The only Jython version in ::gentoo is based on CPython 2.7, which has a lot of known vulnerabilities. At first glance, I see at least (by matching CPython commits):

- bpo-43124: Fix smtplib multiple CRLF injection (GH-25987) (GH-28038)
- bpo-44022: Fix http client infinite line reading (DoS) after a HTTP 100 Continue (GH-25916)
- bpo-43882: urllib.parse should sanitize urls containing ASCII newline and tabs. (GH-25595) (GH-25725)
- bpo-43075: Fix ReDoS in urllib AbstractBasicAuthHandler (GH-24391)
- bpo-43285: Make ftplib not trust the PASV response. (GH-24838) (GH-24881) (GH-24882)
- bpo-42967: only use '&' as a query string separator (GH-24297) (GH-24532)

(and more, see the gentoo-2.7-vanilla branch in fork/cpython.git)
This seems to only be a hard requirement of two packages: dev-java/batik[python] and dev-java/bsf[python]. Do we need to keep it around if it's based on Python 2.7?
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=11430d59a4ef0c6bf5fe71cd2dcdc755d52c7197

commit 11430d59a4ef0c6bf5fe71cd2dcdc755d52c7197
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2023-04-05 12:37:40 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2023-04-08 12:33:57 +0000

    profiles/package.mask: Last rite dev-java/jython

    Bug: https://bugs.gentoo.org/825486
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/30455
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 profiles/package.mask | 5 +++++
 1 file changed, 5 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=451c0fa5beb7fe981da35b2eff1c2cfb89d65cab

commit 451c0fa5beb7fe981da35b2eff1c2cfb89d65cab
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2023-03-26 15:24:46 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2023-04-08 12:33:46 +0000

    profiles/base: use.mask dev-java/{ant-apache-,}bsf}[python]

    Bug: https://bugs.gentoo.org/825486
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 profiles/base/package.use.mask | 6 ++++++
 1 file changed, 6 insertions(+)
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e4d717fb45ff9bf0ae328dccee5dd761630c3436

commit e4d717fb45ff9bf0ae328dccee5dd761630c3436
Author:     David Seifert <soap@gentoo.org>
AuthorDate: 2023-05-11 10:12:23 +0000
Commit:     David Seifert <soap@gentoo.org>
CommitDate: 2023-05-11 10:12:23 +0000

    dev-java/jython: treeclean

    Closes: https://bugs.gentoo.org/825486
    Closes: https://bugs.gentoo.org/828473
    Closes: https://bugs.gentoo.org/886363
    Signed-off-by: David Seifert <soap@gentoo.org>

 dev-java/jython/Manifest                                     |   1 -
 dev-java/jython/files/CVE-2016-4000.patch                    | 158 ---------------------
 .../jython-2.5.2-distutils_scripts_location.patch            |  11 --
 .../files/jython-2.5.2-respect_PYTHONPATH.patch              |  15 --
 dev-java/jython/files/jython-2.7.0-build.xml.patch           |  11 --
 dev-java/jython/files/jython-2.7_beta1-ant.patch             |  28 ----
 ...n-2.7_beta1-dont-always-recompile-classes.patch           |  11 --
 .../files/jython-2.7_beta2-maxrepeat-import.patch            |  16 ---
 dev-java/jython/jython-2.7.0-r7.ebuild                       | 156 --------------------
 dev-java/jython/metadata.xml                                 |  11 --
 profiles/package.mask                                        |   5 -
 11 files changed, 423 deletions(-)