From: Kubilay Kocak
Reply-To: koobs@FreeBSD.org
Date: Tue, 14 Sep 2021 09:55:19 +1000
Subject: Re: python38-3.8.11 is vulnerable
To: lumiwa@dismail.de
Cc: "python@FreeBSD.org", Wen Heping
Message-ID: <97804325-5c6e-48a6-7e8d-82090734c359@FreeBSD.org>
In-Reply-To: <20210912091711.6141a695@dismail.de>
References: <20210912091711.6141a695@dismail.de>
List-Id: FreeBSD-specific Python issues
List-Archive: https://lists.freebsd.org/archives/freebsd-python

On 12/09/2021 11:17 pm, LuMiWa via python wrote:
> Hi!
>
> I start using latest binary packages and my question is if it is better to
> use ports for some ports, in this case for Python, because ports, as I
> know, are updated faster for vulnerabilities.
>
> pkg audit -F
> vulnxml file up-to-date
> python38-3.8.11 is vulnerable:
> Python -- multiple vulnerabilities
> WWW:
> https://vuxml.FreeBSD.org/freebsd/145ce848-1165-11ec-ac7e-08002789875b.html
>
> Thank you.
>

All Python language ports (lang/python*) bugfix and security updates
should be committed to head and then merged to quarterly as part of the
same task as a matter of course.

The python38 update is being tracked here:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=258195

Once committed/merged, the availability of updated packages is contingent
on the package building infrastructure, which can take up to a few days
to complete on average, if there are no other issues.

./koobs
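Added example, not part of the original message or of any FreeBSD tooling: a small filter that turns a `pkg audit` report like the one quoted above into one row per advisory (package name, installed version, VuXML URL), so the affected ports can be tracked until fixed packages are available. The function names and the second sample package are constructed for illustration; the parser assumes the report layout shown in the thread and also accepts reports pasted from mail, where lines carry `>` quoting and the URL wraps onto the line after `WWW:`.

```shell
#!/bin/sh
# Summarize `pkg audit` output read from stdin as: name<TAB>version<TAB>URL
# Live use (assumption: run on the affected host): pkg audit -F | audit_summary
audit_summary() {
    awk '
    function emit(u) { printf "%s\t%s\t%s\n", name, ver, u; want_url = 0 }
    # Drop mail quoting and indentation so pasted reports parse the same way.
    { sub(/^[> \t]+/, "") }
    / is vulnerable:?[ \t]*$/ {
        pkg = $1
        # Package names are <name>-<version>; the version follows the last "-".
        i = length(pkg)
        while (i > 0 && substr(pkg, i, 1) != "-") i--
        name = substr(pkg, 1, i - 1); ver = substr(pkg, i + 1)
        want_url = 0
        next
    }
    # URL on the same line as WWW:, or wrapped onto the following line.
    $1 == "WWW:" { if (NF >= 2) emit($2); else want_url = 1; next }
    want_url && $1 ~ /^https?:\/\// { emit($1); next }
    '
}

# Constructed sample: the first entry is the report quoted in the thread,
# the second is a made-up package with a placeholder advisory id.
sample_report() {
    cat <<'EOF'
> vulnxml file up-to-date
> python38-3.8.11 is vulnerable:
> Python -- multiple vulnerabilities
> WWW:
> https://vuxml.FreeBSD.org/freebsd/145ce848-1165-11ec-ac7e-08002789875b.html

examplepkg-1.2.3_1 is vulnerable:
  examplepkg -- constructed advisory
  WWW: https://vuxml.FreeBSD.org/freebsd/00000000-0000-0000-0000-000000000000.html

2 problem(s) in 2 installed package(s) found.
EOF
}

sample_report | audit_summary
```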