Date: Mon, 24 Apr 2023 22:42:31 +0200
From: Hubert Tournier <hubert.tournier@gmail.com>
To: george@m5p.com
Cc: python@freebsd.org
Subject: Re: [Bug 263060] devel/py-py: Update to 1.10.0 (security) -> 1.11.0 (for @py311 support)
Message-ID: <CADr%2Bmw8Ws39LCQ4RoVon_XGijP3qmynPe1m5KcRwQ3wcCboi-w@mail.gmail.com>
In-Reply-To: <bug-263060-21822-HEdmuI5eBK@https.bugs.freebsd.org/bugzilla/>
References: <bug-263060-21822@https.bugs.freebsd.org/bugzilla/> <bug-263060-21822-HEdmuI5eBK@https.bugs.freebsd.org/bugzilla/>
Hello,
Project's URL is https://github.com/pytest-dev/py
Version 1.11.0 is the last version available.
When you look at https://osv.dev/vulnerability/PYSEC-2022-42969 you see the "Last affected 1.11.0" entry, which means that the latest available version is vulnerable (otherwise, you would have a "Fixed x.x.x" entry).
The source code repository states that "this library is in *maintenance mode* and should not be used in new code.".
According to the discussions referenced in the PYSEC entry, you'll see that the maintainers downplay this vulnerability report and have no intention to fix it.
They also mention their desire to have it withdrawn, which apparently never happened in any of the vulnerability repositories I use...
Granted it seems to affect a portion of the code that'll probably rarely be used nowadays, so the risk is probably low.
I guess that this port will stay vulnerable, unless someone has a corrected fork among the 65 existing ones...
Best regards,

On Mon, 24 Apr 2023 at 19:45, <bugzilla-noreply@freebsd.org> wrote:
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263060
>
> George Mitchell <george@m5p.com> changed:
>
>            What    |Removed                     |Added
> ----------------------------------------------------------------------------
>                  CC|                            |george@m5p.com
>
> --- Comment #4 from George Mitchell <george@m5p.com> ---
> It appears as if this bug should be closed.  However, can anyone here verify
> the WWW entry in the Makefile?  Visiting https://pylib.org sends one to a
> company that appears to be in the business of writing term papers.
> https://pypi.org/project/py/ looks a lot more plausible to me.  In the mean
> time, version 1.11.0 is now listed in vuln.xml, and there doesn't seem to be a
> newer version available yet.
>
> --
> You are receiving this mail because:
> You are the assignee for the bug.
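Checking an OSV entry's range events programmatically, as an added example that is not part of this thread and not the py project's code. OSV ranges are lists of events: `introduced` is an inclusive lower bound, `fixed` an exclusive upper bound, and `last_affected` an inclusive upper bound used when no fixed release exists, which is exactly the "Last affected 1.11.0" versus "Fixed x.x.x" distinction discussed above. The advisory records below are constructed to match the shape of OSV data (they are not copies of PYSEC-2022-42969), and the version parser is a dotted-numeric simplification rather than full PEP 440:

```python
"""Decide whether a package version is inside an OSV advisory's affected range.

OSV "ECOSYSTEM"/"SEMVER" ranges are lists of events: `introduced` (inclusive
lower bound), `fixed` (exclusive upper bound) and `last_affected` (inclusive
upper bound, used when no fix exists). A range that ends with `last_affected`
therefore says the newest known release is still vulnerable.
The SAMPLE_* records are constructed stand-ins, not copies of real advisories.
"""
import json

# Constructed record shaped like an OSV entry with no fix (only last_affected).
SAMPLE_NO_FIX = json.loads("""
{
  "id": "PYSEC-EXAMPLE-NOFIX",
  "affected": [{
    "package": {"ecosystem": "PyPI", "name": "py"},
    "ranges": [{"type": "ECOSYSTEM",
                "events": [{"introduced": "0"}, {"last_affected": "1.11.0"}]}]
  }]
}
""")

# Constructed record for contrast: a range that is closed by a fixed release.
SAMPLE_WITH_FIX = json.loads("""
{
  "id": "PYSEC-EXAMPLE-FIXED",
  "affected": [{
    "package": {"ecosystem": "PyPI", "name": "example-pkg"},
    "ranges": [{"type": "ECOSYSTEM",
                "events": [{"introduced": "0"}, {"fixed": "2.0.0"}]}]
  }]
}
""")


def parse_version(text):
    """Dotted numeric versions only (1.11.0 -> (1, 11, 0)); non-numeric
    segments are treated as 0. This is a simplification of PEP 440."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))


def version_cmp(a, b):
    """Compare two parsed versions after zero-padding to equal length."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def intervals(events):
    """Turn an OSV event list into (low, high, high_inclusive) tuples.
    high is None for a range that is still open (no fix, no last_affected)."""
    out, low = [], None
    for ev in events:
        if "introduced" in ev:
            low = parse_version(ev["introduced"])
        elif "fixed" in ev and low is not None:
            out.append((low, parse_version(ev["fixed"]), False))
            low = None
        elif "last_affected" in ev and low is not None:
            out.append((low, parse_version(ev["last_affected"]), True))
            low = None
    if low is not None:
        out.append((low, None, False))
    return out


def is_affected(advisory, package, version):
    """True if `version` of `package` falls inside any affected range."""
    v = parse_version(version)
    for aff in advisory["affected"]:
        if aff["package"]["name"].lower() != package.lower():
            continue
        for rng in aff.get("ranges", []):
            if rng.get("type") not in ("ECOSYSTEM", "SEMVER"):
                continue
            for low, high, inclusive in intervals(rng["events"]):
                if version_cmp(v, low) < 0:
                    continue
                if high is None:
                    return True
                c = version_cmp(v, high)
                if c < 0 or (inclusive and c == 0):
                    return True
    return False


def fix_status(advisory, package):
    """Summarise whether the advisory names a fixed release for the package."""
    for aff in advisory["affected"]:
        if aff["package"]["name"].lower() != package.lower():
            continue
        for rng in aff.get("ranges", []):
            for ev in rng.get("events", []):
                if "fixed" in ev:
                    return "fixed in " + ev["fixed"]
                if "last_affected" in ev:
                    return "no fix; last affected " + ev["last_affected"]
    return "package not listed"


if __name__ == "__main__":
    for ver in ("1.10.0", "1.11.0", "1.12.0"):
        print("py", ver, "affected:", is_affected(SAMPLE_NO_FIX, "py", ver))
    print(fix_status(SAMPLE_NO_FIX, "py"))
    print(fix_status(SAMPLE_WITH_FIX, "example-pkg"))
```

The same logic applies to a real record downloaded from osv.dev: when the only closing event is `last_affected`, a port pinned to that release remains flagged until the advisory gains a `fixed` event or is withdrawn upstream.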