All versions of pypy and pypy3 except for the newest _p1 are currently vulnerable.

Vulnerabilities applicable to all three branches, by CPython commit message summary:

- bpo-42051: Reject XML entity declarations in plist files (GH-22760) (GH-22801) (GH-22804)
- bpo-41944: No longer call eval() on content received via HTTP in the CJK codec tests (GH-22566) (GH-22579)
- bpo-42967: only use '&' as a query string separator (GH-24297) (GH-24532) -- warning, this is a breaking change
- bpo-40791: Make compare_digest more constant-time. (GH-23438) -- this one needs to be specially updated for pypy, see below

To pypy3 (both branches) only:

- bpo-42103: Improve validation of Plist files. (GH-22882) (#23117)

I'm not sure yet if we should stabilize the new versions (including pypy3.7 that's alpha upstream) or just drop all to ~arch.
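The breaking change flagged for bpo-42967 above, as an added example that is not part of the original report and is not CPython or PyPy code: a simplified model of query parsing before the fix (split on '&' and ';') and after it ('&' only), used to find query strings that parse differently once the update is installed. The function names and the sample queries are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Simplified model of the two behaviours (assumption: blank fields are skipped
# and a field without '=' gets an empty value; this is not the stdlib code).
LEGACY_SEPARATORS = re.compile("[&;]")  # before the fix: '&' and ';' both split
FIXED_SEPARATORS = re.compile("&")      # after the fix: only '&' splits


def _parse(query, separators):
    """Split on raw separators first, then percent-decode each name and value."""
    pairs = []
    for field in separators.split(query):
        if not field:
            continue
        name, _, value = field.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def legacy_parse(query):
    return _parse(query, LEGACY_SEPARATORS)


def fixed_parse(query):
    return _parse(query, FIXED_SEPARATORS)


def affected_queries(queries):
    """Return the queries whose parameters change between the two behaviours."""
    return [q for q in queries if legacy_parse(q) != fixed_parse(q)]


# Constructed sample input, e.g. query strings pulled from access logs or tests.
SAMPLE_QUERIES = [
    "page=2&sort=name",                   # '&' only: unchanged
    "page=2;sort=name",                   # ';' used as separator: changes
    "q=a%3Bb&lang=en",                    # encoded ';' is data: unchanged
    "redirect=/home;debug=1&user=alice",  # mixed: 'debug' no longer a parameter
]

if __name__ == "__main__":
    for q in affected_queries(SAMPLE_QUERIES):
        print(q, legacy_parse(q), "->", fixed_parse(q))
```

Any query reported here is one where a front end and the application could previously disagree about the parameter list, and where application code that relied on ';' needs adjusting after the upgrade.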
Sanity check failed:

> dev-python/pypy3-7.3.3_p37_p1
> depend amd64 dev profile default/linux/amd64/17.0/x32 (1 total)
> dev-python/pypy3-exe-bin:7.3.3_p37
> dev-python/pypy3-exe:7.3.3_p37[bzip2,ncurses]
> depend amd64 stable profile default/linux/amd64/17.1 (26 total)
> dev-python/pypy3-exe-bin:7.3.3_p37
> dev-python/pypy3-exe:7.3.3_p37[bzip2,ncurses]
> rdepend amd64 dev profile default/linux/amd64/17.0/x32 (1 total)
> dev-python/pypy3-exe-bin:7.3.3_p37
> dev-python/pypy3-exe:7.3.3_p37[bzip2,ncurses]
> rdepend amd64 stable profile default/linux/amd64/17.1 (26 total)
> dev-python/pypy3-exe-bin:7.3.3_p37
> dev-python/pypy3-exe:7.3.3_p37[bzip2,ncurses]
Unable to check for sanity: > no match for package: dev-python/pypy-7.3.3_p1
We need to rebuild the executable for constant-time operator hash thing.
Unable to check for sanity: > no match for package: dev-python/pypy-exe-7.3.3_p2
All sanity-check issues have been resolved
Ok, I see that I've never stable-unmasked pypy3 target, so let's stabilize the new version. All tests should pass for dev-python/pypy on amd64, no clue about x86, pypy3 is test-restricted.
Unable to check for sanity: > no match for package: dev-python/pypy-7.3.3_p2
amd64 stable
x86 stable. Maintainer(s), please cleanup.
cleaned up.
New GLSA request filed.
Unable to check for sanity: > no match for package: dev-python/pypy3-7.3.3_p37_p1-r1
Unable to check for sanity: > no match for package: dev-python/pypy-7.3.3_p2-r1