<feed xmlns='http://www.w3.org/2005/Atom'>
<title>ports/lang/python314, branch 13-eol</title>
<subtitle>FreeBSD ports tree</subtitle>
<id>https://cgit-dev.freebsd.org/ports/atom?h=13-eol</id>
<link rel='self' href='https://cgit-dev.freebsd.org/ports/atom?h=13-eol'/>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/ports/'/>
<updated>2026-04-16T21:38:32Z</updated>
<entry>
<title>lang/python314: Fix incomplete mitigation of webbrowser.open()</title>
<updated>2026-04-16T21:38:32Z</updated>
<author>
<name>Matthias Andree</name>
<email>mandree@FreeBSD.org</email>
</author>
<published>2026-04-13T23:00:40Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/ports/commit/?id=965c6f73bbe0a9361fdd92952e3ac622736ebbb3'/>
<id>urn:sha1:965c6f73bbe0a9361fdd92952e3ac622736ebbb3</id>
<content type='text'>
Cherry-pick fix to resolve
Incomplete mitigation of CVE-2026-4519,
%action expansion for command injection to webbrowser.open()

Obtained from:	GitHub repo
		https://github.com/python/cpython/pull/148516
Security:       CVE-2026-4786
		cf75f572-378a-11f1-a119-e36228bfe7d4
</content>
</entry>
<entry>
<title>lang/python314: Security update + other fixes</title>
<updated>2026-04-16T21:38:32Z</updated>
<author>
<name>Matthias Andree</name>
<email>mandree@FreeBSD.org</email>
</author>
<published>2026-04-13T00:10:42Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/ports/commit/?id=013edbc0a89fc65ca15a5a9b49ef9056859f69db'/>
<id>urn:sha1:013edbc0a89fc65ca15a5a9b49ef9056859f69db</id>
<content type='text'>
Fix critical use-after-free bug in LZMA/BZ2/ZLib decompressor routines
when reusing decompressor instances after a MemoryError was raised from
one.

While here:

- fix DEBUG build/package (several %%ABI%% were in the wrong place
  in pkg-plist that caused failed installs)
- switch to using system textproc/expat2 library
- issue warnings in pre-test that IPV6, PYMALLOC are required and
  DEBUG also breaks one self-test
- bump PORTREVISION
- drop LTOFULL again and make LTO use =full

References:
https://mail.python.org/archives/list/security-announce@python.org/thread/HTWB2Z6KT5QQX4RYEZAFININDHNOSIF3
https://www.cve.org/CVERecord?id=CVE-2026-6100
https://github.com/python/cpython/pull/148396

Obtained from:	GitHub repo
		https://github.com/python/cpython/commit/c8d8173c4b06d06902c99ec010ad785a30952880
Security:	CVE-2026-6100
		b8e9f33c-375d-11f1-a119-e36228bfe7d4
</content>
</entry>
<entry>
<title>lang/python314: Security update to 3.14.4</title>
<updated>2026-04-12T17:47:23Z</updated>
<author>
<name>Matthias Andree</name>
<email>mandree@FreeBSD.org</email>
</author>
<published>2026-04-08T09:43:19Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/ports/commit/?id=955268b87942c8ed7787c1cce516bf8bf8ff1041'/>
<id>urn:sha1:955268b87942c8ed7787c1cce516bf8bf8ff1041</id>
<content type='text'>
Add a -flto=full option, which can speed up the port build
in terms of wallclock time at the expense of overall more
CPU time.

Issue a warning that test_ssl will fail from pre-test
if DEBUG is enabled.

Changelog:	https://docs.python.org/release/3.14.4/whatsnew/changelog.html

PR:		294324

Which contains these security fixes:

pyexpat.c: Unbounded C recursion in conv_content_model causes crash
Security:	https://github.com/python/cpython/issues/145986
		/ CVE-2026-4224

Reject control characters in more places in http.cookies.Morsel
Security:	https://github.com/python/cpython/issues/145599
		/ CVE-2026-3644

SourcelessFileLoader does not use io.open_code()
Security:	https://github.com/python/cpython/issues/145506
		/ CVE-2026-2297

Disallow usage of control characters in status, headers and
values for security in Lib/wsgiref/handlers.py
Security:	https://github.com/python/cpython/issues/144370

Reject leading dashes in webbrowser.open()
Security:	https://github.com/python/cpython/issues/143930
		/ 9fdad262-2e0f-11f1-88c7-00a098b42aeb
		/ CVE-2026-4519

Excess Base64 data ignored after padding by default
Security:	https://github.com/python/cpython/issues/145264
		/ CVE-2026-3446

Additional security related PRs from upstream

HTTP proxy via "CONNECT" tunneling doesn't sanitize CR/LF
Obtained from:	https://github.com/python/cpython/pull/148342
Security:	https://github.com/python/cpython/issues/146212
		/ CVE-2026-1502

configparser.RawConfigParser.{OPTCRE,OPTCRE_NV} regexes vulnerable to
quadratic backtracking
Obtained from:	https://github.com/python/cpython/pull/148287
Security:	https://github.com/python/cpython/issues/146333
</content>
</entry>
<entry>
<title>devel/libtextstyle, devel/gettext*: Update to 1.0</title>
<updated>2026-03-31T13:52:28Z</updated>
<author>
<name>Tijl Coosemans</name>
<email>tijl@FreeBSD.org</email>
</author>
<published>2026-03-31T11:30:41Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/ports/commit/?id=d7a065627cebe93f700d85c8dc605e32074ba886'/>
<id>urn:sha1:d7a065627cebe93f700d85c8dc605e32074ba886</id>
<content type='text'>
devel/gettext-tools: Use external libunistring and libxml2.

lang/python*: Remove dependency on gettext-tools.  It isn't used and
it is gettext-tools that depends on python now.

PR:		293963
Exp-run by:	antoine
</content>
</entry>
<entry>
<title>lang/python314: SECURITY update to v3.14.3</title>
<updated>2026-02-05T00:14:29Z</updated>
<author>
<name>Matthias Andree</name>
<email>mandree@FreeBSD.org</email>
</author>
<published>2026-02-04T23:52:01Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/ports/commit/?id=ac8b1c3293727c806d352be64fd74b606f1e27b7'/>
<id>urn:sha1:ac8b1c3293727c806d352be64fd74b606f1e27b7</id>
<content type='text'>
ChangeLog:	https://docs.python.org/release/3.14.3/whatsnew/changelog.html
MFH:		2026Q1 (immediately)

Security fixes:

* gh-144125: BytesGenerator will now refuse to serialize (write) headers
  that are unsafely folded or delimited; see verify_generated_headers.
  (Contributed by Bas Bloemsaat and Petr Viktorin in gh-121650).

* gh-143935: Fixed a bug in the folding of comments when flattening an
  email message using a modern email policy. Comments consisting of a
  very long sequence of non-foldable characters could trigger a forced
  line wrap that omitted the required leading space on the continuation
  line, causing the remainder of the comment to be interpreted as a new
  header field. This enabled header injection with carefully crafted
  inputs.

* gh-143925: Reject control characters in data: URL media types.

* gh-143919: Reject control characters in http.cookies.Morsel fields and
  values.

* gh-143916: Reject C0 control characters within wsgiref.headers.Headers
  fields, values, and parameters.

Security:       CVE-2026-0865
Security:       CVE-2026-1299
Security:       bfe9adc8-0224-11f1-8790-c5fb948922ad
</content>
</entry>
<entry>
<title>lang/python314: limit compileall to MAKE_JOBS_NUMBER</title>
<updated>2026-02-02T21:49:49Z</updated>
<author>
<name>Matthias Andree</name>
<email>mandree@FreeBSD.org</email>
</author>
<published>2026-02-02T21:38:56Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/ports/commit/?id=c1d4c7da048b60be5d2d2c5ef47653ac34c3bb35'/>
<id>urn:sha1:c1d4c7da048b60be5d2d2c5ef47653ac34c3bb35</id>
<content type='text'>
This seems to help with cross-builds (qemu) for RISC-V machines.

Obtained from:		Siva Mahadevan
Differential Revision:	https://reviews.freebsd.org/D55050
</content>
</entry>
<entry>
<title>lang/python314: Fix cross build with native-xtools</title>
<updated>2026-01-07T01:56:10Z</updated>
<author>
<name>Christian Ullrich</name>
<email>chris@chrullrich.net</email>
</author>
<published>2026-01-06T18:44:37Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/ports/commit/?id=ee4ed05b2a99e177ff9a60659d87e2a74eb1e3b6'/>
<id>urn:sha1:ee4ed05b2a99e177ff9a60659d87e2a74eb1e3b6</id>
<content type='text'>
- Python 3.14 does not include the OS version in the name of the
  sysconfigdata file anymore.
- There are at least two commands on a single line that should have
  their /nxb-bin/ prefix removed.

PR:             292222
</content>
</entry>
<entry>
<title>lang/python314: security update to 3.14.2</title>
<updated>2025-12-08T21:02:08Z</updated>
<author>
<name>Matthias Andree</name>
<email>mandree@FreeBSD.org</email>
</author>
<published>2025-12-08T21:02:08Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/ports/commit/?id=27b20775dbd24031c61ce69c9e000584a7b4900e'/>
<id>urn:sha1:27b20775dbd24031c61ce69c9e000584a7b4900e</id>
<content type='text'>
https://github.com/python/cpython/issues/142145 CVE-2025-12084
"Remove quadratic behavior in node ID cache clearing"

https://github.com/python/cpython/issues/119451 CVE-2025-13836
"Out-of-memory when reading a HTTP response with large Content-Length"

Announcement:	https://pythoninsider.blogspot.com/2025/12/python-3142-and-31311-are-now-available.html
Changelog:	https://docs.python.org/release/3.14.2/whatsnew/changelog.html
Security:       613d0f9e-d477-11f0-9e85-03ddfea11990
Security:       CVE-2025-12084
Security:       CVE-2025-13836
</content>
</entry>
<entry>
<title>lang/python314: security update to 3.14.1</title>
<updated>2025-12-03T20:53:15Z</updated>
<author>
<name>Matthias Andree</name>
<email>mandree@FreeBSD.org</email>
</author>
<published>2025-12-03T19:54:23Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/ports/commit/?id=61c616db40c6e17eefc140bcb00ec608f18459ec'/>
<id>urn:sha1:61c616db40c6e17eefc140bcb00ec608f18459ec</id>
<content type='text'>
Changelog: 	https://docs.python.org/release/3.14.1/whatsnew/changelog.html
</content>
</entry>
<entry>
<title>Remove empty lines at the end of Makefile(s)</title>
<updated>2025-11-07T16:59:30Z</updated>
<author>
<name>Alex Kozlov</name>
<email>ak@FreeBSD.org</email>
</author>
<published>2025-11-07T16:59:30Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/ports/commit/?id=47146e221c25f49bfbe8d29f2faf6027ec38d030'/>
<id>urn:sha1:47146e221c25f49bfbe8d29f2faf6027ec38d030</id>
<content type='text'>
Approved by:	portmgr blanket
</content>
</entry>
</feed>
