(no subject)
Update to the next point release of Python, which allows removal of the
cherry-picked fixes.
I've been running it locally on amd64 since it was released with no
issues.
ok?
Index: Makefile
===================================================================
RCS file: /cvs/ports/lang/python/3/Makefile,v
diff -u -p -u -r1.29 Makefile
--- Makefile 16 May 2026 21:56:52 -0000 1.29
+++ Makefile 31 May 2026 12:33:14 -0000
@@ -3,8 +3,7 @@
# requirement of the PSF license, if it constitutes a change to
# Python itself.
-FULL_VERSION = 3.14.4
-REVISION-main = 1
+FULL_VERSION = 3.14.5
SHARED_LIBS = python3.14 0.0
VERSION_SPEC = >=3.14
PORTROACH = limit:^3\.14
Index: distinfo
===================================================================
RCS file: /cvs/ports/lang/python/3/distinfo,v
diff -u -p -u -r1.12 distinfo
--- distinfo 12 May 2026 13:45:10 -0000 1.12
+++ distinfo 31 May 2026 12:33:14 -0000
@@ -1,2 +1,2 @@
-SHA256 (Python-3.14.4.tgz) = tMBZ1YlfAw59+WY4lM43Mr+hsyzTqyiDmAJmpFzjyzs=
-SIZE (Python-3.14.4.tgz) = 31148035
+SHA256 (Python-3.14.5.tgz) = nCK/6ZOabFQY/HSyiaXxzEGFmugqxrFjAWtYRL0Khrw=
+SIZE (Python-3.14.5.tgz) = 31197461
Index: files/CHANGES.OpenBSD
===================================================================
RCS file: /cvs/ports/lang/python/3/files/CHANGES.OpenBSD,v
diff -u -p -u -r1.6 CHANGES.OpenBSD
--- files/CHANGES.OpenBSD 14 Apr 2026 10:51:23 -0000 1.6
+++ files/CHANGES.OpenBSD 31 May 2026 12:33:14 -0000
@@ -24,7 +24,5 @@ which results in loading an incorrect ve
8. Work around expat_config.h missing from base.
-9. Cherry-pick fixes for CVE-2026-4519, CVE-2026-6100.
-
These changes are available in the OpenBSD CVS repository
<http://www.openbsd.org/anoncvs.html> in ports/lang/python/3.
Index: patches/patch-Lib_test_test_webbrowser_py
===================================================================
RCS file: patches/patch-Lib_test_test_webbrowser_py
diff -N patches/patch-Lib_test_test_webbrowser_py
--- patches/patch-Lib_test_test_webbrowser_py 12 May 2026 13:45:10 -0000 1.2
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,26 +0,0 @@
-Fix fix for CVE 2026-4519
-
-A bypass in :mod:`webbrowser` allowed URLs prefixed with ``%action`` to pass
-the dash-prefix safety check.
-
-https://github.com/python/cpython/pull/148517
-
-Index: Lib/test/test_webbrowser.py
---- Lib/test/test_webbrowser.py.orig
-+++ Lib/test/test_webbrowser.py
-@@ -119,6 +119,15 @@ class ChromeCommandTest(CommandTestMixin, unittest.Tes
- arguments=[URL],
- kw=dict(new=999))
-
-+ def test_reject_action_dash_prefixes(self):
-+ browser = self.browser_class(name=CMD_NAME)
-+ with self.assertRaises(ValueError):
-+ browser.open('%action--incognito')
-+ # new=1: action is "--new-window", so "%action" itself expands to
-+ # a dash-prefixed flag even with no dash in the original URL.
-+ with self.assertRaises(ValueError):
-+ browser.open('%action', new=1)
-+
-
- class EdgeCommandTest(CommandTestMixin, unittest.TestCase):
-
Index: patches/patch-Lib_webbrowser_py
===================================================================
RCS file: patches/patch-Lib_webbrowser_py
diff -N patches/patch-Lib_webbrowser_py
--- patches/patch-Lib_webbrowser_py 12 May 2026 13:45:10 -0000 1.2
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,28 +0,0 @@
-Fix fix for CVE 2026-4519
-
-A bypass in :mod:`webbrowser` allowed URLs prefixed with ``%action`` to pass
-the dash-prefix safety check.
-
-https://github.com/python/cpython/pull/148517
-Index: Lib/webbrowser.py
---- Lib/webbrowser.py.orig
-+++ Lib/webbrowser.py
-@@ -274,7 +274,6 @@ class UnixBrowser(BaseBrowser):
-
- def open(self, url, new=0, autoraise=True):
- sys.audit("webbrowser.open", url)
-- self._check_url(url)
- if new == 0:
- action = self.remote_action
- elif new == 1:
-@@ -288,7 +287,9 @@ class UnixBrowser(BaseBrowser):
- raise Error("Bad 'new' parameter to open(); "
- f"expected 0, 1, or 2, got {new}")
-
-- args = [arg.replace("%s", url).replace("%action", action)
-+ self._check_url(url.replace("%action", action))
-+
-+ args = [arg.replace("%action", action).replace("%s", url)
- for arg in self.remote_args]
- args = [arg for arg in args if arg]
- success = self._invoke(args, True, autoraise, url)
Index: patches/patch-Makefile_pre_in
===================================================================
RCS file: /cvs/ports/lang/python/3/patches/patch-Makefile_pre_in,v
diff -u -p -u -r1.3 patch-Makefile_pre_in
--- patches/patch-Makefile_pre_in 12 May 2026 13:45:10 -0000 1.3
+++ patches/patch-Makefile_pre_in 31 May 2026 12:33:14 -0000
@@ -3,7 +3,7 @@ Make bsd make happy
Index: Makefile.pre.in
--- Makefile.pre.in.orig
+++ Makefile.pre.in
-@@ -607,8 +607,6 @@ LIBMPDEC_OBJS= \
+@@ -609,8 +609,6 @@ LIBMPDEC_OBJS= \
Modules/_decimal/libmpdec/numbertheory.o \
Modules/_decimal/libmpdec/sixstep.o \
Modules/_decimal/libmpdec/transpose.o
Index: patches/patch-Modules__bz2module_c
===================================================================
RCS file: patches/patch-Modules__bz2module_c
diff -N patches/patch-Modules__bz2module_c
--- patches/patch-Modules__bz2module_c 12 May 2026 13:45:10 -0000 1.2
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,21 +0,0 @@
-CVE-2026-6100:
-
-Fix a dangling input pointer in :class:`lzma.LZMADecompressor`,
-:class:`bz2.BZ2Decompressor`, and internal :class:`!zlib._ZlibDecompressor`
-when memory allocation fails with :exc:`MemoryError`, which could let a
-subsequent :meth:`!decompress` call read or write through a stale pointer to
-the already-released caller buffer.
-
-https://github.com/python/cpython/pull/148479
-
-Index: Modules/_bz2module.c
---- Modules/_bz2module.c.orig
-+++ Modules/_bz2module.c
-@@ -593,6 +593,7 @@ decompress(BZ2Decompressor *d, char *data, size_t len,
- return result;
-
- error:
-+ bzs->next_in = NULL;
- Py_XDECREF(result);
- return NULL;
- }
Index: patches/patch-Modules__lzmamodule_c
===================================================================
RCS file: patches/patch-Modules__lzmamodule_c
diff -N patches/patch-Modules__lzmamodule_c
--- patches/patch-Modules__lzmamodule_c 12 May 2026 13:45:10 -0000 1.2
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,21 +0,0 @@
-CVE-2026-6100:
-
-Fix a dangling input pointer in :class:`lzma.LZMADecompressor`,
-:class:`bz2.BZ2Decompressor`, and internal :class:`!zlib._ZlibDecompressor`
-when memory allocation fails with :exc:`MemoryError`, which could let a
-subsequent :meth:`!decompress` call read or write through a stale pointer to
-the already-released caller buffer.
-
-https://github.com/python/cpython/pull/148479
-
-Index: Modules/_lzmamodule.c
---- Modules/_lzmamodule.c.orig
-+++ Modules/_lzmamodule.c
-@@ -1120,6 +1120,7 @@ decompress(Decompressor *d, uint8_t *data, size_t len,
- return result;
-
- error:
-+ lzs->next_in = NULL;
- Py_XDECREF(result);
- return NULL;
- }
Index: patches/patch-Modules_zlibmodule_c
===================================================================
RCS file: patches/patch-Modules_zlibmodule_c
diff -N patches/patch-Modules_zlibmodule_c
--- patches/patch-Modules_zlibmodule_c 14 Apr 2026 10:51:23 -0000 1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,21 +0,0 @@
-CVE-2026-6100:
-
-Fix a dangling input pointer in :class:`lzma.LZMADecompressor`,
-:class:`bz2.BZ2Decompressor`, and internal :class:`!zlib._ZlibDecompressor`
-when memory allocation fails with :exc:`MemoryError`, which could let a
-subsequent :meth:`!decompress` call read or write through a stale pointer to
-the already-released caller buffer.
-
-https://github.com/python/cpython/pull/148479
-
-Index: Modules/zlibmodule.c
---- Modules/zlibmodule.c.orig
-+++ Modules/zlibmodule.c
-@@ -1675,6 +1675,7 @@ decompress(ZlibDecompressor *self, uint8_t *data,
- return result;
-
- error:
-+ self->zst.next_in = NULL;
- Py_XDECREF(result);
- return NULL;
- }
Index: patches/patch-configure_ac
===================================================================
RCS file: /cvs/ports/lang/python/3/patches/patch-configure_ac,v
diff -u -p -u -r1.6 patch-configure_ac
--- patches/patch-configure_ac 12 May 2026 13:45:10 -0000 1.6
+++ patches/patch-configure_ac 31 May 2026 12:33:14 -0000
@@ -49,7 +49,7 @@ Index: configure.ac
# Any changes made here should be reflected in the GCC+Darwin case below
PGO_PROF_GEN_FLAG="-fprofile-instr-generate"
PGO_PROF_USE_FLAG="-fprofile-instr-use=\"\$(shell pwd)/code.profclangd\""
-@@ -4417,11 +4418,7 @@ dnl Detect Tcl/Tk. Use pkg-config if available.
+@@ -4439,11 +4440,7 @@ dnl Detect Tcl/Tk. Use pkg-config if available.
dnl
found_tcltk=no
for _QUERY in \
Index: pkg/PLIST-main
===================================================================
RCS file: /cvs/ports/lang/python/3/pkg/PLIST-main,v
diff -u -p -u -r1.21 PLIST-main
--- pkg/PLIST-main 16 May 2026 21:56:52 -0000 1.21
+++ pkg/PLIST-main 31 May 2026 12:33:15 -0000
@@ -1918,7 +1918,7 @@ lib/${PY_VERSION}/ensurepip/__pycache__/
lib/${PY_VERSION}/ensurepip/__pycache__/_uninstall.${PYC_MAGIC_TAG}.opt-2.pyc
lib/${PY_VERSION}/ensurepip/__pycache__/_uninstall.${PYC_MAGIC_TAG}.pyc
lib/${PY_VERSION}/ensurepip/_bundled/
-lib/${PY_VERSION}/ensurepip/_bundled/pip-26.0.1-py3-none-any.whl
+lib/${PY_VERSION}/ensurepip/_bundled/pip-26.1.1-py3-none-any.whl
lib/${PY_VERSION}/ensurepip/_uninstall.py
lib/${PY_VERSION}/enum.py
lib/${PY_VERSION}/filecmp.py
Index: pkg/PLIST-tests
===================================================================
RCS file: /cvs/ports/lang/python/3/pkg/PLIST-tests,v
diff -u -p -u -r1.14 PLIST-tests
--- pkg/PLIST-tests 12 May 2026 13:45:10 -0000 1.14
+++ pkg/PLIST-tests 31 May 2026 12:33:16 -0000
@@ -31,9 +31,6 @@ lib/${PY_VERSION}/test/__pycache__/_test
lib/${PY_VERSION}/test/__pycache__/_test_embed_structseq.${PYC_MAGIC_TAG}.opt-1.pyc
lib/${PY_VERSION}/test/__pycache__/_test_embed_structseq.${PYC_MAGIC_TAG}.opt-2.pyc
lib/${PY_VERSION}/test/__pycache__/_test_embed_structseq.${PYC_MAGIC_TAG}.pyc
-lib/${PY_VERSION}/test/__pycache__/_test_gc_fast_cycles.${PYC_MAGIC_TAG}.opt-1.pyc
-lib/${PY_VERSION}/test/__pycache__/_test_gc_fast_cycles.${PYC_MAGIC_TAG}.opt-2.pyc
-lib/${PY_VERSION}/test/__pycache__/_test_gc_fast_cycles.${PYC_MAGIC_TAG}.pyc
lib/${PY_VERSION}/test/__pycache__/_test_monitoring_shutdown.${PYC_MAGIC_TAG}.opt-1.pyc
lib/${PY_VERSION}/test/__pycache__/_test_monitoring_shutdown.${PYC_MAGIC_TAG}.opt-2.pyc
lib/${PY_VERSION}/test/__pycache__/_test_monitoring_shutdown.${PYC_MAGIC_TAG}.pyc
@@ -1362,7 +1359,6 @@ lib/${PY_VERSION}/test/_crossinterp_defi
lib/${PY_VERSION}/test/_test_atexit.py
lib/${PY_VERSION}/test/_test_eintr.py
lib/${PY_VERSION}/test/_test_embed_structseq.py
-lib/${PY_VERSION}/test/_test_gc_fast_cycles.py
lib/${PY_VERSION}/test/_test_monitoring_shutdown.py
lib/${PY_VERSION}/test/_test_multiprocessing.py
lib/${PY_VERSION}/test/_test_venv_multiprocessing.py
@@ -3951,6 +3947,7 @@ lib/${PY_VERSION}/test/test_json/__pycac
lib/${PY_VERSION}/test/test_json/__pycache__/test_unicode.${PYC_MAGIC_TAG}.opt-1.pyc
lib/${PY_VERSION}/test/test_json/__pycache__/test_unicode.${PYC_MAGIC_TAG}.opt-2.pyc
lib/${PY_VERSION}/test/test_json/__pycache__/test_unicode.${PYC_MAGIC_TAG}.pyc
+lib/${PY_VERSION}/test/test_json/json_lines.jsonl
lib/${PY_VERSION}/test/test_json/test_decode.py
lib/${PY_VERSION}/test/test_json/test_default.py
lib/${PY_VERSION}/test/test_json/test_dump.py