Bug 294324 - lang/python314 upgrade to 3.14.4_1 (with two cherry-picked security fixes)
Status: Open
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Many People
Assignee: Ports Security Team
URL:
Keywords: security
Depends on:
Blocks:
 
Reported: 2026-04-08 08:01 UTC by Jordan Ostreff
Modified: 2026-04-11 10:21 UTC
CC List: 5 users

See Also:
mandree: maintainer-feedback+
mandree: merge-quarterly?


Attachments
upgrade to 3.14.4 (4.93 KB, patch)
2026-04-08 08:01 UTC, Jordan Ostreff
no flags
maintainer patch to security update Python 3.14 to 3.14.4 (from 3.14.3) (10.02 KB, patch)
2026-04-08 10:02 UTC, Matthias Andree
mandree: maintainer-approval-
VuXML update to mark CVE-2026-4519 fixed in Python 3.14.4 (1.05 KB, patch)
2026-04-08 10:12 UTC, Matthias Andree
no flags
VuXML: document two more python vulnerabilities unfixed in 3.14.4 & co. (not in 269493) (2.24 KB, patch)
2026-04-11 09:40 UTC, Matthias Andree
no flags
maintainer patch to security update Python 3.14 to 3.14.4_1 (adds fixes for gh-146211 and gh-146333) (22.99 KB, patch)
2026-04-11 09:41 UTC, Matthias Andree
mandree: maintainer-approval+
update VuXML entry for two recent Python vulns (now includes python310) post-3.14 (2.31 KB, patch)
2026-04-11 10:03 UTC, Matthias Andree
no flags

Description Jordan Ostreff 2026-04-08 08:01:59 UTC
Created attachment 269486
upgrade to 3.14.4

== Tests result: FAILURE then FAILURE ==

10 slowest tests:
- test_compileall: 1 min 55 sec
- test.test_multiprocessing_spawn.test_processes: 1 min 36 sec
- test_mailbox: 1 min 33 sec
- test.test_multiprocessing_forkserver.test_processes: 1 min 28 sec
- test.test_concurrent_futures.test_process_pool: 1 min 22 sec
- test_subprocess: 1 min 18 sec
- test_signal: 1 min 8 sec
- test_logging: 48.1 sec
- test.test_multiprocessing_fork.test_processes: 39.4 sec
- test_multiprocessing_main_handling: 38.8 sec

27 tests skipped:
    test.test_asyncio.test_windows_events
    test.test_asyncio.test_windows_utils test_android test_apple
    test_dbm_gnu test_dbm_sqlite3 test_devpoll test_epoll
    test_free_threading test_idle test_launcher test_msvcrt
    test_perf_profiler test_perfmaps test_remote_pdb test_sqlite3
    test_startfile test_tcl test_tkinter test_ttk test_ttk_textonly
    test_turtle test_winapi test_winconsoleio test_winreg
    test_winsound test_wmi

3 tests skipped (resource denied):
    test_peg_generator test_xpickle test_zipfile64

3 re-run tests:
    test_dtrace test_imaplib test_shutil

3 tests failed:
    test_dtrace test_imaplib test_shutil

454 tests OK.

Total duration: 3 min 9 sec
Total tests: run=46,530 failures=18 skipped=2,252
Total test files: run=487/487 failed=3 skipped=27 resource_denied=3 rerun=3
Result: FAILURE then FAILURE
*** Error code 2

Stop.
make: stopped making "test" in /usr/ports/lang/python314/work/Python-3.14.4
*** Error code 1

Stop.
make: stopped making "test" in /usr/ports/lang/python314
# python -V
Python 3.14.4
Comment 1 Jordan Ostreff 2026-04-08 08:03:34 UTC
# pkg audit -F
vulnxml file up-to-date
python314-3.14.4 is vulnerable:
  Python -- The webbrowser.open() API allows leading dashes
  CVE: CVE-2026-4519
  WWW: https://vuxml.FreeBSD.org/freebsd/9fdad262-2e0f-11f1-88c7-00a098b42aeb.html

  Python -- poplib module, when passed a user-controlled command, can have additional commands injected using newlines
  CVE: CVE-2025-15367
  WWW: https://vuxml.FreeBSD.org/freebsd/6d3488ae-2e0f-11f1-88c7-00a098b42aeb.html

  Python -- imaplib module, when passed a user-controlled command, can have additional commands injected using newlines
  CVE: CVE-2025-15366
  WWW: https://vuxml.FreeBSD.org/freebsd/0be929a5-2e0f-11f1-88c7-00a098b42aeb.html

3 problem(s) in 1 package(s) found.
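The two vulnerability classes in the pkg audit output above (CRLF command injection through user-controlled imaplib/poplib arguments, and a leading dash in a string handed to webbrowser.open()) can be guarded against on the application side regardless of which python314 package is installed. The following is an added example written for this page, not code from CPython, the port, or the patches attached here; the hostile mailbox name, the tag "A001" and the helper names are constructed for illustration, and wire_lines() is a simplified rendering of a tagged IMAP command, not imaplib's own encoder.

```python
import re
from urllib.parse import urlsplit

# Constructed for this example: a mailbox name taken from user input unchecked.
# The embedded CRLF ends the SELECT command and smuggles a second one.
HOSTILE_MAILBOX = "INBOX\r\nA002 DELETE Archive"

_CRLF = re.compile(r"[\r\n]")


def contains_crlf(value: str) -> bool:
    """True if the string carries a CR or LF byte anywhere."""
    return _CRLF.search(value) is not None


def reject_crlf(value: str, what: str = "argument") -> str:
    """Refuse a user-controlled IMAP/POP3 argument that contains CR or LF.

    Both protocols are line-oriented: a CRLF inside an argument terminates
    the current command, so whatever follows is parsed as a new command.
    Raising here keeps the caller from ever handing such input to imaplib
    or poplib, independent of whether the installed Python validates it.
    """
    if contains_crlf(value):
        raise ValueError(f"{what} contains CR or LF; refusing to send it")
    return value


def wire_lines(tag: str, command: str, argument: str) -> list[str]:
    """Illustrative only (not imaplib's encoder): render a tagged IMAP
    command the way it leaves the socket and split it on CRLF the way a
    line-oriented server parser does, to show where the injection lands."""
    raw = f"{tag} {command} {argument}\r\n"
    return [line for line in raw.split("\r\n") if line]


def is_safe_browser_url(url: str) -> bool:
    """Only absolute http(s) URLs are acceptable for webbrowser.open().

    A string beginning with '-' can be taken for a command-line option by
    the browser launcher (the CVE-2026-4519 class listed above); requiring
    an http/https scheme plus a host rules out leading dashes and stray
    local paths alike.
    """
    if url.startswith("-"):
        return False
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def safe_browser_url(url: str) -> str:
    """Return the URL unchanged if it is safe to pass on, else raise."""
    if not is_safe_browser_url(url):
        raise ValueError(f"not an absolute http(s) URL: {url!r}")
    return url


if __name__ == "__main__":
    print(wire_lines("A001", "SELECT", HOSTILE_MAILBOX))
    for candidate in ("INBOX", HOSTILE_MAILBOX):
        try:
            print("ok:", reject_crlf(candidate, "mailbox"))
        except ValueError as exc:
            print("blocked:", exc)
    for url in ("https://example.com/", "-new-window https://example.com/"):
        try:
            print("ok:", safe_browser_url(url))
        except ValueError as exc:
            print("blocked:", exc)
```

Run the block to see the hostile mailbox name split into two separate IMAP command lines, then rejected by reject_crlf() before any socket is involved; the same check applies to POP3 arguments such as a user-supplied message number or mailbox name.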
Comment 2 Jordan Ostreff 2026-04-08 08:05:48 UTC
(In reply to Jordan Ostreff from comment #1)

https://docs.python.org/release/3.14.4/whatsnew/changelog.html
Comment 3 Matthias Andree freebsd_committer freebsd_triage 2026-04-08 09:19:04 UTC
I'll try to reduce the pkg-plist diff and see what I get in terms of self-tests. 3.14.3 is self-checking successfully on 15.0-RELEASE-p7 amd64 for me.
Comment 4 Matthias Andree freebsd_committer freebsd_triage 2026-04-08 10:02:05 UTC
Created attachment 269492
maintainer patch to security update Python 3.14 to 3.14.4 (from 3.14.3)

Let's use this patch instead. Self-tests on 15.0-RELEASE amd64 pass, poudriere tests running.
Comment 5 Matthias Andree freebsd_committer freebsd_triage 2026-04-08 10:12:40 UTC
Created attachment 269493
VuXML update to mark CVE-2026-4519 fixed in Python 3.14.4

(the imaplib and poplib issues appear to still be unfixed)
Comment 6 Matthias Andree freebsd_committer freebsd_triage 2026-04-08 10:25:07 UTC
Please commit both patches to main and MFH the Python patch to 2026Q2.
Comment 7 Matthias Andree freebsd_committer freebsd_triage 2026-04-08 10:26:32 UTC
poudriere build tests have passed for each of these on FreeBSD 13.5, 14.3, 15.0 respectively (all amd64):

lang/python314
databases/py-gdbm@py314
databases/py-sqlite3@py314
x11-toolkits/py-tkinter@py314
Comment 8 Matthias Andree freebsd_committer freebsd_triage 2026-04-11 08:21:57 UTC
Comment on attachment 269492
maintainer patch to security update Python 3.14 to 3.14.4 (from 3.14.3)

Since this hasn't been committed yet, revoking maintainer approval. Will need to cherry-pick two more security fixes from upstream.

New patch coming up.
Comment 9 Matthias Andree freebsd_committer freebsd_triage 2026-04-11 09:40:21 UTC
Created attachment 269614
VuXML: document two more python vulnerabilities unfixed in 3.14.4 & co. (not in 269493)
Comment 10 Matthias Andree freebsd_committer freebsd_triage 2026-04-11 09:41:16 UTC
Created attachment 269615
maintainer patch to security update Python 3.14 to 3.14.4_1 (adds fixes for gh-146211 and gh-146333)

Please commit & MFH. Note I am the maintainer, not python@.
Comment 11 Matthias Andree freebsd_committer freebsd_triage 2026-04-11 09:43:00 UTC
Patches also available for cherry-picking from my ports forks at

https://gitlab.com/mandree/freebsd-ports/-/commits/main?ref_type=HEADS
https://github.com/mandree/freebsd-ports/commits/main/
Comment 12 Matthias Andree freebsd_committer freebsd_triage 2026-04-11 10:03:36 UTC
Created attachment 269616
update VuXML entry for two recent Python vulns (now includes python310) post-3.14

Had to add python310 (which FreeBSD still claims to "support") to the VuXML entry.