<feed xmlns='http://www.w3.org/2005/Atom'>
<title>ports/lang/python314/pkg-plist, branch 13-eol</title>
<subtitle>FreeBSD ports tree</subtitle>
<id>https://cgit-dev.freebsd.org/ports/atom?h=13-eol</id>
<link rel='self' href='https://cgit-dev.freebsd.org/ports/atom?h=13-eol'/>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/ports/'/>
<updated>2026-04-16T21:38:32Z</updated>
<entry>
<title>lang/python314: Security update + other fixes</title>
<updated>2026-04-16T21:38:32Z</updated>
<author>
<name>Matthias Andree</name>
<email>mandree@FreeBSD.org</email>
</author>
<published>2026-04-13T00:10:42Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/ports/commit/?id=013edbc0a89fc65ca15a5a9b49ef9056859f69db'/>
<id>urn:sha1:013edbc0a89fc65ca15a5a9b49ef9056859f69db</id>
<content type='text'>
Fix critical use-after-free bug in LZMA/BZ2/ZLib decompressor routines
when reusing decompressor instances after a MemoryError was raised from
one.

While here:

- fix DEBUG build/package (several %%ABI%% were in the wrong place
  in pkg-plist that caused failed installs)
- switch to using system textproc/expat2 library
- issue warnings in pre-test that IPV6, PYMALLOC are required and
  DEBUG also breaks one self-test
- bump PORTREVISION
- drop LTOFULL again and make LTO use =full

References:
https://mail.python.org/archives/list/security-announce@python.org/thread/HTWB2Z6KT5QQX4RYEZAFININDHNOSIF3
https://www.cve.org/CVERecord?id=CVE-2026-6100
https://github.com/python/cpython/pull/148396

Obtained from:	GitHub repo
		https://github.com/python/cpython/commit/c8d8173c4b06d06902c99ec010ad785a30952880
Security:	CVE-2026-6100
		b8e9f33c-375d-11f1-a119-e36228bfe7d4
</content>
</entry>
<entry>
<title>lang/python314: Security update to 3.14.4</title>
<updated>2026-04-12T17:47:23Z</updated>
<author>
<name>Matthias Andree</name>
<email>mandree@FreeBSD.org</email>
</author>
<published>2026-04-08T09:43:19Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/ports/commit/?id=955268b87942c8ed7787c1cce516bf8bf8ff1041'/>
<id>urn:sha1:955268b87942c8ed7787c1cce516bf8bf8ff1041</id>
<content type='text'>
Add a -flto=full option, which can speed up the port build
in terms of wallclock time at the expense of overall more
CPU time.

Issue a warning that test_ssl will fail from pre-test
if DEBUG is enabled.

Changelog:	https://docs.python.org/release/3.14.4/whatsnew/changelog.html

PR:		294324

Which contains these security fixes:

pyexpat.c: Unbounded C recursion in conv_content_model causes crash
Security:	https://github.com/python/cpython/issues/145986
		/ CVE-2026-4224

Reject control characters in more places in http.cookies.Morsel
Security:	https://github.com/python/cpython/issues/145599
		/ CVE-2026-3644

SourcelessFileLoader does not use io.open_code()
Security:	https://github.com/python/cpython/issues/145506
		/ CVE-2026-2297

Disallow usage of control characters in status, headers and
values for security in Lib/wsgiref/handlers.py
Security:	https://github.com/python/cpython/issues/144370

Reject leading dashes in webbrowser.open()
Security:	https://github.com/python/cpython/issues/143930
		/ 9fdad262-2e0f-11f1-88c7-00a098b42aeb
		/ CVE-2026-4519

Excess Base64 data ignored after padding by default
Security:	https://github.com/python/cpython/issues/145264
		/ CVE-2026-3446

Additional security related PRs from upstream

HTTP proxy via "CONNECT" tunneling doesn't sanitize CR/LF
Obtained from:	https://github.com/python/cpython/pull/148342
Security:	https://github.com/python/cpython/issues/146212
		/ CVE-2026-1502

configparser.RawConfigParser.{OPTCRE,OPTCRE_NV} regexes vulnerable to
quadratic backtracking
Obtained from:	https://github.com/python/cpython/pull/148287
Security:	https://github.com/python/cpython/issues/146333
</content>
</entry>
<entry>
<title>lang/python314: SECURITY update to v3.14.3</title>
<updated>2026-02-05T00:14:29Z</updated>
<author>
<name>Matthias Andree</name>
<email>mandree@FreeBSD.org</email>
</author>
<published>2026-02-04T23:52:01Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/ports/commit/?id=ac8b1c3293727c806d352be64fd74b606f1e27b7'/>
<id>urn:sha1:ac8b1c3293727c806d352be64fd74b606f1e27b7</id>
<content type='text'>
ChangeLog:	https://docs.python.org/release/3.14.3/whatsnew/changelog.html
MFH:		2026Q1 (immediately)

Security fixes:

* gh-144125: BytesGenerator will now refuse to serialize (write) headers
  that are unsafely folded or delimited; see verify_generated_headers.
  (Contributed by Bas Bloemsaat and Petr Viktorin in gh-121650).

* gh-143935: Fixed a bug in the folding of comments when flattening an
  email message using a modern email policy. Comments consisting of a
  very long sequence of non-foldable characters could trigger a forced
  line wrap that omitted the required leading space on the continuation
  line, causing the remainder of the comment to be interpreted as a new
  header field. This enabled header injection with carefully crafted
  inputs.

* gh-143925: Reject control characters in data: URL media types.

* gh-143919: Reject control characters in http.cookies.Morsel fields and
  values.

* gh-143916: Reject C0 control characters within wsgiref.headers.Headers
  fields, values, and parameters.

Security:       CVE-2026-0865
Security:       CVE-2026-1299
Security:       bfe9adc8-0224-11f1-8790-c5fb948922ad
</content>
</entry>
<entry>
<title>lang/python314: security update to 3.14.1</title>
<updated>2025-12-03T20:53:15Z</updated>
<author>
<name>Matthias Andree</name>
<email>mandree@FreeBSD.org</email>
</author>
<published>2025-12-03T19:54:23Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/ports/commit/?id=61c616db40c6e17eefc140bcb00ec608f18459ec'/>
<id>urn:sha1:61c616db40c6e17eefc140bcb00ec608f18459ec</id>
<content type='text'>
Changelog: 	https://docs.python.org/release/3.14.1/whatsnew/changelog.html
</content>
</entry>
<entry>
<title>lang/python314: split out _sqlite3 again.</title>
<updated>2025-11-04T00:48:10Z</updated>
<author>
<name>Matthias Andree</name>
<email>mandree@FreeBSD.org</email>
</author>
<published>2025-11-04T00:28:52Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/ports/commit/?id=a48e645bda8549eaf8b2d090084fedcfbeea9396'/>
<id>urn:sha1:a48e645bda8549eaf8b2d090084fedcfbeea9396</id>
<content type='text'>
to avoid a dependency loop through ICU.

Reported by:    diizzy@
</content>
</entry>
<entry>
<title>lang/python314: get port ready to ship</title>
<updated>2025-11-01T20:11:56Z</updated>
<author>
<name>Matthias Andree</name>
<email>mandree@FreeBSD.org</email>
</author>
<published>2025-11-01T20:02:17Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/ports/commit/?id=60648732604548051b170d9e599e05b870f9d008'/>
<id>urn:sha1:60648732604548051b170d9e599e05b870f9d008</id>
<content type='text'>
claim maintainership on the new port - not doing that with the
previous commit by wen@ to have a clear distinction who contributed
what.

- require archivers/zstd since it's part of the Python standard library:
  https://docs.python.org/3.14/whatsnew/3.14.html#whatsnew314-zstandard

- refresh Makefile.pre.in patch

- skip test_gdb without WITH_DEBUG

  test_gdb has test_pretty_print, which requires debug symbols.
  Skip it if WITH_DEBUG is not defined.

- drop --with-system-ffi configure option, which is no longer supported
  and its behaviour is now the default

- move sqlite3 extension back into port
  because the separate port fails to build
  (mark the external python:-3.13)

PR:		282176
</content>
</entry>
<entry>
<title>lang/python314: add new port</title>
<updated>2025-11-01T20:11:55Z</updated>
<author>
<name>Wen Heping</name>
<email>wen@FreeBSD.org</email>
</author>
<published>2025-11-01T17:49:09Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/ports/commit/?id=962f4aa7d8cdfe5ac7244cc806f4d451a0414da0'/>
<id>urn:sha1:962f4aa7d8cdfe5ac7244cc806f4d451a0414da0</id>
<content type='text'>
-----
committer's note by mandree@:
This does not enable the optional free-threaded build.

PR:		282176
</content>
</entry>
</feed>
