[Bug 294496] lang/python*: CVE-2026-4786: webbrowser.open() command injection mitigation for CVE-2026-4519 was incomplete

In reply to: bugzilla-noreply_a_freebsd.org: "[Bug 294496] lang/python*: CVE-2026-4786: webbrowser.open() command injection mitigation for CVE-2026-4519 was incomplete"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: <bugzilla-noreply_at_freebsd.org>
Date: Fri, 17 Apr 2026 09:05:26 UTC

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=294496

Matthias Andree <mandree@FreeBSD.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|                            |maintainer-feedback+

--- Comment #5 from Matthias Andree <mandree@FreeBSD.org> ---
The branch main has been updated by diizzy:

URL:
https://cgit.FreeBSD.org/ports/commit/?id=965c6f73bbe0a9361fdd92952e3ac622736ebbb3

commit 965c6f73bbe0a9361fdd92952e3ac622736ebbb3
Author:     Matthias Andree <mandree@FreeBSD.org>
AuthorDate: 2026-04-13 23:00:40 +0000
Commit:     Daniel Engberg <diizzy@FreeBSD.org>
CommitDate: 2026-04-16 21:38:32 +0000

    lang/python314: Fix incomplete mitigation of webbrowser.open()

    Cherry-pick fix to resolve
    Incomplete mitigation of CVE-2026-4519,
    %action expansion for command injection to webbrowser.open()

    Obtained from:  GitHub repo
                    https://github.com/python/cpython/pull/148516
    Security:       CVE-2026-4786
                    cf75f572-378a-11f1-a119-e36228bfe7d4

-- 
You are receiving this mail because:
You are on the CC list for the bug.