python311-ldap-3.4.5-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2025:16699 Final 1 1 2025-10-15T00:00:00Z current 2025-10-15T00:00:00Z 2025-10-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z python311-ldap-3.4.5-1.1 on GA media These are all security issues fixed in the python311-ldap-3.4.5-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2025-16699 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2025-61911/ SUSE CVE CVE-2025-61911 page https://www.suse.com/security/cve/CVE-2025-61912/ SUSE CVE CVE-2025-61912 page openSUSE Tumbleweed python311-ldap-3.4.5-1.1 python312-ldap-3.4.5-1.1 python313-ldap-3.4.5-1.1 python311-ldap-3.4.5-1.1 as a component of openSUSE Tumbleweed python312-ldap-3.4.5-1.1 as a component of openSUSE Tumbleweed python313-ldap-3.4.5-1.1 as a component of openSUSE Tumbleweed python-ldap is a lightweight directory access protocol (LDAP) client API for Python. In versions prior to 3.4.5, the sanitization method `ldap.filter.escape_filter_chars` can be tricked to skip escaping of special characters when a crafted `list` or `dict` is supplied as the `assertion_value` parameter, and the non-default `escape_mode=1` is configured. The method `ldap.filter.escape_filter_chars` supports 3 different escaping modes. `escape_mode=0` (default) and `escape_mode=2` happen to raise exceptions when a `list` or `dict` object is supplied as the `assertion_value` parameter. However, `escape_mode=1` computes without performing adequate logic to ensure a fully escaped return value. If an application relies on the vulnerable method in the `python-ldap` library to escape untrusted user input, an attacker might be able to abuse the vulnerability to launch ldap injection attacks which could potentially disclose or manipulate ldap data meant to be inaccessible to them. Version 3.4.5 fixes the issue by adding a type check at the start of the `ldap.filter.escape_filter_chars` method to raise an exception when the supplied `assertion_value` parameter is not of type `str`. CVE-2025-61911 openSUSE Tumbleweed:python311-ldap-3.4.5-1.1 openSUSE Tumbleweed:python312-ldap-3.4.5-1.1 openSUSE Tumbleweed:python313-ldap-3.4.5-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-61911.html CVE-2025-61911 https://bugzilla.suse.com/1251912 SUSE Bug 1251912 python-ldap is a lightweight directory access protocol (LDAP) client API for Python. In versions prior to 3.4.5, ldap.dn.escape_dn_chars() escapes \x00 incorrectly by emitting a backslash followed by a literal NUL byte instead of the RFC-4514 hex form \00. Any application that uses this helper to construct DNs from untrusted input can be made to consistently fail before a request is sent to the LDAP server (e.g., AD), resulting in a client-side denial of service. Version 3.4.5 contains a patch for the issue. CVE-2025-61912 openSUSE Tumbleweed:python311-ldap-3.4.5-1.1 openSUSE Tumbleweed:python312-ldap-3.4.5-1.1 openSUSE Tumbleweed:python313-ldap-3.4.5-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-61912.html CVE-2025-61912 https://bugzilla.suse.com/1251913 SUSE Bug 1251913