From: Stuart Henderson Subject: python 3.12.13 update To: Kurt Mosiejczuk , Theo Buehler , ports Date: Mon, 16 Mar 2026 23:30:09 +0000 On 2026/03/16 23:23, Stuart Henderson wrote: > This updates to February's release, and cherry-picks two recent CVE > fixes (med/high). I expect another release will be on the way at some > point but seems worth bringing them in already. > > Diff to follow for 7.8-stable. There's no commit on the 3.12 branch for those CVEs yet; probably doesn't need a lot of work but for now here's the 3.12.13 update with the required bits to cope with our expat build. Index: Makefile =================================================================== RCS file: /cvs/ports/lang/python/3/Makefile,v diff -u -p -r1.15 Makefile --- Makefile 14 Jun 2025 20:08:20 -0000 1.15 +++ Makefile 16 Mar 2026 23:27:53 -0000 @@ -3,12 +3,15 @@ # requirement of the PSF license, if it constitutes a change to # Python itself. -FULL_VERSION = 3.12.11 +FULL_VERSION = 3.12.13 SHARED_LIBS = python3.12 0.0 VERSION_SPEC = >=3.12,<3.13 PORTROACH = limit:^3\.12 AUTOCONF_VERSION = 2.71 + +# XXX - should come from expat_config.h, which isn't installed in base +CFLAGS += -DXML_DTD -DXML_GE=1 CONFIGURE_ENV += ac_cv_working_openssl_hashlib=yes \ TCLTK_CFLAGS="-I${MODTCL_INCDIR} -I${MODTK_INCDIR} -I${X11BASE}/include" \ Index: distinfo =================================================================== RCS file: /cvs/ports/lang/python/3/distinfo,v diff -u -p -r1.6 distinfo --- distinfo 14 Jun 2025 20:08:20 -0000 1.6 +++ distinfo 16 Mar 2026 23:27:53 -0000 @@ -1,2 +1,2 @@ -SHA256 (Python-3.12.11.tgz) = e41Zr4IWBE0jE96BIL/CzACpvS5ULxV5Xh1hbFH689Y= -SIZE (Python-3.12.11.tgz) = 27126512 +SHA256 (Python-3.12.13.tgz) = CBbEdhyX7Ns/UKOSTeCpP9eMtj7o5sBCAd367cpQCws= +SIZE (Python-3.12.13.tgz) = 27262093 Index: files/CHANGES.OpenBSD =================================================================== RCS file: /cvs/ports/lang/python/3/files/CHANGES.OpenBSD,v diff -u -p -r1.2 CHANGES.OpenBSD --- files/CHANGES.OpenBSD 21 Dec 2024 11:32:44 -0000 1.2 +++ files/CHANGES.OpenBSD 16 Mar 2026 23:27:53 -0000 @@ -25,5 +25,7 @@ which results in loading an incorrect ve 8. Adjust #ifdef to use LibreSSL's version of X509_STORE_get1_objects(). +9. Work around expat_config.h missing from base. + These changes are available in the OpenBSD CVS repository in ports/lang/python/3. Index: patches/patch-Modules_pyexpat_c =================================================================== RCS file: patches/patch-Modules_pyexpat_c diff -N patches/patch-Modules_pyexpat_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-Modules_pyexpat_c 16 Mar 2026 23:27:53 -0000 @@ -0,0 +1,15 @@ +- remove #include "expat_config.h"; this (or an alternative, see +textproc/xmlwf for another approach) needs to be kept unless expat +in base starts providing this config header + +Index: Modules/pyexpat.c +--- Modules/pyexpat.c.orig ++++ Modules/pyexpat.c +@@ -8,7 +8,6 @@ + + #include + #include "structmember.h" // PyMemberDef +-#include "expat_config.h" + #include "expat.h" + + #include "pyexpat.h" Index: pkg/PLIST-tests =================================================================== RCS file: /cvs/ports/lang/python/3/pkg/PLIST-tests,v diff -u -p -r1.8 PLIST-tests --- pkg/PLIST-tests 15 Apr 2025 20:36:43 -0000 1.8 +++ pkg/PLIST-tests 16 Mar 2026 23:27:53 -0000 @@ -4820,7 +4820,7 @@ lib/python3.12/test/typinganndata/ann_mo lib/python3.12/test/typinganndata/ann_module9.py lib/python3.12/test/typinganndata/mod_generics_cache.py lib/python3.12/test/wheeldata/ -lib/python3.12/test/wheeldata/setuptools-67.6.1-py3-none-any.whl +lib/python3.12/test/wheeldata/setuptools-79.0.1-py3-none-any.whl lib/python3.12/test/wheeldata/wheel-0.40.0-py3-none-any.whl lib/python3.12/test/win_console_handler.py lib/python3.12/test/xmltestdata/