From 6e376b9ef504a4099ef2d63d93a444e6e334fe7b Mon Sep 17 00:00:00 2001
From: Vivian Rook
Date: Tue, 9 Dec 2025 11:49:57 +0000
Subject: [PATCH] doc(python-3.1[0123]): Add pending-upstream-fix CVE-2025-12084

python-3.10 Upstream Fix PR: https://github.com/python/cpython/pull/142213
python-3.11 Upstream Fix PR: https://github.com/python/cpython/pull/142212
python-3.12 Upstream Fix PR: https://github.com/python/cpython/pull/142211
python-3.13 Upstream Fix PR: https://github.com/python/cpython/pull/142210
python-3.13 Local Fix PR: https://github.com/wolfi-dev/os/pull/75288
python-3.14 Upstream Fix PR: https://github.com/python/cpython/pull/142209
python-3.14 Local Fix PR: https://github.com/wolfi-dev/os/pull/75289

Related issues:
https://github.com/chainguard-dev/CVE-Dashboard/issues/50689
https://github.com/chainguard-dev/CVE-Dashboard/issues/51027
https://github.com/chainguard-dev/CVE-Dashboard/issues/50150
https://github.com/chainguard-dev/CVE-Dashboard/issues/51032
https://github.com/chainguard-dev/CVE-Dashboard/issues/50978

Signed-off-by: Vivian Rook
---
 python-3.10.advisories.yaml | 4 ++++
 python-3.11.advisories.yaml | 4 ++++
 python-3.12.advisories.yaml | 4 ++++
 python-3.13.advisories.yaml | 4 ++++
 python-3.14.advisories.yaml | 4 ++++
 5 files changed, 20 insertions(+)

diff --git a/python-3.10.advisories.yaml b/python-3.10.advisories.yaml
index 73c66f42a4..ac27aee2c8 100644
--- a/python-3.10.advisories.yaml
+++ b/python-3.10.advisories.yaml
@@ -66,6 +66,10 @@ advisories:
             componentType: apk
             componentLocation: /.PKGINFO
             scanner: grype
+      - timestamp: 2025-12-09T11:43:24Z
+        type: pending-upstream-fix
+        data:
+          note: 'Upstream are actively working on, and have a PR open regarding this issue. Upstream maintainers will need to approve and merge the PR. Fix PR: https://github.com/python/cpython/pull/142213'
   - id: CGA-5pmm-mmg3-pfp3
     aliases:
diff --git a/python-3.11.advisories.yaml b/python-3.11.advisories.yaml
index d6c92b36f1..a027235530 100644
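Review bot: The added `pending-upstream-fix` event leaves python-3.10 shipping unpatched while the 3.13 and 3.14 hunks in this same patch carry the upstream fix locally; the backport PR the note links (cpython#142213) is the same change rebased onto 3.10, so it should either be applied locally too or the note should record why that is not being done. The note also gives readers no sense of the exposure window: 3.10 and 3.11 are, as far as I know, security-only branches with infrequent source-only releases, so "upstream will merge the PR" can mean months before a tagged version exists. Suggest extending the note with one sentence such as `Local backport: <wolfi-dev/os PR> (or: not carried locally because <reason>).` so the advisory documents the decision rather than only the upstream state. The same comment applies to the 3.11 and 3.12 hunks below, which use identical wording.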
--- a/python-3.11.advisories.yaml
+++ b/python-3.11.advisories.yaml
@@ -162,6 +162,10 @@ advisories:
             componentType: apk
             componentLocation: /.PKGINFO
             scanner: grype
+      - timestamp: 2025-12-09T11:44:14Z
+        type: pending-upstream-fix
+        data:
+          note: 'Upstream are actively working on, and have a PR open regarding this issue. Upstream maintainers will need to approve and merge the PR. Fix PR: https://github.com/python/cpython/pull/142212'
   - id: CGA-crq7-9946-pwg9
     aliases:
diff --git a/python-3.12.advisories.yaml b/python-3.12.advisories.yaml
index 61af2444e8..958a67041f 100644
--- a/python-3.12.advisories.yaml
+++ b/python-3.12.advisories.yaml
@@ -318,6 +318,10 @@ advisories:
             componentType: apk
             componentLocation: /.PKGINFO
             scanner: grype
+      - timestamp: 2025-12-09T11:45:07Z
+        type: pending-upstream-fix
+        data:
+          note: 'Upstream are actively working on, and have a PR open regarding this issue. Upstream maintainers will need to approve and merge the PR. Fix PR: https://github.com/python/cpython/pull/142211'
   - id: CGA-mfwm-8c36-vh8v
     aliases:
diff --git a/python-3.13.advisories.yaml b/python-3.13.advisories.yaml
index 574f853178..718902b6b3 100644
--- a/python-3.13.advisories.yaml
+++ b/python-3.13.advisories.yaml
@@ -21,6 +21,10 @@ advisories:
             componentType: apk
             componentLocation: /.PKGINFO
             scanner: grype
+      - timestamp: 2025-12-09T11:47:38Z
+        type: pending-upstream-fix
+        data:
+          note: 'Upstream has patched this, but has yet to release a new point version including the patch. Awaiting new release. Patch PR: https://github.com/python/cpython/pull/142210 We have included the patch locally in: https://github.com/wolfi-dev/os/pull/75288'
   - id: CGA-436m-hqqq-2cjw
     aliases:
diff --git a/python-3.14.advisories.yaml b/python-3.14.advisories.yaml
index b6d8a06a96..bc9f3567b9 100644
--- a/python-3.14.advisories.yaml
+++ b/python-3.14.advisories.yaml
@@ -43,6 +43,10 @@ advisories:
             componentType: apk
             componentLocation: /.PKGINFO
             scanner: grype
+      - timestamp: 2025-12-09T11:48:53Z
+        type: pending-upstream-fix
+        data:
+          note: 'Upstream has patched this, but has yet to release a new point version including the patch. Awaiting new release. Patch PR: https://github.com/python/cpython/pull/142209 We have included the patch locally in: https://github.com/wolfi-dev/os/pull/75289'
   - id: CGA-jfqg-3grj-8wm4
     aliases:
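Review bot: The note on the added event says the patch is already "included locally" (wolfi-dev/os#75289) while the event type remains `pending-upstream-fix`, which, as far as I recall of the advisory schema, keeps CVE-2025-12084 reported as open against the package; once that local PR merges and python-3.14 is rebuilt, a follow-up `fixed` event with the rebuilt `fixed-version` is required or scanners and the secdb will keep flagging a package that no longer carries the bug. The wording also runs two URLs into one sentence ("…/pull/142209 We have included…"), which some renderers join into a single link and which hides that the two PRs have different status. Suggest splitting it, e.g. `note: 'Upstream fix merged in https://github.com/python/cpython/pull/142209 but not yet in a 3.14 point release. Patch carried locally via https://github.com/wolfi-dev/os/pull/75289; a fixed event will be added once the rebuilt package ships.'`. The 3.13 hunk above has the identical wording and needs the same follow-up, and the subject's `python-3.1[0123]` glob omits this 3.14 file.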