Hi,

This probably affects a large number of Python ports which won't build due to the vulnerability in the build dependency.
Any plans on how to proceed?

Best
Michael

Begin forwarded message:

Date: Thu, 14 May 2026 10:00:49 +0000
From: Daniel Engberg <[email protected]>
To: [email protected], [email protected], [email protected]
Subject: git: 680508df7b6a - main - security/vuxml: Add entry for (py-)setuptools CVE-2025-47273

The branch main has been updated by diizzy:

URL: https://cgit.FreeBSD.org/ports/commit/?id=680508df7b6afef2e0946653a556df8db30af1fb

commit 680508df7b6afef2e0946653a556df8db30af1fb
Author:     Daniel Engberg <[email protected]>
AuthorDate: 2026-05-14 09:54:53 +0000
Commit:     Daniel Engberg <[email protected]>
CommitDate: 2026-05-14 09:54:57 +0000

    security/vuxml: Add entry for (py-)setuptools CVE-2025-47273

    This is almost a one year old CVE
---
 security/vuxml/vuln/2026.xml | 37 +++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)

diff --git a/security/vuxml/vuln/2026.xml b/security/vuxml/vuln/2026.xml
index 16b80d389de4..58825aabec01 100644
--- a/security/vuxml/vuln/2026.xml
+++ b/security/vuxml/vuln/2026.xml
@@ -1,3 +1,40 @@ + <vuln vid="690144e9-4f88-11f1-982e-00a098b42aeb"> + <topic>py-setuptools -- Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')</topic> + <affects> + <package> + <name>py310-setuptools</name> + <name>py311-setuptools</name> + <name>py312-setuptools</name> + <name>py313-setuptools</name> + <name>py313t-setuptools</name> + <name>py314-setuptools</name> + <range><lt>78.1.1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>https://github.com/pypa/setuptools/security/advisories/GHSA-5rjg-fvgr-3xxf reports:</p> + <blockquote cite="https://github.com/pypa/setuptools/security/advisories/GHSA-5rjg-fvgr-3xxf"> + <p>setuptools is a package that allows users to download, build, + install, upgrade, and uninstall Python packages. A path traversal + vulnerability in `PackageIndex` is present in setuptools prior to + version 78.1.1. An attacker would be allowed to write files to + arbitrary locations on the filesystem with the permissions of the + process running the Python code, which could escalate to remote + code execution depending on the context.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2025-47273</cvename> + <url>https://cveawg.mitre.org/api/cve/CVE-2025-47273</url> + </references> + <dates> + <discovery>2025-05-17</discovery> + <entry>2026-05-14</entry> + </dates> + </vuln> + <vuln vid="b3cb8f40-4f4c-11f1-80f1-2cf05da270f3"> <topic>Gitlab -- vulnerabilities</topic> <affects> -- Michael Gmelin
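Review bot: the <references> block of the new entry carries only the <cvename> and the MITRE CVE URL, while the upstream GHSA advisory that the description quotes appears solely inside the <p> text and the blockquote cite attribute; add it as a reference as well, e.g. a line <url>https://github.com/pypa/setuptools/security/advisories/GHSA-5rjg-fvgr-3xxf</url> next to the existing <cvename>CVE-2025-47273</cvename>, so the primary source is reachable from the references like the CVE link is. A second point on the <affects> block: <range><lt>78.1.1</lt></range> marks every listed py3*-setuptools package below 78.1.1 as vulnerable, and the ports framework's vulnerability check then refuses to install those packages (and so breaks the build of everything that build-depends on them) unless DISABLE_VULNERABILITIES is set; the entry should therefore be coordinated with the setuptools port in the tree being at 78.1.1 or later, or the commit message should say how that is handled.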
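The bug class the quoted advisory describes, a file name derived from a URL that ends up outside the intended download directory, as an added illustrative example. This is not setuptools' PackageIndex code and does not claim to mirror its exact code path; the function names, the download directory /tmp/dl, the host example.invalid and the sample URLs are assumptions constructed for the example. It puts the naive pattern (pick the last URL segment, percent-decode it, join it onto the directory) next to a hardened resolver that decodes first, insists on a single plain file name and then checks that the real path still lives directly in the directory.

```python
"""Illustrative example of the URL-to-filename path traversal class.

Added for this page; it is NOT the setuptools PackageIndex implementation
and does not claim to mirror its exact code path. Function names, the
download directory and the sample URLs are assumptions for this example.
"""
import os
import posixpath
from urllib.parse import unquote, urlsplit


def unsafe_download_path(download_dir: str, url: str) -> str:
    """Naive pattern: take the last URL path segment, percent-decode it,
    then join it onto the download directory with no containment check.

    The decode happens after the segment was chosen, so an encoded
    '..%2F..%2F' survives as one "segment" and turns back into '../../'
    at join time, steering the write outside download_dir.
    """
    segment = posixpath.basename(urlsplit(url).path)
    name = unquote(segment)
    return os.path.normpath(os.path.join(download_dir, name))


def resolve_download_path(download_dir: str, url: str) -> str:
    """Hardened resolver: decode, require a single plain file name, then
    verify the final real path is a direct child of download_dir.
    Raises ValueError for anything that would escape."""
    segment = posixpath.basename(urlsplit(url).path)
    name = unquote(segment)
    # After decoding, a separator, a NUL or a bare dot-name means the URL
    # did not denote one file name inside the directory: refuse it outright
    # rather than silently stripping the traversal.
    if name in ("", ".", "..") or any(c in name for c in ("/", "\\", "\0")):
        raise ValueError(f"refusing unsafe file name derived from {url!r}")
    base = os.path.realpath(download_dir)
    target = os.path.realpath(os.path.join(base, name))
    # realpath follows symlinks, so a pre-planted link inside download_dir
    # that points elsewhere is rejected by this containment check too.
    if os.path.dirname(target) != base:
        raise ValueError(f"{target!r} escapes {base!r}")
    return target


def is_safe_download_url(download_dir: str, url: str) -> bool:
    """True when the hardened resolver accepts the URL, False when it refuses."""
    try:
        resolve_download_path(download_dir, url)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs for demonstration only.
    download_dir = "/tmp/dl"
    benign = "https://example.invalid/simple/foo/foo-1.0.tar.gz"
    hostile = "https://example.invalid/simple/foo/..%2F..%2Fetc%2Fcron.d%2Fx"
    print("naive, benign    :", unsafe_download_path(download_dir, benign))
    print("naive, hostile   :", unsafe_download_path(download_dir, hostile))
    print("hardened, benign :", resolve_download_path(download_dir, benign))
    print("hardened, hostile:", is_safe_download_url(download_dir, hostile))
```

The ordering is the point: decoding before the single-segment check means an encoded separator cannot smuggle a directory component past the basename step, and the realpath comparison catches what string checks miss (symlinks, platform separators). The resolver rejects suspicious names instead of normalising them, so a hostile index cannot even overwrite a sibling file under a name of its choosing.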
