python311-3.11.14 vulnerable but no alternatives/updates

Bash:
# pkg audit -F
vulnxml file up-to-date
python311-3.11.14 is vulnerable:
  python -- several vulnerabilities
  CVE: CVE-2025-13836
  CVE: CVE-2025-12084
  WWW: https://vuxml.FreeBSD.org/freebsd/613d0f9e-d477-11f0-9e85-03ddfea11990.html

1 problem(s) in 1 package(s) found

I need python311 because of py311-zfs-autobackup https://www.freshports.org/filesystems/py-zfs-autobackup/ but it seems there are no python311 updates anymore.

I've requested an account on bugzilla.freebsd.org to report it but just in case someone has any other solution I can apply.

Thanks.
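For anyone who wants to triage `pkg audit -F` output like the listing above across many hosts, here is an added example (not part of this thread or of pkg itself) that parses that layout into per-package advisory records and cross-checks the "N problem(s) in M package(s)" trailer. The sample input is constructed from advisories quoted later in this thread; note that one package can carry several advisory blocks and that an advisory may have no CVE line at all.

```python
# Constructed sample in the layout `pkg audit -F` prints in this thread: a
# "<pkg> is vulnerable:" header, then one or more advisory blocks (title,
# zero or more CVE lines, a WWW line) separated by blank lines; indentation varies.
SAMPLE_AUDIT = """\
vulnxml file up-to-date
python311-3.11.15_2 is vulnerable:
  Python -- configparser vulnerable to excessive CPU use
  WWW: https://vuxml.FreeBSD.org/freebsd/5ec4dcf6-3588-11f1-b51c-6dd25bec137b.html

gimp-2.10.38,2 is vulnerable:
Gimp -- GIMP XWD File Parsing Integer Overflow Remote Code Execution Vulnerability
CVE: CVE-2025-2760
WWW: https://vuxml.freebsd.org/freebsd/da0a4374-3fc9-11f0-a39d-b42e991fc52e.html

Gimp -- GIMP FLI File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability
CVE: CVE-2025-2761
WWW: https://vuxml.freebsd.org/freebsd/dc99c67a-3fc9-11f0-a39d-b42e991fc52e.html

3 problem(s) in 2 package(s) found.
"""

def parse_pkg_audit(text):
    """Map each vulnerable package to its advisories: [{title, cves, www}, ...]."""
    pkgs, pkg, adv = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("vulnxml file"):
            continue
        if " problem(s) in " in line:
            break  # trailer: nothing after it belongs to a package
        if line.endswith(" is vulnerable:"):
            pkg, adv = line[: -len(" is vulnerable:")], None
            pkgs.setdefault(pkg, [])
        elif pkg is None:
            continue  # stray text before the first package header
        elif line.startswith("CVE:") and adv is not None:
            adv["cves"].append(line.split(":", 1)[1].strip())
        elif line.startswith("WWW:") and adv is not None:
            adv["www"] = line.split(":", 1)[1].strip()
        else:  # any other line is a title and opens a new advisory block
            adv = {"title": line, "cves": [], "www": None}
            pkgs[pkg].append(adv)
    return pkgs

def summarize(pkgs):
    # (problems, packages) as the pkg audit trailer counts them: one problem per advisory
    return sum(len(a) for a in pkgs.values()), len(pkgs)

def packages_with_cve(pkgs, cve):
    """Installed packages carrying an advisory that names this CVE."""
    return [p for p, advs in pkgs.items() if any(cve in a["cves"] for a in advs)]
```

Feed it the real output of `pkg audit -F` instead of the sample and compare `summarize()` against the trailer to catch a parse that silently dropped a block.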
 
From PR 291609, Charlie Li (freebsd_committer, freebsd_triage), 2025-12-13 14:00:03 UTC:

None of these have been merged into any branch older than 3.13. Although a maintainer has marked each open backport pull request as approved, there may be some further unforeseen issues with them so they are not merged yet. The ports will be updated when upstream cuts corresponding point releases, hopefully including the fixes.
 
pkg audit -F
vulnxml file up-to-date
c-ares-1.34.5 is vulnerable:
c-ares -- Use After Free
CVE: CVE-2025-62408
WWW: https://vuxml.freebsd.org/freebsd/1adf9ece-d4a3-11f0-83a2-843a4b343614.html

xkbcomp-1.4.7 is vulnerable:
xkbcomp -- Several vulnerabilities
CVE: CVE-2018-15863
CVE: CVE-2018-15861
CVE: CVE-2018-15859
CVE: CVE-2018-15863
WWW: https://vuxml.freebsd.org/freebsd/c7187676-d176-11f0-841f-843a4b343614.html

libxslt-1.1.43_1 is vulnerable:
libxslt -- unmaintained, with multiple unfixed vulnerabilities
CVE: CVE-2025-7425
CVE: CVE-2025-7424
WWW: https://vuxml.freebsd.org/freebsd/b0a3466f-5efc-11f0-ae84-99047d0a6bcc.html

apache24-2.4.65_1 is vulnerable:
Apache httpd -- Multiple vulnerabilities
CVE: CVE-2025-55753
CVE: CVE-2025-58098
CVE: CVE-2025-59775
CVE: CVE-2025-65082
CVE: CVE-2025-66200
WWW: https://vuxml.freebsd.org/freebsd/6ebe4a30-d138-11f0-af8c-8447094a420f.html

chromium-143.0.7499.109_1 is vulnerable:
chromium -- multiple security fixes
CVE: CVE-2025-14766
CVE: CVE-2025-14765
WWW: https://vuxml.freebsd.org/freebsd/f99e70c2-dcb8-11f0-a15a-a8a1599412c6.html

go124-1.24.9 is vulnerable:
go -- excessive resource consumption
CVE: CVE-2025-61729
WWW: https://vuxml.freebsd.org/freebsd/245bd19f-d035-11f0-84e9-c7a56e37e3f0.html

python311-3.11.13_1 is vulnerable:
python -- several vulnerabilities
CVE: CVE-2025-13836
CVE: CVE-2025-12084
WWW: https://vuxml.freebsd.org/freebsd/613d0f9e-d477-11f0-9e85-03ddfea11990.html

openssl35-3.5.0_1 is vulnerable:
OpenSSL -- multiple vulnerabilities
CVE: CVE-2025-9232
CVE: CVE-2025-9231
CVE: CVE-2025-9230
WWW: https://vuxml.freebsd.org/freebsd/00e912c5-9e92-11f0-bc5f-8447094a420f.html

gimp-2.10.38,2 is vulnerable:
Gimp -- GIMP XWD File Parsing Integer Overflow Remote Code Execution Vulnerability
CVE: CVE-2025-2760
WWW: https://vuxml.freebsd.org/freebsd/da0a4374-3fc9-11f0-a39d-b42e991fc52e.html

Gimp -- GIMP FLI File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability
CVE: CVE-2025-2761
WWW: https://vuxml.freebsd.org/freebsd/dc99c67a-3fc9-11f0-a39d-b42e991fc52e.html

10 problem(s) in 9 package(s) found.
x@myfreebsd:~ $
 
Definitely need Python in the base system ecosystem. Not so much for core base system development, where this would not utilize its strengths, but more so to keep FreeBSD moving in the long term.
 
I need python311 because of py311-zfs-autobackup
Don't think zfs-autobackup does any HTTP requests, so CVE-2025-13836 would never get hit. Even if it did, at most you would simply run out of memory. Annoying but not "dangerous". Unless you're running this on some important server, it might take it down. Again, annoying but not that catastrophic. You might want to take a hard look at the URL it tried to read though. Something smells fishy there.

And CVE-2025-12084 also seems web related because it involves nested elements of a DOM. At worst you might see your CPU and memory usage spike. Again, a nuisance, not a big deal. Not the kind of "hey, some weirdo hacker just walks into my system and pwned me" bug.
 
pkg audit -F on my machine FreeBSD 15.0-RELEASE-p1

sh:
python --version
Python 3.11.13

pkg audit -F
vulnxml file up-to-date
python311-3.11.13_1 is vulnerable:
  python -- several vulnerabilities
  CVE: CVE-2025-13836
  CVE: CVE-2025-12084
  WWW: https://vuxml.freebsd.org/freebsd/613d0f9e-d477-11f0-9e85-03ddfea11990.html

libxslt-1.1.43_1 is vulnerable:
  libxslt -- unmaintained, with multiple unfixed vulnerabilities
  CVE: CVE-2025-7425
  CVE: CVE-2025-7424
  WWW: https://vuxml.freebsd.org/freebsd/b0a3466f-5efc-11f0-ae84-99047d0a6bcc.html

2 problem(s) in 2 package(s) found.

I think I subscribed to the freebsd security ML. I'll check again.

On another note, a lot of the claimed fastest technologies have very high latency or do not install at all on the base system. Don't send that to X/Twitter. I prefer the blazingly fast technology claims to keep trending hehe
 
pkg audit -F | grep vul

fluidsynth-2.4.7 is vulnerable:
c-ares-1.34.5 is vulnerable:
libxslt-1.1.43_1 is vulnerable:
libxslt -- unmaintained, with multiple unfixed vulnerabilities
go124-1.24.9 is vulnerable:
python311-3.11.13_1 is vulnerable:
python -- several vulnerabilities
gimp-2.10.38,2 is vulnerable:
 
Code:
 pkg audit -F
vulnxml file up-to-date
python311-3.11.15_2 is vulnerable:
  Python -- configparser vulnerable to excessive CPU use
  WWW: https://vuxml.FreeBSD.org/freebsd/5ec4dcf6-3588-11f1-b51c-6dd25bec137b.html

  Python -- imaplib module, when passed a user-controlled command, can have additional commands injected using newlines
  CVE: CVE-2025-15366
  WWW: https://vuxml.FreeBSD.org/freebsd/0be929a5-2e0f-11f1-88c7-00a098b42aeb.html

  Python -- poplib module, when passed a user-controlled command, can have additional commands injected using newlines
  CVE: CVE-2025-15367
  WWW: https://vuxml.FreeBSD.org/freebsd/6d3488ae-2e0f-11f1-88c7-00a098b42aeb.html

  Python -- HTTP proxy CONNECT tunnel does not sanitize CR/LF
  CVE: CVE-2026-1502
  WWW: https://vuxml.FreeBSD.org/freebsd/30bda1c3-369b-11f1-b51c-6dd25bec137b.html

4 problem(s) in 1 package(s) found.
 
Colleagues, allow me to join this discussion thread and ask the main question to which, unfortunately, I cannot find an answer.
When will it be fixed?
 
I'll write a little about python314.

The maintainer of python314 is not python@.
The maintainer, mandree@, is someone who repeatedly commits and reverts changes and is not cooperative with python@, and it seems he can no longer commit changes himself.
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=294246#c13
Code:
Because I added python314 even before the python@ members got
python313 into the tree and I am not handing it over to the team.
 
Definitely need Python in the base system ecosystem. Not so much for core base system development, where this would not utilize its strengths, but more so to keep FreeBSD moving in the long term.
It shouldn't be an option.

Long ago, perl was once in base.
But as the lifetime of a single version of perl was toooooooooo short for the base FreeBSD support lifecycle (at the moment, 5 years or more per branch) and backward compatibility is NOT assured, in-base perl got tooooooooooooo outdated in the middle of the support lifecycle of each base branch.
If not, why are massive upgrades (if you have plenty of perl programs from ports) forced on every perl 5.* switch?

Although the support lifecycle of base branches is now 4 years, the same applies to python. So incorporating python into base would cause the same hell, thus, unlikely.

The same applies to rust in base.
 
I know this is an older comment, but I just noticed this thread and well... got curious.
Definitely need Python in the base system ecosystem. Not so much for core base system development, where this would not utilize its strengths, but more so to keep FreeBSD moving in the long term.
No offense, but I strongly disagree; it would become a huge hassle. Thing is... there's a lot going on within the Python source base, and if you then check the release overview you'll notice that releases get supported for quite a few years. For example: 3.12 (security updates only) is already 3 years old (give or take), yet it'll be supported for another 2 whole years.

As one can imagine, it's a lot less stressful to keep software from the ports collection up to date than having to build the world again (# make buildworld?) just to update 1 software component.

I'd argue that this is also why so many ports support both options from the base system as well as from the ports collection. You see this heavily within the security section (Kerberos, OpenSSL, etc.).
 
Lua is utilized in the base system and it has broken my installation before. I don't think many know that.

Sorry Lua community. But Python runs a rigorous development process with PEP and it compiles directly down to C. Has been around for a bit of time and has a vast ecosystem to do what Lua can do as well.
 
What's wrong with this evergreen guy from the first chapter of Genesis? Why hasn't it been fixed for so long?
In theory, it's a perfectly mature product, developed according to the canons of software engineering...
 