Security update for python311, python-rpm-macros SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:20025-1 Final 1 1 2025-02-03T08:50:40Z current 2025-02-03T08:50:40Z 2025-02-03T08:50:40Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for python311, python-rpm-macros This update for python311, python-rpm-macros fixes the following issues: python311: - CVE-2024-0450: Fixed zipfile module vulnerability with "quoted-overlap" zipbomb (bsc#1221854) - CVE-2024-4032: Fixed incorrect IPv4 and IPv6 private ranges (bsc#1226448) - CVE-2024-0397: Fixed memory race condition in ssl.SSLContext certificate store methods (bsc#1226447) - CVE-2024-6923: Prevent email header injection due to unquoted newlines (bsc#1228780) - Fixed executable bits for /usr/bin/idle* (bsc#1227378). python-rpm-macros: - Update to version 20240618.c146b29: * Add %FLAVOR_pytest and %FLAVOR_pyunittest variants - Update to version 20240618.1e386da: * Fix python_clone sed regex - Update to version 20240614.02920b8: * Make sure that RPM_BUILD_ROOT env is set * don't eliminate any cmdline arguments in the shebang line * Create python313 macros - Update to version 20240415.c664b45: * Fix typo 310 -> 312 in default-prjconf - Update to version 20240202.501440e: * SPEC0: Drop python39, add python312 to buildset (#169) - Update to version 20231220.98427f3: * fix python2_compile macro - Update to version 20231207.46c2ec3: * make FLAVOR_compile compatible with python2 - Update to version 20231204.dd64e74: * Combine fix_shebang in one line * New macro FLAVOR_fix_shebang_path * Use realpath in %python_clone macro shebang replacement * Compile and fix_shebang in %python_install macros - Update to version 20231010.0a1f0d9: * Revert "Compile and fix_shebang in %python_install macros" * gh#openSUSE/python-rpm-macros#163 - Update to version 20231010.a32e110: * Compile and fix_shebang in %python_install macros - Update to version 20231005.bf2d3ab: * Fix shebang also in sbin with macro _fix_shebang The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-Micro-6.0-23 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-202520025-1/ Link for SUSE-SU-2025:20025-1 https://lists.suse.com/pipermail/sle-security-updates/2025-June/021358.html E-Mail link for SUSE-SU-2025:20025-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1174091 SUSE Bug 1174091 https://bugzilla.suse.com/1189495 SUSE Bug 1189495 https://bugzilla.suse.com/1221854 SUSE Bug 1221854 https://bugzilla.suse.com/1226447 SUSE Bug 1226447 https://bugzilla.suse.com/1226448 SUSE Bug 1226448 https://bugzilla.suse.com/1227378 SUSE Bug 1227378 https://bugzilla.suse.com/1228780 SUSE Bug 1228780 https://bugzilla.suse.com/831629 SUSE Bug 831629 https://www.suse.com/security/cve/CVE-2019-20907/ SUSE CVE CVE-2019-20907 page https://www.suse.com/security/cve/CVE-2019-9947/ SUSE CVE CVE-2019-9947 page https://www.suse.com/security/cve/CVE-2020-15523/ SUSE CVE CVE-2020-15523 page https://www.suse.com/security/cve/CVE-2020-15801/ SUSE CVE CVE-2020-15801 page https://www.suse.com/security/cve/CVE-2022-25236/ SUSE CVE CVE-2022-25236 page https://www.suse.com/security/cve/CVE-2023-52425/ SUSE CVE CVE-2023-52425 page https://www.suse.com/security/cve/CVE-2024-0397/ SUSE CVE CVE-2024-0397 page https://www.suse.com/security/cve/CVE-2024-0450/ SUSE CVE CVE-2024-0450 page https://www.suse.com/security/cve/CVE-2024-4032/ SUSE CVE CVE-2024-4032 page https://www.suse.com/security/cve/CVE-2024-6923/ SUSE CVE CVE-2024-6923 page SUSE Linux Micro 6.0 libpython3_11-1_0-3.11.8-3.1 python311-3.11.8-3.1 python311-base-3.11.8-3.1 python311-curses-3.11.8-3.1 libpython3_11-1_0-3.11.8-3.1 as a component of SUSE Linux Micro 6.0 python311-3.11.8-3.1 as a component of SUSE Linux Micro 6.0 python311-base-3.11.8-3.1 as a component of SUSE Linux Micro 6.0 python311-curses-3.11.8-3.1 as a component of SUSE Linux Micro 6.0 In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation. CVE-2019-20907 SUSE Linux Micro 6.0:libpython3_11-1_0-3.11.8-3.1 SUSE Linux Micro 6.0:python311-3.11.8-3.1 SUSE Linux Micro 6.0:python311-base-3.11.8-3.1 SUSE Linux Micro 6.0:python311-curses-3.11.8-3.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520025-1/ https://www.suse.com/security/cve/CVE-2019-20907.html CVE-2019-20907 https://bugzilla.suse.com/1174091 SUSE Bug 1174091 An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9. CVE-2019-9947 SUSE Linux Micro 6.0:libpython3_11-1_0-3.11.8-3.1 SUSE Linux Micro 6.0:python311-3.11.8-3.1 SUSE Linux Micro 6.0:python311-base-3.11.8-3.1 SUSE Linux Micro 6.0:python311-curses-3.11.8-3.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520025-1/ https://www.suse.com/security/cve/CVE-2019-9947.html CVE-2019-9947 https://bugzilla.suse.com/1130840 SUSE Bug 1130840 https://bugzilla.suse.com/1136184 SUSE Bug 1136184 https://bugzilla.suse.com/1155094 SUSE Bug 1155094 https://bugzilla.suse.com/1201559 SUSE Bug 1201559 In Python 3.6 through 3.6.10, 3.7 through 3.7.8, 3.8 through 3.8.4rc1, and 3.9 through 3.9.0b4 on Windows, a Trojan horse python3.dll might be used in cases where CPython is embedded in a native application. This occurs because python3X.dll may use an invalid search path for python3.dll loading (after Py_SetPath has been used). NOTE: this issue CANNOT occur when using python.exe from a standard (non-embedded) Python installation on Windows. CVE-2020-15523 SUSE Linux Micro 6.0:libpython3_11-1_0-3.11.8-3.1 SUSE Linux Micro 6.0:python311-3.11.8-3.1 SUSE Linux Micro 6.0:python311-base-3.11.8-3.1 SUSE Linux Micro 6.0:python311-curses-3.11.8-3.1 important 6.9 AV:L/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520025-1/ https://www.suse.com/security/cve/CVE-2020-15523.html CVE-2020-15523 https://bugzilla.suse.com/1173745 SUSE Bug 1173745 In Python 3.8.4, sys.path restrictions specified in a python38._pth file are ignored, allowing code to be loaded from arbitrary locations. The <executable-name>._pth file (e.g., the python._pth file) is not affected. CVE-2020-15801 SUSE Linux Micro 6.0:libpython3_11-1_0-3.11.8-3.1 SUSE Linux Micro 6.0:python311-3.11.8-3.1 SUSE Linux Micro 6.0:python311-base-3.11.8-3.1 SUSE Linux Micro 6.0:python311-curses-3.11.8-3.1 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520025-1/ https://www.suse.com/security/cve/CVE-2020-15801.html CVE-2020-15801 https://bugzilla.suse.com/1174241 SUSE Bug 1174241 xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs. CVE-2022-25236 SUSE Linux Micro 6.0:libpython3_11-1_0-3.11.8-3.1 SUSE Linux Micro 6.0:python311-3.11.8-3.1 SUSE Linux Micro 6.0:python311-base-3.11.8-3.1 SUSE Linux Micro 6.0:python311-curses-3.11.8-3.1 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520025-1/ https://www.suse.com/security/cve/CVE-2022-25236.html CVE-2022-25236 https://bugzilla.suse.com/1196025 SUSE Bug 1196025 https://bugzilla.suse.com/1196784 SUSE Bug 1196784 https://bugzilla.suse.com/1197217 SUSE Bug 1197217 https://bugzilla.suse.com/1200038 SUSE Bug 1200038 https://bugzilla.suse.com/1201735 SUSE Bug 1201735 libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed. CVE-2023-52425 SUSE Linux Micro 6.0:libpython3_11-1_0-3.11.8-3.1 SUSE Linux Micro 6.0:python311-3.11.8-3.1 SUSE Linux Micro 6.0:python311-base-3.11.8-3.1 SUSE Linux Micro 6.0:python311-curses-3.11.8-3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520025-1/ https://www.suse.com/security/cve/CVE-2023-52425.html CVE-2023-52425 https://bugzilla.suse.com/1219559 SUSE Bug 1219559 A defect was discovered in the Python "ssl" module where there is a memory race condition with the ssl.SSLContext methods "cert_store_stats()" and "get_ca_certs()". The race condition can be triggered if the methods are called at the same time as certificates are loaded into the SSLContext, such as during the TLS handshake with a certificate directory configured. This issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5. CVE-2024-0397 SUSE Linux Micro 6.0:libpython3_11-1_0-3.11.8-3.1 SUSE Linux Micro 6.0:python311-3.11.8-3.1 SUSE Linux Micro 6.0:python311-base-3.11.8-3.1 SUSE Linux Micro 6.0:python311-curses-3.11.8-3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520025-1/ https://www.suse.com/security/cve/CVE-2024-0397.html CVE-2024-0397 https://bugzilla.suse.com/1226447 SUSE Bug 1226447 An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The zipfile module is vulnerable to "quoted-overlap" zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive. CVE-2024-0450 SUSE Linux Micro 6.0:libpython3_11-1_0-3.11.8-3.1 SUSE Linux Micro 6.0:python311-3.11.8-3.1 SUSE Linux Micro 6.0:python311-base-3.11.8-3.1 SUSE Linux Micro 6.0:python311-curses-3.11.8-3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520025-1/ https://www.suse.com/security/cve/CVE-2024-0450.html CVE-2024-0450 https://bugzilla.suse.com/1221854 SUSE Bug 1221854 The "ipaddress" module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as "globally reachable" or "private". This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn't be returned in accordance with the latest information from the IANA Special-Purpose Address Registries. CPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior. CVE-2024-4032 SUSE Linux Micro 6.0:libpython3_11-1_0-3.11.8-3.1 SUSE Linux Micro 6.0:python311-3.11.8-3.1 SUSE Linux Micro 6.0:python311-base-3.11.8-3.1 SUSE Linux Micro 6.0:python311-curses-3.11.8-3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520025-1/ https://www.suse.com/security/cve/CVE-2024-4032.html CVE-2024-4032 https://bugzilla.suse.com/1226448 SUSE Bug 1226448 There is a MEDIUM severity vulnerability affecting CPython. The email module didn't properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized. CVE-2024-6923 SUSE Linux Micro 6.0:libpython3_11-1_0-3.11.8-3.1 SUSE Linux Micro 6.0:python311-3.11.8-3.1 SUSE Linux Micro 6.0:python311-base-3.11.8-3.1 SUSE Linux Micro 6.0:python311-curses-3.11.8-3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520025-1/ https://www.suse.com/security/cve/CVE-2024-6923.html CVE-2024-6923 https://bugzilla.suse.com/1228780 SUSE Bug 1228780