From nobody Thu Jun 08 02:52:42 2023
X-Original-To: dev-commits-ports-main@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4Qc7zv0tKHz4ZqJF;
	Thu,  8 Jun 2023 02:52:43 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4Qc7zv0KwLz3xGD;
	Thu,  8 Jun 2023 02:52:43 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1686192763;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=esMPojnv4T8JY9/osk16SVyqUNlZFhvRE22E52zp5cc=;
	b=CxQKQoobX0+65oSrI0ZUzcCJvFT5wmMDVrl7//5rqlCoLGU1XTwIW2EFDB4+qhlT38egus
	fnoAzObgmClOWmPgwoO8wdgjbT/aPWX6q2jEzzGjZUr1OYD9aWM8InBsJE2B2dK3gzHZ5C
	v325ntMgJXiavzAtAf26kKmmK8Zi0bYiRSrs8oiZPezid2mr7b1AwZ5PavYxlZb2Vw7f41
	li0rU34gUbo2lPZ8zX/axGUQ3cBaaBB3gKfrNq1WjFinXjM1VEAsxlotorfFQrKyv5ve5S
	M7ASHCSl0cagl3pcuXxHUXZYw007MF1OpIit2yl/Os0hJ+xwTDhWYUHPmkKiPg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1686192763;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=esMPojnv4T8JY9/osk16SVyqUNlZFhvRE22E52zp5cc=;
	b=UicbbL6tsIp0RWPKkA83tivEDo0lUc3czEMVHGE0KfVSevDWT0iC1ypxClHuClG0HvuPZ5
	PEC/1CgVkWgpjDVYAm2uvvIkMReqJ1u1bliqC6xwdONd9OdVzFBBWgCoOv2AzCOGA8hd/d
	JyOV+LaAMBFaIUJJSmlHbDBoJU0HuLBfhsntOi+B4MEQapaa3SQtzU4JmPcDVqqGEHjeTx
	15WH8bjFJgoUizUKwArdWnOL7sY3ZjpX8sM3fysSyqRQ/skp0fC/tZRnNqSOogKSTib4j2
	4DUgk9ceXH/2VG+HBP9E9TCOm7HiZEStlG6fkNFXdyzEs8uIsxR8Kus1Z1O6bQ==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1686192763; a=rsa-sha256; cv=none;
	b=rAaNRMg2BrsGi4x9QP9N6MCISZTcsYFm0t7K2xXgVKPSJvjQInwhNLzjuVIuRTRTOGqQHa
	qpCNm6O4wv6ykiJXt08/whTiefEN7j3jLEvNDXG1vrd310Eu8wlk4G20rZoery3WMNOVlR
	K0FZm9b3ILTx1yTpKVwUsszdXgFVMNpHFqiDwwEIzfKvUkMWllKRmA2FuX+9NyRy2FrRa1
	MJiLKIoBhLD5j6I4j7WkuUbKAP2Db0spMcgLzpPfQbg4JfpUMouEl7GsrSAvmARtcooZ3b
	CBmpiPa1YRrL1s2nX8bnirznpLsM+1r/Tw5ygrdnbRzb9z2wXYsol+6PDrVj0g==
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4Qc7zt6XJmzcbC;
	Thu,  8 Jun 2023 02:52:42 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
	by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 3582qgBL011230;
	Thu, 8 Jun 2023 02:52:42 GMT
	(envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
	by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 3582qg2R011229;
	Thu, 8 Jun 2023 02:52:42 GMT
	(envelope-from git)
Date: Thu, 8 Jun 2023 02:52:42 GMT
Message-Id: <202306080252.3582qg2R011229@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org,
        dev-commits-ports-main@FreeBSD.org
From: Wen Heping <wen@FreeBSD.org>
Subject: git: 1e1334634165 - main - security/vuxml: Document python's multiple vulnerabilities
List-Id: Commits to the main branch of the FreeBSD ports repository <dev-commits-ports-main.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main
List-Help: <mailto:dev-commits-ports-main+help@freebsd.org>
List-Post: <mailto:dev-commits-ports-main@freebsd.org>
List-Subscribe: <mailto:dev-commits-ports-main+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-ports-main+unsubscribe@freebsd.org>
Sender: owner-dev-commits-ports-main@freebsd.org
X-BeenThere: dev-commits-ports-main@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: wen
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 1e1334634165b1bdbf8da1e1287e91eaeac71b99
Auto-Submitted: auto-generated
X-ThisMailContainsUnwantedMimeParts: N

The branch main has been updated by wen:

URL: https://cgit.FreeBSD.org/ports/commit/?id=1e1334634165b1bdbf8da1e1287e91eaeac71b99

commit 1e1334634165b1bdbf8da1e1287e91eaeac71b99
Author:     Wen Heping <wen@FreeBSD.org>
AuthorDate: 2023-06-08 02:50:46 +0000
Commit:     Wen Heping <wen@FreeBSD.org>
CommitDate: 2023-06-08 02:52:02 +0000

    security/vuxml: Document python's multiple vulnerabilities
---
 security/vuxml/vuln/2023.xml | 66 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 66 insertions(+)

diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml
index 0218f35a2aff..6618a0c39571 100644
--- a/security/vuxml/vuln/2023.xml
+++ b/security/vuxml/vuln/2023.xml
@@ -1,3 +1,69 @@
+  <vuln vid="d86becfe-05a4-11ee-9d4a-080027eda32c">
+    <topic>Python -- multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>python37</name>
+	<range><lt>3.7.17</lt></range>
+      </package>
+      <package>
+	<name>python38</name>
+	<range><lt>3.8.17</lt></range>
+      </package>
+      <package>
+	<name>python39</name>
+	<range><lt>3.9.17</lt></range>
+      </package>
+      <package>
+	<name>python310</name>
+	<range><lt>3.10.12</lt></range>
+      </package>
+      <package>
+	<name>python311</name>
+	<range><lt>3.11.4</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Python reports:</p>
+	<blockquote cite="https://pythoninsider.blogspot.com/2023/06/python-3114-31012-3917-3817-3717-and.html">
+	  <p>gh-103142: The version of OpenSSL used in Windows and Mac installers has been upgraded
+	    to 1.1.1u to address CVE-2023-2650, CVE-2023-0465, CVE-2023-0466, CVE-2023-0464, as well
+	    as CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303 fixed previously in 1.1.1t (gh-101727).</p>
+	  <p>gh-102153: urllib.parse.urlsplit() now strips leading C0 control and space characters
+	    following the specification for URLs defined by WHATWG in response to CVE-2023-24329.</p>
+	  <p>gh-99889: Fixed a security in flaw in uu.decode() that could allow for directory traversal
+	    based on the input if no out_file was specified.</p>
+	  <p>gh-104049: Do not expose the local on-disk location in directory indexes produced by
+	    http.client.SimpleHTTPRequestHandler.</p>
+	  <p>gh-101283: subprocess.Popen now uses a safer approach to find cmd.exe when launching with
+	    shell=True.</p>
+	  <p>gh-103935: trace.__main__ now uses io.open_code() for files to be executed instead of raw open().</p>
+	  <p>gh-102953: The extraction methods in tarfile, and shutil.unpack_archive(), have a new filter
+	    argument that allows limiting tar features than may be surprising or dangerous, such as creating
+	    files outside the destination directory. </p>
+	  <p>gh-102126: Fixed a deadlock at shutdown when clearing thread states if any finalizer tries to
+	    acquire the runtime head lock.</p>
+	  <p>gh-100892: Fixed a crash due to a race while iterating over thread states in clearing
+	    threading.local.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2022-4303</cvename>
+      <cvename>CVE-2023-2650</cvename>
+      <cvename>CVE-2023-0286</cvename>
+      <cvename>CVE-2023-0464</cvename>
+      <cvename>CVE-2023-0465</cvename>
+      <cvename>CVE-2023-0466</cvename>
+      <cvename>CVE-2023-24329</cvename>
+      <url>https://pythoninsider.blogspot.com/2023/06/python-3114-31012-3917-3817-3717-and.html</url>
+    </references>
+    <dates>
+      <discovery>2022-06-08</discovery>
+      <entry>2023-06-08</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="12741b1f-04f9-11ee-8290-a8a1599412c6">
     <topic>chromium -- multiple vulnerabilities</topic>
     <affects>