Date: Sat, 03 Jan 2026 20:23:39 +0000
From: bugzilla-noreply@freebsd.org
To: python@FreeBSD.org
Subject: [Bug 291609] lang/python311: Missing security update
Message-ID: <bug-291609-21822-I5UNG9frcA@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-291609-21822@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=291609

Charlie Li <vishwin@freebsd.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|maintainer-feedback-        |maintainer-feedback+

--- Comment #6 from Charlie Li <vishwin@freebsd.org> ---
[maintainer-timeout does not get to be overridden when it was already set by a
maintainer, especially when feedback was provided]

CVE-2025-13836: https://github.com/python/cpython/issues/119451
Upstream outstanding pull requests (they are backported from the main one
linked from the PR):
3.11: https://github.com/python/cpython/pull/142141
3.10: https://github.com/python/cpython/pull/142142

CVE-2025-12084: https://github.com/python/cpython/issues/142145
Upstream outstanding pull requests:
3.11: https://github.com/python/cpython/pull/142212
3.10: https://github.com/python/cpython/pull/142213

None of these have been committed to their respective branches. Ports will not
include these fixes until upstream commits them, after which PORTREVISION bumps
can happen until they cut new releases.

(In reply to Torsten Zuehlsdorff from comment #3)
It is ultimately up to the upstream CPython project to commit their fixes
appropriately. Using stuff that upstream has not fully blessed, i.e. through
solid commits, does not provide us and our users a good support trail.

-- 
You are receiving this mail because:
You are the assignee for the bug.
