python311-3.11.14 vulnerable but no alternatives/updates

Bash:
# pkg audit -F
vulnxml file up-to-date
python311-3.11.14 is vulnerable:
  python -- several vulnerabilities
  CVE: CVE-2025-13836
  CVE: CVE-2025-12084
  WWW: https://vuxml.FreeBSD.org/freebsd/613d0f9e-d477-11f0-9e85-03ddfea11990.html

1 problem(s) in 1 package(s) found

I need python311 because of py311-zfs-autobackup https://www.freshports.org/filesystems/py-zfs-autobackup/ but it seems there are no python311 updates anymore.

I've requested an account on bugzilla.freebsd.org to report it, but just in case someone has any other solution I can apply.

Thanks.
 
From PR 291609
Charlie Li
freebsd_committer
freebsd_triage
2025-12-13 14:00:03 UTC

None of these have been merged into any branch older than 3.13. Although a maintainer has marked each open backport pull request as approved, there may be some further unforeseen issues with them so they are not merged yet. The ports will be updated when upstream cuts corresponding point releases, hopefully including the fixes.
 
pkg audit -F
vulnxml file up-to-date
c-ares-1.34.5 is vulnerable:
c-ares -- Use After Free
CVE: CVE-2025-62408
WWW: https://vuxml.freebsd.org/freebsd/1adf9ece-d4a3-11f0-83a2-843a4b343614.html

xkbcomp-1.4.7 is vulnerable:
xkbcomp -- Several vulnerabilities
CVE: CVE-2018-15863
CVE: CVE-2018-15861
CVE: CVE-2018-15859
CVE: CVE-2018-15863
WWW: https://vuxml.freebsd.org/freebsd/c7187676-d176-11f0-841f-843a4b343614.html

libxslt-1.1.43_1 is vulnerable:
libxslt -- unmaintained, with multiple unfixed vulnerabilities
CVE: CVE-2025-7425
CVE: CVE-2025-7424
WWW: https://vuxml.freebsd.org/freebsd/b0a3466f-5efc-11f0-ae84-99047d0a6bcc.html

apache24-2.4.65_1 is vulnerable:
Apache httpd -- Multiple vulnerabilities
CVE: CVE-2025-55753
CVE: CVE-2025-58098
CVE: CVE-2025-59775
CVE: CVE-2025-65082
CVE: CVE-2025-66200
WWW: https://vuxml.freebsd.org/freebsd/6ebe4a30-d138-11f0-af8c-8447094a420f.html

chromium-143.0.7499.109_1 is vulnerable:
chromium -- multiple security fixes
CVE: CVE-2025-14766
CVE: CVE-2025-14765
WWW: https://vuxml.freebsd.org/freebsd/f99e70c2-dcb8-11f0-a15a-a8a1599412c6.html

go124-1.24.9 is vulnerable:
go -- excessive resource consumption
CVE: CVE-2025-61729
WWW: https://vuxml.freebsd.org/freebsd/245bd19f-d035-11f0-84e9-c7a56e37e3f0.html

python311-3.11.13_1 is vulnerable:
python -- several vulnerabilities
CVE: CVE-2025-13836
CVE: CVE-2025-12084
WWW: https://vuxml.freebsd.org/freebsd/613d0f9e-d477-11f0-9e85-03ddfea11990.html

openssl35-3.5.0_1 is vulnerable:
OpenSSL -- multiple vulnerabilities
CVE: CVE-2025-9232
CVE: CVE-2025-9231
CVE: CVE-2025-9230
WWW: https://vuxml.freebsd.org/freebsd/00e912c5-9e92-11f0-bc5f-8447094a420f.html

gimp-2.10.38,2 is vulnerable:
Gimp -- GIMP XWD File Parsing Integer Overflow Remote Code Execution Vulnerability
CVE: CVE-2025-2760
WWW: https://vuxml.freebsd.org/freebsd/da0a4374-3fc9-11f0-a39d-b42e991fc52e.html

Gimp -- GIMP FLI File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability
CVE: CVE-2025-2761
WWW: https://vuxml.freebsd.org/freebsd/dc99c67a-3fc9-11f0-a39d-b42e991fc52e.html

10 problem(s) in 9 package(s) found.
x@myfreebsd:~ $
 