[Bug 291609] lang/python311: Missing security update
- In reply to: bugzilla-noreply_a_freebsd.org: "[Bug 291609] lang/python311: Missing security update"
Date: Sat, 03 Jan 2026 20:23:39 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=291609
Charlie Li <vishwin@freebsd.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Flags|maintainer-feedback- |maintainer-feedback+
--- Comment #6 from Charlie Li <vishwin@freebsd.org> ---
[maintainer-timeout does not get to be overridden when it was already set by a
maintainer, especially when feedback was provided]
CVE-2025-13836: https://github.com/python/cpython/issues/119451
Upstream outstanding pull requests (they are backported from the main one
linked from the PR):
3.11: https://github.com/python/cpython/pull/142141
3.10: https://github.com/python/cpython/pull/142142
CVE-2025-12084: https://github.com/python/cpython/issues/142145
Upstream outstanding pull requests:
3.11: https://github.com/python/cpython/pull/142212
3.10: https://github.com/python/cpython/pull/142213
None of these have been committed to their respective branches. Ports will not
include these fixes until upstream commits them, after which PORTREVISION bumps
can happen until they cut new releases.
(In reply to Torsten Zuehlsdorff from comment #3)
It is ultimately up to the upstream CPython project to commit their fixes
appropriately. Using stuff that upstream has not fully blessed, i.e. through
solid commits, does not provide us and our users a good support trail.