From nobody Fri Apr 17 09:05:26 2026 X-Original-To: python@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4fxpr637NVz6ZNFY for ; Fri, 17 Apr 2026 09:05:26 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R12" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4fxpr62VdDz3mkw for ; Fri, 17 Apr 2026 09:05:26 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1776416726; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=wXpjyLEeWBri5VsyDWQYR49hIfHigDYgRFUN0HUgcNE=; b=IY03MpTtu3mc+MugCoMoSnKw0IqrsB5c+N28Q3EnVHexw4TwVTsYDzg2txJ4HZXkHStSbi TRO7LVB45XfOl/MA/Ju2FJBDhX4rigHzkHmQ9dWg1hsskRaRM7/uq719hzfHOQMomz7rM0 JxxROwY15pNvYDBJ0kl/Auo00aERybpQq16S7pYkb23IdyBxEeztlZVXVwBI0PfruUeaQ3 nzgV5IReVVHOrDr5KHhdiJposw/wI3x3+BG02x1mO1Iykma2PPpajwWCRVdz70FNatfaZr cxQu8OMZmNO3Y7nOCr1ZfeTgduuMfGi66WTCJ2+gsqR8wsrHAmnX+Q0AZ37oyg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1776416726; a=rsa-sha256; cv=none; b=fyrQh5llGwjv/+V4MszhHrXXoEgDbNm0cooqjPJFsStGIvarhDD30cuaEwrzHx3nj5LQFM l8XyLzRC521WA4g0NH1mI2wPVQ/Lam3gSwxZLV222k4pkFX/FDyq4VATY6uvkpgvRe0/NC u2P9JcEuEPC4eqWsupVLdsNysNsRWfRoUtS1DjnyQE+lPiNiw9uGkhW7Uhy0pOLMYy6DRb N0aXX3ENa0EdZejx1nN4gHTgfYklcbJSz5RPpQ7+iO22+8tUOmPEXKF7d+NfUOkIgJDn3U Ss/zK2sqiave9uPU4wVG7BkJUKwMo6L1i2NWXhMCevrc71gLEmI7OMWKwcsgRg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1776416726; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=wXpjyLEeWBri5VsyDWQYR49hIfHigDYgRFUN0HUgcNE=; b=DgNkmOJOMbEekiHU+gUaYLAkSoJVBssw3ebxrEloeS/tiqPbyi+3zP9zdAn/kRjZeQusea OX5z69PhaHna2K8dJlQ/CceM7mKj3f60IWzqx1itbfmLbDGwmjUuvjVocHyvus0iRGZp9A QvctAIUUMrxID84kJrS6sskeUXwor/aqW5hk/9z2jQoPNU4uw2W70fruirKUtJRegO4gv5 6h+zhb1dsv/XUGSB9KnHjxLBwuSvaT1cPHvwKVGews+lCXnZ8w65zAgciZ3JhVqnHYBibg Vt1o89DyyvB/SJtr8Rb9pxphfkVbrPjUvHQk7ZZ1TTJywAZc+OeeMDFRfscKLA== Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2610:1c1:1:606c::50:1d]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4fxpr626XvznTf for ; Fri, 17 Apr 2026 09:05:26 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org ([127.0.1.5]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id 63H95QW6024365 for ; Fri, 17 Apr 2026 09:05:26 GMT (envelope-from bugzilla-noreply@freebsd.org) Received: (from www@localhost) by kenobi.freebsd.org (8.15.2/8.15.2/Submit) id 63H95Q75024364 for python@FreeBSD.org; Fri, 17 Apr 2026 09:05:26 GMT (envelope-from bugzilla-noreply@freebsd.org) X-Authentication-Warning: kenobi.freebsd.org: www set sender to bugzilla-noreply@freebsd.org using -f From: bugzilla-noreply@freebsd.org To: python@FreeBSD.org Subject: [Bug 294496] lang/python*: CVE-2026-4786: webbrowser.open() command injection mitigation for CVE-2026-4519 was incomplete Date: Fri, 17 Apr 2026 09:05:26 +0000 X-Bugzilla-Reason: CC X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Ports & Packages X-Bugzilla-Component: Individual Port(s) X-Bugzilla-Version: Latest X-Bugzilla-Keywords: security X-Bugzilla-Severity: Affects Many People X-Bugzilla-Who: mandree@FreeBSD.org X-Bugzilla-Status: New X-Bugzilla-Resolution: X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: ports-secteam@FreeBSD.org X-Bugzilla-Flags: maintainer-feedback+ merge-quarterly? X-Bugzilla-Changed-Fields: flagtypes.name Message-ID: In-Reply-To: References: Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="UTF-8" X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated List-Id: FreeBSD-specific Python issues List-Archive: https://lists.freebsd.org/archives/freebsd-python List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-python@freebsd.org Sender: owner-freebsd-python@FreeBSD.org MIME-Version: 1.0 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D294496 Matthias Andree changed: What |Removed |Added ---------------------------------------------------------------------------- Flags| |maintainer-feedback+ --- Comment #5 from Matthias Andree --- The branch main has been updated by diizzy: URL: https://cgit.FreeBSD.org/ports/commit/?id=3D965c6f73bbe0a9361fdd92952e3ac62= 2736ebbb3 commit 965c6f73bbe0a9361fdd92952e3ac622736ebbb3 Author: Matthias Andree AuthorDate: 2026-04-13 23:00:40 +0000 Commit: Daniel Engberg CommitDate: 2026-04-16 21:38:32 +0000 lang/python314: Fix incomplete mitigation of webbrowser.open() Cherry-pick fix to resolve Incomplete mitigation of CVE-2026-4519, %action expansion for command injection to webbrowser.open() Obtained from: GitHub repo https://github.com/python/cpython/pull/148516 Security: CVE-2026-4786 cf75f572-378a-11f1-a119-e36228bfe7d4 --=20 You are receiving this mail because: You are on the CC list for the bug.=