
  • +
+
+ +
+ + CVE-2026-1299 + CVE-2026-0865 + https://docs.python.org/release/3.14.3/whatsnew/changelog.html + + + 2026-01-16 + 2026-02-04 + +
+ xrdp -- remote code execution
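
Review bot: The references at the end of the new entry cite only https://docs.python.org/release/3.14.3/whatsnew/changelog.html, while the affected-package list also bounds python313 and python313t at 3.13.12; add a reference for the 3.13.12 release so users of the 3.13 branch can check the fixes against their own changelog. In the same package list, python39 through python312 carry a bare 0, which reads as every version of those ports being affected with no fixed release; if that is intended, a sentence in the description saying these branches have no fixed version would tell users that the audit finding will not clear by upgrading within the branch.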