From: Daniel Engberg <diizzy@FreeBSD.org>
Date: Sun, 7 Jun 2026 17:22:58 +0200
Subject: Re: git: 680508df7b6a - main - security/vuxml: Add entry for (py-)setuptools CVE-2025-47273
To: freebsd-python@freebsd.org
Cc: Michael Gmelin
List-Id: FreeBSD-specific Python issues
List-Archive: https://lists.freebsd.org/archives/freebsd-python

> From: Michael Gmelin <grembo_at_freebsd.org>
> Date: Sat, 06 Jun 2026 18:52:15 UTC
>
>> On 6. Jun 2026, at 19:56, Charlie Li <vishwin@freebsd.org> wrote:
>>
>> Michael Gmelin wrote:
>>> Hi,
>>> This probably affects a large number of python ports which won't build
>>> due to the vulnerability in the build dependency.
>>
>> This is a tricky situation because not every consumer can use the
>> latest setuptools, not least due to various breaking functional changes.
>> Even after we finish the latest effort of the setuptools effort (massive
>> is an understatement), there will probably still be a need to keep older
>> versions around.
>>
>> As for this specific vulnerability, it is not exploitable to how we
>> (ports) build Python packages, since the affected mechanism is
>> setuptools's own PyPI fetching mechanism which we do not use (we have
>> our own do-fetch via fetch(1) et al). Further, the source file this was
>> found in is an already deprecated module package_index, about whose only
>> consumer is another deprecated entry point easy_install. We don't use
>> those in ports either. And even in the case of a Python virtual
>> environment, the system Python packages are not used by default, and pip
>> will download the latest setuptools if needed.
>>
>> In all, this vuxml entry was not added or reviewed by the python@
>> team, especially not for applicability to actual use cases.
>
> Almost figured that by the tone of the commit message.
>
> Would it be reasonable to patch all the versions of setuptools we have
> in use (I didn't look at the details of the vulnerability to understand
> how complex such a fix would be)?
>
> Cheers

There's nothing to review, it's valid. There are also multiple security issues with Python itself and related ports, but progress gets blocked or moves at a glacial pace.

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=271673
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=274671
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=270358
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=281470

To mention a few.

You might also want to consider the view on security by reading the comments in https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=287391

Looking at git history, none of the listed VuXML entries related to Python have been initially added by the "Python team" for the past 2 years, and there certainly have been relevant CVEs issued during that time.
https://github.com/psf/advisory-database/tree/main/advisories/python

Security overall isn't a priority in the ports tree; bofh@ made a very good talk about it last year and so far there has been little response, unfortunately: https://www.youtube.com/watch?v=ZGmuZz5ETHs&t=19276s

Security vulnerabilities are in general poorly tracked due to multiple issues: maintainer time, interest, adding entries is time consuming, and so on. Repology lists about 400 ports as "Potentially vulnerable", but there are likely some mismatches; a lot of ports aren't tracked/matched with upstream projects correctly, or are simply very outdated/EOL/discontinued upstream, so they lack any (active) reviewing. Additionally, it also lists about 6.5k ports as out of date, which probably isn't too far off.

If security is a priority, you likely want to review the ports you use and consider using an overlay/forking the ports tree.

Best regards,
Daniel