git 2.54.0 requires vulnerable package python311 3.11.15_03, what to do?

I have recently installed FreeBSD 15.0-RELEASE and tried installing the git package, but after auditing, it says that the dependency python311 3.11.15_03 is vulnerable with the following vulnerabilities:
Code:
python -- more webbrowser.open() command injection vulnerabilities
CVE: CVE-2026-4786
WWW: https://vuxml.FreeBSD.org/freebsd/cf75f572-378a-11f1-a119-e36228bfe7d4.html

Python -- poplib module, when passed a user-controlled command, can have additional commands injected using newlines
CVE: CVE-2025-15367
WWW: https://vuxml.FreeBSD.org/freebsd/6d3488ae-2e0f-11f1-88c7-00a098b42aeb.html

Python -- imaplib module, when passed a user-controlled command, can have additional commands injected using newlines
CVE: CVE-2025-15366
WWW: https://vuxml.FreeBSD.org/freebsd/0be929a5-2e0f-11f1-88c7-00a098b42aeb.html

Python -- configparser vulnerable to excessive CPU use
WWW: https://vuxml.FreeBSD.org/freebsd/5ec4dcf6-3588-11f1-b51c-6dd25bec137b.html

Python -- use-after-free vulnerability in decompressors under memory pressure
CVE: CVE-2026-6100
WWW: https://vuxml.FreeBSD.org/freebsd/b8e9f33c-375d-11f1-a119-e36228bfe7d4.html

Python -- HTTP proxy CONNECT tunnel does not sanitize CR/LF
CVE: CVE-2026-1502
WWW: https://vuxml.FreeBSD.org/freebsd/30bda1c3-369b-11f1-b51c-6dd25bec137b.html
I am wary of this, so after reading around in the forums I decided to try to set up git using the ports collection installation guide as shown at https://docs.freebsd.org/en/books/handbook/ports/#ports-using-installation-methods
I try building git, but then another vulnerable package appears:
Code:
libxslt-1.1.43_1 is vulnerable:
    libxslt -- multiple vulnerabilities
    CVE: CVE-2025-11731
    CVE: CVE-2025-9714
    CVE: CVE-2025-7425
    CVE: CVE-2025-7424
    WWW: https://vuxml.FreeBSD.org/freebsd/b0a3466f-5efc-11f0-ae84-99047d0a6bcc.html
I am unsure now how to proceed.
 
It's the CONTRIB option that pulls in Python. You could install the tiny flavor of git if you don't need all the additional fluff. pkg install git-tiny.

Code:
.if ${SUBPORT} == p4 || ${PORT_OPTIONS:MCONTRIB}
USES+=		python
CONFIGURE_ARGS+=	--with-python=${PYTHON_CMD}
.else
CONFIGURE_ARGS+=	--without-python
.endif
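To see which of git's installed dependencies actually carry which of the advisories quoted above (and to confirm they are gone after switching to git-tiny), the dependency list can be cross-checked against the full pkg audit report. This is an added example, not code from the thread; the pkg query and pkg audit commands in the comments are real, the sample inputs are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: cross-check a package's installed
# dependencies against the full `pkg audit` report, so you see which
# dependency carries which advisory. On FreeBSD the real inputs would be:
#   pkg query '%dn-%dv' git > deps     # direct deps of git, name-version
#   pkg audit               > audit    # report in the format quoted above

sample_deps() {
  # constructed: the two packages from the thread plus a made-up clean one
  printf '%s\n' python311-3.11.15_03 libxslt-1.1.43_1 pcre2-10.45
}

sample_audit() {
  # constructed from the thread; "vim" (placeholder CVE) is not a dep, must be ignored
  cat <<'EOF'
python311-3.11.15_03 is vulnerable:
    python -- more webbrowser.open() command injection vulnerabilities
    CVE: CVE-2026-4786
    WWW: https://vuxml.FreeBSD.org/freebsd/cf75f572-378a-11f1-a119-e36228bfe7d4.html

    Python -- configparser vulnerable to excessive CPU use
    WWW: https://vuxml.FreeBSD.org/freebsd/5ec4dcf6-3588-11f1-b51c-6dd25bec137b.html

libxslt-1.1.43_1 is vulnerable:
    libxslt -- multiple vulnerabilities
    CVE: CVE-2025-11731
    CVE: CVE-2025-9714
    WWW: https://vuxml.FreeBSD.org/freebsd/b0a3466f-5efc-11f0-ae84-99047d0a6bcc.html
vim-9.1.0 is vulnerable:
    vim -- placeholder advisory
    CVE: CVE-XXXX-PLACEHOLDER
    WWW: https://example.invalid/
EOF
}

# Print "<dep> <CVE>" per CVE line, or "<dep> NOCVE <title>" for an advisory
# with no CVE (the configparser case), only for packages in the dep list.
vulnerable_deps() {
  awk '
    NR == FNR { dep[$1] = 1; next }                      # file 1: dep list
    /^[^ ].* is vulnerable:$/ { cur = ($1 in dep) ? $1 : ""; next }
    cur == "" { next }                                   # not one of our deps
    /^ +[^ ].* -- / { title = $0; sub(/^ +/, "", title); ncve = 0; next }
    $1 == "CVE:" { print cur, $2; ncve++; next }
    $1 == "WWW:" && ncve == 0 { print cur, "NOCVE", title }
  ' "$1" "$2"
}

tmp=$(mktemp -d); sample_deps > "$tmp/deps"; sample_audit > "$tmp/audit"
vulnerable_deps "$tmp/deps" "$tmp/audit"; rm -rf "$tmp"
```

Run it against the real files and the output is empty once no dependency of git appears in pkg audit.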
 
The python bits: are those more used if you are running a git server than a git client?
Basically if all I want to do is "git clone, modify, git push" tiny should have everything.
But if I was hosting a server to hold repos, is the python more useful/needed?
 
The python bits: are those more used if you are running a git server than a git client?
As far as I can tell there's only one script that requires python:
Code:
root@molly:/usr/local/share/git-core/contrib # grep -r python3 *
fast-import/import-zips.py:#!/usr/local/bin/python3.11
 
The python bits: are those more used if you are running a git server than a git client?
Basically if all I want to do is "git clone, modify, git push" tiny should have everything.
But if I was hosting a server to hold repos, is the python more useful/needed?
Nah. I self host my own git server and all I use is git-tiny (on all my servers). I think you were on the right track with promoting just git-tiny all the way. My git server is headless (no web gui--only cli interface) but I think I even remember that I set up gitlab or gitea with git-tiny as well (back when I thought I needed a web-interface).
Thumbs-Up from me as well.
 