python311-virtualenv-20.36.1-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2026:10055-1 Final 1 1 2026-01-15T00:00:00Z current 2026-01-15T00:00:00Z 2026-01-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z python311-virtualenv-20.36.1-1.1 on GA media These are all security issues fixed in the python311-virtualenv-20.36.1-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2026-10055 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2025-68146/ SUSE CVE CVE-2025-68146 page https://www.suse.com/security/cve/CVE-2026-22702/ SUSE CVE CVE-2026-22702 page openSUSE Tumbleweed python311-virtualenv-20.36.1-1.1 python312-virtualenv-20.36.1-1.1 python313-virtualenv-20.36.1-1.1 python311-virtualenv-20.36.1-1.1 as a component of openSUSE Tumbleweed python312-virtualenv-20.36.1-1.1 as a component of openSUSE Tumbleweed python313-virtualenv-20.36.1-1.1 as a component of openSUSE Tumbleweed filelock is a platform-independent file lock for Python. In versions prior to 3.20.1, a Time-of-Check-Time-of-Use (TOCTOU) race condition allows local attackers to corrupt or truncate arbitrary user files through symlink attacks. The vulnerability exists in both Unix and Windows lock file creation where filelock checks if a file exists before opening it with O_TRUNC. An attacker can create a symlink pointing to a victim file in the time gap between the check and open, causing os.open() to follow the symlink and truncate the target file. All users of filelock on Unix, Linux, macOS, and Windows systems are impacted. The vulnerability cascades to dependent libraries. The attack requires local filesystem access and ability to create symlinks (standard user permissions on Unix; Developer Mode on Windows 10+). Exploitation succeeds within 1-3 attempts when lock file paths are predictable. The issue is fixed in version 3.20.1. If immediate upgrade is not possible, use SoftFileLock instead of UnixFileLock/WindowsFileLock (note: different locking semantics, may not be suitable for all use cases); ensure lock file directories have restrictive permissions (chmod 0700) to prevent untrusted users from creating symlinks; and/or monitor lock file directories for suspicious symlinks before running trusted applications. These workarounds provide only partial mitigation. The race condition remains exploitable. Upgrading to version 3.20.1 is strongly recommended. CVE-2025-68146 openSUSE Tumbleweed:python311-virtualenv-20.36.1-1.1 openSUSE Tumbleweed:python312-virtualenv-20.36.1-1.1 openSUSE Tumbleweed:python313-virtualenv-20.36.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-68146.html CVE-2025-68146 https://bugzilla.suse.com/1255244 SUSE Bug 1255244 virtualenv is a tool for creating isolated virtual python environments. Prior to version 20.36.1, TOCTOU (Time-of-Check-Time-of-Use) vulnerabilities in virtualenv allow local attackers to perform symlink-based attacks on directory creation operations. An attacker with local access can exploit a race condition between directory existence checks and creation to redirect virtualenv's app_data and lock file operations to attacker-controlled locations. This issue has been patched in version 20.36.1. CVE-2026-22702 openSUSE Tumbleweed:python311-virtualenv-20.36.1-1.1 openSUSE Tumbleweed:python312-virtualenv-20.36.1-1.1 openSUSE Tumbleweed:python313-virtualenv-20.36.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2026-22702.html CVE-2026-22702 https://bugzilla.suse.com/1256458 SUSE Bug 1256458