python311-3.11.15 is vulnerable:
Python -- poplib module, when passed a user-controlled command, can have additional commands injected using newlines
CVE: CVE-2025-15367
WWW: https://vuxml.FreeBSD.org/freebsd/6d3488ae-2e0f-11f1-88c7-00a098b42aeb.html

Python -- imaplib module, when passed a user-controlled command, can have additional commands injected using newlines
CVE: CVE-2025-15366
WWW: https://vuxml.FreeBSD.org/freebsd/0be929a5-2e0f-11f1-88c7-00a098b42aeb.html

Python -- The webbrowser.open() API allows leading dashes
CVE: CVE-2026-4519
WWW: https://vuxml.FreeBSD.org/freebsd/9fdad262-2e0f-11f1-88c7-00a098b42aeb.html
We've known since the vuxml entries were added. These are not in any release yet. The poplib and imaplib issues are not backported due to potentially breaking behaviour. Upstream are still investigating whether the supplied commits are correct in following the RFCs that they implement. As a result the vuxml entries will need splitting.
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=f07bff5c0deefac2ad77689a79965fefc468bf9f

commit f07bff5c0deefac2ad77689a79965fefc468bf9f
Author:     Charlie Li <vishwin@FreeBSD.org>
AuthorDate: 2026-04-04 17:06:47 +0000
Commit:     Charlie Li <vishwin@FreeBSD.org>
CommitDate: 2026-04-04 17:09:29 +0000

    security/vuxml: add missed python packages

    PR: 294246

 security/vuxml/vuln/2026.xml | 7 +++++++
 1 file changed, 7 insertions(+)
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=2af09f68ce6c2203fa431e4be7778911fdff54e3

commit 2af09f68ce6c2203fa431e4be7778911fdff54e3
Author:     Charlie Li <vishwin@FreeBSD.org>
AuthorDate: 2026-04-04 17:03:36 +0000
Commit:     Charlie Li <vishwin@FreeBSD.org>
CommitDate: 2026-04-04 17:09:26 +0000

    security/vuxml: add ranges for python webbrowser.open() API entry

    PR: 294246

 security/vuxml/vuln/2026.xml | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=569e99b1dff2d8c0b0d753735b28e0df5e2dd6b9

commit 569e99b1dff2d8c0b0d753735b28e0df5e2dd6b9
Author:     Charlie Li <vishwin@FreeBSD.org>
AuthorDate: 2026-04-06 01:59:51 +0000
Commit:     Charlie Li <vishwin@FreeBSD.org>
CommitDate: 2026-04-06 01:59:51 +0000

    lang/python313: pull in upstream commits addressing webbrowser.open() issue

    Security: 9fdad262-2e0f-11f1-88c7-00a098b42aeb
    PR: 294246

 lang/python313/Makefile | 6 +++++-
 lang/python313/distinfo | 6 +++++-
 2 files changed, 10 insertions(+), 2 deletions(-)
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=eae851578f69e34b4520d9b0ef582dddf8541281

commit eae851578f69e34b4520d9b0ef582dddf8541281
Author:     Charlie Li <vishwin@FreeBSD.org>
AuthorDate: 2026-04-06 02:15:59 +0000
Commit:     Charlie Li <vishwin@FreeBSD.org>
CommitDate: 2026-04-06 02:15:59 +0000

    lang/python311: pull in upstream commits addressing webbrowser.open() issue

    Security: 9fdad262-2e0f-11f1-88c7-00a098b42aeb
    PR: 294246

 lang/python311/Makefile | 4 +++-
 lang/python311/distinfo | 6 +++++-
 2 files changed, 8 insertions(+), 2 deletions(-)
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=cc746eedc4dfcefe29d13fe3c36d29e7fa8b48f5

commit cc746eedc4dfcefe29d13fe3c36d29e7fa8b48f5
Author:     Charlie Li <vishwin@FreeBSD.org>
AuthorDate: 2026-04-06 02:18:16 +0000
Commit:     Charlie Li <vishwin@FreeBSD.org>
CommitDate: 2026-04-06 02:18:16 +0000

    lang/python310: pull in upstream commits addressing webbrowser.open() issue

    Security: 9fdad262-2e0f-11f1-88c7-00a098b42aeb
    PR: 294246

 lang/python310/Makefile | 4 +++-
 lang/python310/distinfo | 6 +++++-
 2 files changed, 8 insertions(+), 2 deletions(-)
Python 3.14?

The patches added to 3.1[0123] are also available for 3.14, right?

PATCH_SITES=	https://github.com/python/cpython/commit/
PATCHFILES=	9669a912a0e329c094e992204d6bdb8787024d76.patch:-p1 \
		594b5a05dc9913880ac92eded440defbf32a28d1.patch:-p1
(In reply to Herbert J. Skuhra from comment #7)

3.14. This patch should be enough, right?
594b5a05dc9913880ac92eded440defbf32a28d1

Wouldn't the following patches also be necessary?
6262704b134db2a4ba12e85ecfbd968534f28b45 CVE-2025-15366
b234a2b67539f787e191d2ef19a7cbdce32874e7 CVE-2025-15367
lang/python314 is currently not maintained by the python@ team. It will need portmgr@ action or a repeated maintainer timeout in order for it to go unmaintained, which then enables python@ to take it. Upstream has decided to hold off backporting CVE-2025-15366 and CVE-2025-15367 due to potentially breaking existing behaviour and a need to further analyse if the commits in the main branch addressing them follow the relevant standards/RFCs correctly. Thus we will also hold off on them.
Python 3.14.4 is out:
https://docs.python.org/release/3.14.4/whatsnew/changelog.html

But this release seems to address other CVEs.

Why is lang/python314 not maintained by python@?
New update also vulnerable

python311-3.11.15_2 is vulnerable:
Python -- poplib module, when passed a user-controlled command, can have additional commands injected using newlines
CVE: CVE-2025-15367
WWW: https://vuxml.FreeBSD.org/freebsd/6d3488ae-2e0f-11f1-88c7-00a098b42aeb.html

Python -- imaplib module, when passed a user-controlled command, can have additional commands injected using newlines
CVE: CVE-2025-15366
WWW: https://vuxml.FreeBSD.org/freebsd/0be929a5-2e0f-11f1-88c7-00a098b42aeb.html
(In reply to Vladimir Boldin from comment #11) Please read comment 9 if you haven't already.
(In reply to Herbert J. Skuhra from comment #10)

Because I added python314 even before the python@ members got python313 into the tree and I am not handing it over to the team. Everyone feel free though to Cc: me on Python PRs that also apply to 3.14.

As to the matter, we don't need cherry picks, we can update/MFH(2026Q2) 3.14 to 3.14.4 instead. The 3.14.4 update contains the fix for leading dashes in webbrowser.open(), so the two cherry-picks to fix these are not needed there.

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=294324 has
(1) a 3.14.4 security update (sent by me as the maintainer), and two post-3.14.4 cherry-picked security fixes for:
(2) gh-146211: Reject CR/LF in HTTP tunnel request headers
(3) gh-146333: Fix quadratic regex backtracking in configparser
Which probably want investigation/backport to older Python releases.

The PR 294324 (link above) also contains VuXML updates.
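Since comments 2 and 10 state that the poplib/imaplib fixes are not being backported to the 3.10 through 3.13 ports, the practical stopgap is an application-level guard on every user-controlled value before it reaches those modules, plus the same kind of guard in front of webbrowser.open(). The following is an added example, not code from this thread, from the FreeBSD ports or from CPython; the function names and the sample inputs are my own, and the checks only mirror the bug descriptions in the vuxml entries above (line breaks inside a mail-protocol argument, a leading dash in a URL handed to an external browser command), not the upstream patches themselves.

```python
import re

# Characters that end a POP3/IMAP command line and would let a second command
# follow it; this is the injection class behind CVE-2025-15366/CVE-2025-15367.
_LINE_CTL = re.compile(r"[\r\n\x00]")

# Only absolute http(s) URLs without whitespace are accepted: such a string can
# never begin with '-', so the browser command launched by webbrowser.open()
# cannot read it as an option (the problem class behind CVE-2026-4519).
_HTTP_URL = re.compile(r"https?://[^\s]+")


def is_safe_mail_arg(value):
    """True if value may be embedded in a POP3/IMAP command unchanged."""
    return isinstance(value, str) and _LINE_CTL.search(value) is None


def is_safe_browser_url(url):
    """True if url is an absolute http(s) URL with no whitespace."""
    return isinstance(url, str) and _HTTP_URL.fullmatch(url) is not None


def mail_arg(value, what="argument"):
    """Return value unchanged or raise ValueError.

    Call this on usernames, mailbox names, search criteria and similar
    strings before passing them to poplib/imaplib on an interpreter that
    does not carry the upstream fix.
    """
    if not is_safe_mail_arg(value):
        raise ValueError(f"{what} contains CR, LF or NUL and was rejected")
    return value


def browser_url(url):
    """Return url unchanged or raise ValueError; call before webbrowser.open(url)."""
    if not is_safe_browser_url(url):
        raise ValueError("only absolute http(s) URLs may be opened")
    return url


if __name__ == "__main__":
    # Constructed sample inputs: mailbox names as a web form might deliver
    # them, and URLs as a user might paste them.
    for sample in ("INBOX", "Sent\r\nNOOP"):
        print(repr(sample), "accepted" if is_safe_mail_arg(sample) else "rejected")
    for sample in ("https://example.org/", "-x", "ftp://example.org/"):
        print(repr(sample), "accepted" if is_safe_browser_url(sample) else "rejected")
```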