FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2026-02-11 07:54:38 UTC

These are the vulnerabilities relating to the commit you have selected:

VuXML ID | Description
bfe9adc8-0224-11f1-8790-c5fb948922ad | python -- several security vulnerabilities

The Python project announces a new release with several security fixes:

  • CVE-2026-1299: gh-144125: BytesGenerator will now refuse to serialize (write) headers that are unsafely folded or delimited; see verify_generated_headers. (Contributed by Bas Bloemsaat and Petr Viktorin in gh-121650).
  • gh-143935: Fixed a bug in the folding of comments when flattening an email message using a modern email policy. Comments consisting of a very long sequence of non-foldable characters could trigger a forced line wrap that omitted the required leading space on the continuation line, causing the remainder of the comment to be interpreted as a new header field. This enabled header injection with carefully crafted inputs.
  • gh-143925: Reject control characters in data: URL media types.
  • gh-143919: Reject control characters in http.cookies.Morsel fields and values.
  • CVE-2026-0865: gh-143916: Reject C0 control characters within wsgiref.headers.Headers fields, values, and parameters.

Discovery 2026-01-16
Entry 2026-02-04

python310 >= 0
python311 < 3.11.14_2
python312 >= 0
python313 < 3.13.12
python313t < 3.13.12
python314 < 3.14.3

CVE-2026-1299
CVE-2026-0865
https://docs.python.org/release/3.14.3/whatsnew/changelog.html
613d0f9e-d477-11f0-9e85-03ddfea11990 | python -- several vulnerabilities

Hugo van Kemenade reports:

Python 3.14.2 and 3.13.11 are now available [... and] come with some bonus security fixes.

  • gh-142145: Remove quadratic behavior in node ID cache clearing (CVE-2025-12084)
  • gh-119451: Fix a potential denial of service in http.client [only in 3.13; CVE-2025-13836]
  • gh-119452: Fix a potential virtual memory allocation denial of service in http.server [affects platforms without fork()]

Discovery 2024-05-23
Entry 2025-12-08
Modified 2026-01-25

python39 >= 0
python310 < 3.10.19_1
python311 < 3.11.14_1
python312 < 3.12.12_3
python313 < 3.13.11
python314 < 3.14.2

CVE-2025-12084
CVE-2025-13836
https://pythoninsider.blogspot.com/2025/12/python-3142-and-31311-are-now-available.html
https://github.com/python/cpython/issues/142145
https://github.com/python/cpython/issues/119451
https://github.com/python/cpython/issues/119452
https://docs.python.org/release/3.14.2/whatsnew/changelog.html
https://docs.python.org/release/3.13.11/whatsnew/changelog.html