Re: [Bug 263060] devel/py-py: Update to 1.10.0 (security) -> 1.11.0 (for @py311 support)

From: Hubert Tournier <hubert.tournier_at_gmail.com>
Date: Mon, 24 Apr 2023 20:42:31 UTC
Hello,
Project's URL is https://github.com/pytest-dev/py
Version 1.11.0 is the last version available.
When you look at https://osv.dev/vulnerability/PYSEC-2022-42969 you see the
"Last affected 1.11.0" entry, which means that the latest available version
is vulnerable (otherwise, you would have a "Fixed x.x.x" entry).
The source code repository states that "this library is in *maintenance
mode* and should not be used in new code".
According to the discussions referenced in the PYSEC entry, you'll see that
the maintainers downplay this vulnerability report and have no intention to
fix it.
They also mention their desire to have it withdrawn, which apparently never
happened in any of the vulnerability repositories I use...
Granted it seems to affect a portion of the code that'll probably rarely be
used nowadays, so the risk is probably low.
I guess that this port will stay vulnerable, except if someone has a
corrected fork among the 65 existing ones...
Best regards,

On Mon, 24 Apr 2023 at 19:45, <bugzilla-noreply@freebsd.org> wrote:

> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263060
>
> George Mitchell <george@m5p.com> changed:
>
>            What    |Removed                     |Added
>
> ----------------------------------------------------------------------------
>                  CC|                            |george@m5p.com
>
> --- Comment #4 from George Mitchell <george@m5p.com> ---
> It appears as if this bug should be closed.  However, can anyone here verify
> the WWW entry in the Makefile?  Visiting https://pylib.org sends one to a
> company that appears to be in the business of writing term papers.
> https://pypi.org/project/py/ looks a lot more plausible to me.  In the
> meantime, version 1.11.0 is now listed in vuln.xml, and there doesn't seem to
> be a newer version available yet.
>
> --
> You are receiving this mail because:
> You are the assignee for the bug.
>
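The message above leans on the difference between an OSV "Fixed" event and a "Last affected" event. The following script is an added example (not part of this thread, the FreeBSD ports tree, or the py project) that evaluates an OSV-style ECOSYSTEM range the way that distinction requires: "fixed" closes a range exclusively, "last_affected" closes it inclusively, and a version beyond "last_affected" is merely not covered, not known to be fixed. The advisory records it operates on are constructed to mimic the shape of an OSV entry; the only detail taken from the discussion is the last affected version 1.11.0, so the identifiers, dates and second record are placeholders, not the real PYSEC-2022-42969 data.

```python
"""Evaluate OSV-style affected ranges (added example, not from the thread).

OSV ranges of type ECOSYSTEM are a sequence of events: "introduced" opens a
range, "fixed" closes it exclusively, "last_affected" closes it inclusively.
An advisory whose range ends with "last_affected" therefore says the newest
listed release is still affected, and any later release is simply unassessed.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample advisories in the shape of OSV records.  Only the
# "last_affected": "1.11.0" value comes from the discussion; the ids and the
# second record are placeholders for illustration.
ADVISORY_LAST_AFFECTED: Dict = {
    "id": "PYSEC-EXAMPLE-0001",
    "affected": [{
        "package": {"ecosystem": "PyPI", "name": "py"},
        "ranges": [{
            "type": "ECOSYSTEM",
            "events": [{"introduced": "0"}, {"last_affected": "1.11.0"}],
        }],
    }],
}

ADVISORY_FIXED: Dict = {
    "id": "PYSEC-EXAMPLE-0002",
    "affected": [{
        "package": {"ecosystem": "PyPI", "name": "py"},
        "ranges": [{
            "type": "ECOSYSTEM",
            "events": [{"introduced": "1.0.0"}, {"fixed": "1.11.0"}],
        }],
    }],
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Parse a plain dotted numeric version such as '1.10.0' into a tuple.

    Real OSV tooling uses ecosystem-specific comparison (PEP 440 for PyPI);
    plain numeric dotted versions are enough for this illustration.
    """
    return tuple(int(part) for part in v.split("."))


def _ecosystem_ranges(advisory: Dict, name: str) -> List[List[Dict]]:
    """Return the event lists of every ECOSYSTEM range for package `name`."""
    events = []
    for entry in advisory.get("affected", []):
        if entry.get("package", {}).get("name") != name:
            continue
        for rng in entry.get("ranges", []):
            if rng.get("type") == "ECOSYSTEM":
                events.append(rng.get("events", []))
    return events


def is_affected(advisory: Dict, name: str, version: str) -> bool:
    """True if `version` of `name` falls inside an affected range."""
    v = parse_version(version)
    for events in _ecosystem_ranges(advisory, name):
        lower: Optional[Tuple[int, ...]] = None
        for event in events:
            if "introduced" in event:
                lower = parse_version(event["introduced"])
            elif lower is not None and "fixed" in event:
                # Exclusive upper bound: the fixed version itself is clean.
                if lower <= v < parse_version(event["fixed"]):
                    return True
                lower = None
            elif lower is not None and "last_affected" in event:
                # Inclusive upper bound: the named version is still affected.
                if lower <= v <= parse_version(event["last_affected"]):
                    return True
                lower = None
        # A range that was opened but never closed affects everything above.
        if lower is not None and lower <= v:
            return True
    return False


def fixed_version(advisory: Dict, name: str) -> Optional[str]:
    """Return the first 'fixed' version for `name`, or None when the advisory
    only records a 'last_affected' bound (i.e. no fix is known)."""
    for events in _ecosystem_ranges(advisory, name):
        for event in events:
            if "fixed" in event:
                return event["fixed"]
    return None


if __name__ == "__main__":
    for adv in (ADVISORY_LAST_AFFECTED, ADVISORY_FIXED):
        fix = fixed_version(adv, "py")
        print(adv["id"], "fixed in", fix if fix else "(no fix recorded)")
        for ver in ("1.10.0", "1.11.0", "1.12.0"):
            print("  py", ver, "affected:", is_affected(adv, "py", ver))
```

Running it shows why the port cannot be made clean by an update: under the last-affected record both 1.10.0 and 1.11.0 report as affected and `fixed_version` returns `None`, whereas under a record with a "fixed" event 1.11.0 is clean and the fix version is reported. A 1.12.0 that does not exist yet is not matched by either record, which is the "unassessed" outcome rather than evidence of a fix.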