<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
  <DocumentTitle xml:lang="en">Security update for python311</DocumentTitle>
  <DocumentType>SUSE Patch</DocumentType>
  <DocumentPublisher Type="Vendor">
    <ContactDetails>security@suse.de</ContactDetails>
    <IssuingAuthority>SUSE Security Team</IssuingAuthority>
  </DocumentPublisher>
  <DocumentTracking>
    <Identification>
      <ID>SUSE-SU-2025:20154-1</ID>
    </Identification>
    <Status>Final</Status>
    <Version>1</Version>
    <RevisionHistory>
      <Revision>
        <Number>1</Number>
        <Date>2025-03-19T11:31:40Z</Date>
        <Description>current</Description>
      </Revision>
    </RevisionHistory>
    <InitialReleaseDate>2025-03-19T11:31:40Z</InitialReleaseDate>
    <CurrentReleaseDate>2025-03-19T11:31:40Z</CurrentReleaseDate>
    <Generator>
      <Engine>cve-database/bin/generate-cvrf.pl</Engine>
      <Date>2017-02-24T01:00:00Z</Date>
    </Generator>
  </DocumentTracking>
  <DocumentNotes>
    <Note Title="Topic" Type="Summary" Ordinal="1" xml:lang="en">Security update for python311</Note>
    <Note Title="Details" Type="General" Ordinal="2" xml:lang="en">This update for python311 fixes the following issues:

- Skip PGO with %want_reproducible_builds (bsc#1239210)

- CVE-2025-0938: Disallows square brackets ([ and ]) in domain names for parsed
  URLs (bsc#1236705).

- Configure externally_managed with a bcond (bsc#1228165).

- Update to 3.11.11:
  - Tools/Demos
    - gh-123418: Update GitHub CI workflows to use OpenSSL 3.0.15
      and multissltests to use 3.0.15, 3.1.7, and 3.2.3.
  - Tests
    - gh-125041: Re-enable skipped tests for zlib on the
      s390x architecture: only skip checks of the compressed
      bytes, which can be different between zlib’s software
      implementation and the hardware-accelerated implementation.
  - Security
    - gh-126623: Upgrade libexpat to 2.6.4
    - gh-122792: Changed IPv4-mapped ipaddress.IPv6Address to
      consistently use the mapped IPv4 address value for deciding
      properties. Properties which have their behavior fixed are
      is_multicast, is_reserved, is_link_local, is_global, and
      is_unspecified.
  - Library
    - gh-124651: Properly quote template strings in venv
      activation scripts (bsc#1232241, CVE-2024-9287).

- Remove -IVendor/ from python-config (bsc#1231795)

- CVE-2024-9287: Properly quote path names provided when creating a
  virtual environment (bsc#1232241)

- Drop .pyc files from docdir for reproducible builds
  (bsc#1230906).

- Update to 3.11.10:
  - Security
    - gh-123678: Upgrade libexpat to 2.6.3
    - gh-121957: Fixed missing audit events around interactive
      use of Python, now also properly firing for ``python -i``,
      as well as for ``python -m asyncio``. The event in question
      is ``cpython.run_stdin``.
    - gh-122133: Authenticate the socket connection for the
      ``socket.socketpair()`` fallback on platforms where
      ``AF_UNIX`` is not available like Windows. Patch by
      Gregory P. Smith &lt;greg@krypto.org&gt; and Seth Larson
      &lt;seth@python.org&gt;. Reported by Ellie &lt;el@horse64.org&gt;
    - gh-121285: Remove backtracking from tarfile header parsing
      for ``hdrcharset``, PAX, and GNU sparse headers
      (bsc#1230227, CVE-2024-6232).
    - gh-118486: :func:`os.mkdir` on Windows now accepts
      *mode* of ``0o700`` to restrict the new directory to
      the current user. This fixes CVE-2024-4030 affecting
      :func:`tempfile.mkdtemp` in scenarios where the base
      temporary directory is more permissive than the default.
    - gh-116741: Update bundled libexpat to 2.6.2
  - Library
    - gh-123270: Applied a more surgical fix for malformed
      payloads in :class:`zipfile.Path` causing infinite loops
      (gh-122905) without breaking contents using legitimate
      characters (bsc#1229704, CVE-2024-8088).
    - gh-123067: Fix quadratic complexity in parsing ``"``-quoted
      cookie values with backslashes by :mod:`http.cookies`
      (bsc#1229596, CVE-2024-7592).
    - gh-122905: :class:`zipfile.Path` objects now sanitize names
      from the zipfile.
    - gh-121650: :mod:`email` headers with embedded newlines are
      now quoted on output. The :mod:`~email.generator` will now
      refuse to serialize (write) headers that are unsafely folded
      or delimited; see :attr:`~email.policy.Policy.verify_generated_headers`.
      (Contributed by Bas Bloemsaat and Petr Viktorin in
      :gh:`121650`; CVE-2024-6923, bsc#1228780).
    - gh-119506: Fix the :meth:`!io.TextIOWrapper.write` method
      corrupting its internal buffer when it is called again while
      that buffer is being flushed.
    - gh-118643: Fix an AttributeError in the :mod:`email` module
      when re-folding a long address list. Also fix more cases of
      incorrect encoding of the address separator in the address
      list.
    - gh-113171: Fixed various false positives and false
      negatives in:
        * :attr:`ipaddress.IPv4Address.is_private`
          (see these docs for details)
        * :attr:`ipaddress.IPv4Address.is_global`
        * :attr:`ipaddress.IPv6Address.is_private`
        * :attr:`ipaddress.IPv6Address.is_global`
      Also in the corresponding :class:`ipaddress.IPv4Network` and
      :class:`ipaddress.IPv6Network` attributes.
      Fixes bsc#1226448 (CVE-2024-4032).
    - gh-102988: :func:`email.utils.getaddresses` and
      :func:`email.utils.parseaddr` now return ``('', '')``
      2-tuples in more situations where invalid email addresses
      are encountered instead of potentially inaccurate
      values. Add an optional *strict* parameter to these two
      functions: use ``strict=False`` to get the old behavior of
      accepting malformed inputs. ``getattr(email.utils,
      'supports_strict_parsing', False)`` can be used to check if
      the *strict* parameter is available. Patch by Thomas Dwyer
      and Victor Stinner to improve the CVE-2023-27043 fix
      (bsc#1210638).
    - gh-67693: Fix :func:`urllib.parse.urlunparse` and
      :func:`urllib.parse.urlunsplit` for URIs with path starting
      with multiple slashes and no authority. Based on patch by
      Ashwin Ramaswami.
  - Core and Builtins
    - gh-112275: A deadlock involving ``pystate.c``'s
      ``HEAD_LOCK`` in ``posixmodule.c`` at fork is now
      fixed. Patch by ChuBoning based on previous Python 3.12 fix
      by Victor Stinner.
    - gh-109120: Added handling of incorrect star expressions, e.g.
      ``f(3, *)``. Patch by Grigoryev Semyon


- CVE-2024-8088: Prevent a malformed payload from causing infinite loops in
  zipfile.Path (bsc#1229704).

- Make pip and modern tools install directly in /usr/local when used by the user
  (bsc#1225660).

- CVE-2024-4032: Fix rearranging definition of private vs. global IP addresses (bsc#1226448).

- Update to 3.11.9:
  * Security
    - gh-115398: Allow controlling Expat &gt;=2.6.0 reparse deferral
      (CVE-2023-52425, bsc#1219559) by adding five new methods:
        xml.etree.ElementTree.XMLParser.flush()
        xml.etree.ElementTree.XMLPullParser.flush()
        xml.parsers.expat.xmlparser.GetReparseDeferralEnabled()
        xml.parsers.expat.xmlparser.SetReparseDeferralEnabled()
        xml.sax.expatreader.ExpatParser.flush()
    - gh-115399: Update bundled libexpat to 2.6.0
    - gh-115243: Fix possible crashes in collections.deque.index()
      when the deque is concurrently modified.
    - gh-114572: ssl.SSLContext.cert_store_stats() and
      ssl.SSLContext.get_ca_certs() now correctly lock access to the
      certificate store, when the ssl.SSLContext is shared across
      multiple threads (bsc#1226447, CVE-2024-0397).
  * Core and Builtins
    - gh-116296: Fix possible refleak in object.__reduce__() internal
      error handling.
    - gh-116034: Fix location of the error on a failed assertion.
    - gh-115823: Properly calculate error ranges in the parser when
      raising SyntaxError exceptions caused by invalid byte sequences.
      Patch by Pablo Galindo
    - gh-112087: An empty reverse iterator for a list will now be
      reduced to reversed(). Patch by Donghee Na.
    - gh-115011: Setters for members with an unsigned integer type now
      support the same range of valid values for objects that have a
      __index__() method as for int.
    - gh-96497: Fix incorrect resolution of mangled class variables
      used in assignment expressions in comprehensions.
  * Library
    - gh-117310: Fixed an unlikely early &amp; extra Py_DECREF triggered
      crash in ssl when creating a new _ssl._SSLContext if CPython was
      built implausibly such that the default cipher list is empty or
      the SSL library it was linked against reports a failure from its
      C SSL_CTX_set_cipher_list() API.
    - gh-117178: Fix regression in lazy loading of self-referential
      modules, introduced in gh-114781.
    - gh-117084: Fix zipfile extraction for directory entries with the
      name containing backslashes on Windows.
    - gh-117110: Fix a bug that prevented subclasses of typing.Any from
      being instantiated with arguments. Patch by Chris Fu.
    - gh-90872: On Windows, subprocess.Popen.wait() no longer calls
      WaitForSingleObject() with a negative timeout: pass 0 ms if the
      timeout is negative. Patch by Victor Stinner.
    - gh-116957: configparser: Don’t leave ConfigParser values in an
      invalid state (stored as a list instead of a str) after an
      earlier read raised DuplicateSectionError or
      DuplicateOptionError.
    - gh-90095: Ignore empty lines and comments in .pdbrc
    - gh-116764: Restore support of None and other false values in
      urllib.parse functions parse_qs() and parse_qsl(). Also, they
      now raise a TypeError for non-zero integers and non-empty
      sequences.
    - gh-116811: In PathFinder.invalidate_caches, delegate to
      MetadataPathFinder.invalidate_caches.
    - gh-116600: Fix repr() for global Flag members.
    - gh-116484: Change automatically generated tkinter.Checkbutton
      widget names to avoid collisions with automatically generated
      tkinter.ttk.Checkbutton widget names within the same parent
      widget.
    - gh-116401: Fix blocking os.fwalk() and shutil.rmtree() on
      opening named pipe.
    - gh-116143: Fix a race in pydoc _start_server, eliminating a
      window in which _start_server can return a thread that is
      “serving” but without a docserver set.
    - gh-116325: typing: raise SyntaxError instead of AttributeError
      on forward references as empty strings.
    - gh-90535: Fix support of interval values &gt; 1 in
      logging.TimedRotatingFileHandler for when='MIDNIGHT' and
      when='Wx'.
    - gh-115978: Disable preadv(), readv(), pwritev(), and writev() on
      WASI. Under wasmtime for WASI 0.2, these functions don’t pass
      test_posix
      (https://github.com/bytecodealliance/wasmtime/issues/7830).
    - gh-88352: Fix the computation of the next rollover time in the
      logging.TimedRotatingFileHandler handler. computeRollover() now
      always returns a timestamp larger than the specified time and
      works correctly during the DST change. doRollover() no longer
      overwrites the already rolled over file, preventing data loss
      when run at midnight or during the repeated time at the DST change.
    - gh-87115: Set __main__.__spec__ to None when running a script
      with pdb
    - gh-76511: Fix UnicodeEncodeError in email.Message.as_string()
      that results when a message that claims to be in the ascii
      character set actually has non-ascii characters. Non-ascii
      characters are now replaced with the U+FFFD replacement
      character, like in the replace error handler.
    - gh-75988: Fixed unittest.mock.create_autospec() to pass the call
      through to the wrapped object to return the real result.
    - gh-115881: Fix issue where ast.parse() would incorrectly flag
      conditional context managers (such as with (x() if y else z()):
      ...) as invalid syntax if feature_version=(3, 8) was passed.
      This reverts changes to the grammar made as part of gh-94949.
    - gh-115886: Fix silent truncation of the name with an embedded
      null character in multiprocessing.shared_memory.SharedMemory.
    - gh-115809: Improve algorithm for computing which rolled-over log
      files to delete in logging.TimedRotatingFileHandler. It is now
      reliable for handlers without a namer and with an arbitrary
      deterministic namer that leaves the datetime part of the file
      name unmodified.
    - gh-74668: urllib.parse functions parse_qs() and parse_qsl() now
      support bytes arguments containing raw and percent-encoded
      non-ASCII data.
    - gh-67044: csv.writer() now always quotes or escapes '\r' and
      '\n', regardless of lineterminator value.
    - gh-115712: csv.writer() now quotes empty fields if delimiter is
      a space and skipinitialspace is true, and raises an exception if
      quoting is not possible.
    - gh-115618: Fix improperly decreasing the reference count for the
      None argument in property methods getter(), setter() and deleter().
    - gh-115570: A DeprecationWarning is no longer emitted on access
      to the __doc__ attributes of the deprecated typing.io and
      typing.re pseudo-modules.
    - gh-112006: Fix inspect.unwrap() for types with the __wrapper__
      data descriptor.
    - gh-101293: Support callables with the __call__() method and
      types with __new__() and __init__() methods set to class
      methods, static methods, bound methods, partial functions, and
      other types of methods and descriptors in
      inspect.Signature.from_callable().
    - gh-115392: Fix a bug in doctest where incorrect line numbers
      would be reported for decorated functions.
    - gh-114563: Fix several format() bugs when using the C
      implementation of Decimal:
        * memory leak in some rare cases when using the z format
          option (coerce negative 0)
        * incorrect output when applying the z format option to
          type F (fixed-point with capital NAN / INF)
        * incorrect output when applying the # format option
          (alternate form)
    - gh-115197: urllib.request no longer resolves the hostname before
      checking it against the system’s proxy bypass list on macOS and
      Windows.
    - gh-115198: Fix support of Docutils &gt;= 0.19 in distutils.
    - gh-115165: Most exceptions are now ignored when attempting to
      set the __orig_class__ attribute on objects returned when
      calling typing generic aliases (including generic aliases
      created using typing.Annotated). Previously only AttributeError
      was ignored. Patch by Dave Shawley.
    - gh-115133: Fix tests for XMLPullParser with Expat 2.6.0.
    - gh-115059: io.BufferedRandom.read1() now flushes the underlying
      write buffer.
    - gh-79382: Trailing ** no longer matches files and non-existing
      paths in recursive glob().
    - gh-114763: Protect modules loaded with importlib.util.LazyLoader
      from race conditions when multiple threads try to access
      attributes before the loading is complete.
    - gh-97959: Fix rendering class methods, bound methods, method and
      function aliases in pydoc. Class methods no longer have “method
      of builtins.type instance” note. Corresponding notes are now
      added for class and unbound methods. Method and function aliases
      now have references to the module or the class where the origin
      was defined if it differs from the current. Bound methods are
      now listed in the static methods section. Methods of builtin
      classes are now supported as well as methods of Python classes.
    - gh-112281: Allow creating union of types for typing.Annotated
      with unhashable metadata.
    - gh-111775: Fix importlib.resources.simple.ResourceHandle.open()
      for text mode, adding the missing stream argument.
    - gh-90095: Make .pdbrc and -c work with any valid pdb commands.
    - gh-107155: Fix incorrect output of help(x) where x is a lambda
      function, which has an __annotations__ dictionary attribute with
      a "return" key.
    - gh-105866: Fixed _get_slots bug which caused error when defining
      dataclasses with slots and a weakref_slot.
    - gh-60346: Fix ArgumentParser inconsistent with parse_known_args.
    - gh-100985: Update HTTPSConnection to consistently wrap IPv6
      Addresses when using a proxy.
    - gh-100884: email: fix misfolding of comma in address-lists
      over multiple lines in combination with unicode encoding
      (bsc#1238450 CVE-2025-1795)
    - gh-95782: Fix io.BufferedReader.tell(),
      io.BufferedReader.seek(), _pyio.BufferedReader.tell(),
      io.BufferedRandom.tell(), io.BufferedRandom.seek() and
      _pyio.BufferedRandom.tell() being able to return negative
      offsets.
    - gh-96310: Fix a traceback in argparse when all options in a
      mutually exclusive group are suppressed.
    - gh-93205: Fixed a bug in
      logging.handlers.TimedRotatingFileHandler where multiple
      rotating handler instances pointing to files with the same name
      but different extensions would conflict and not delete the
      correct files.
    - bpo-44865: Add missing call to localization function in
      argparse.
    - bpo-43952: Fix multiprocessing.connection.Listener.accept() to
      accept empty bytes as authkey. Not accepting empty bytes as key
      causes it to hang indefinitely.
    - bpo-42125: linecache: get module name from __spec__ if
      available. This allows getting source code for the __main__
      module when a custom loader is used.
    - gh-66543: Make mimetypes.guess_type() properly parse URLs
      with only a host name, URLs containing a fragment or query, and
      filenames with only a UNC sharepoint on Windows. Based on patch
      by Dong-hee Na.
    - bpo-33775: Add ‘default’ and ‘version’ help text for
      localization in argparse.
  * Documentation
    - gh-115399: Document CVE-2023-52425 of Expat &lt;2.6.0 under “XML
      vulnerabilities”.
    - gh-115233: Fix an example for LoggerAdapter in the Logging
      Cookbook.
  * Tests
    - gh-83434: Disable JUnit XML output (--junit-xml=FILE command
      line option) in regrtest when hunting for reference leaks (-R
      option). Patch by Victor Stinner.
    - gh-117187: Fix XML tests for vanilla Expat &lt;2.6.0.
    - gh-115979: Update test_importlib so that it passes under WASI
      SDK 21.
    - gh-116307: Added import helper isolated_modules as CleanImport
      does not remove modules imported during the context.
    - gh-115720: Leak tests (-R, --huntrleaks) now show a summary of
      the number of leaks found in each iteration.
    - gh-115122: Add --bisect option to regrtest test runner: run
      failed tests with test.bisect_cmd to identify failing tests.
      Patch by Victor Stinner.
    - gh-115596: Fix ProgramPriorityTests in test_os permanently
      changing the process priority.
    - gh-115198: Fix test_check_metadata_deprecate in distutils tests
      with a newer Docutils.
  * Build
    - gh-116313: Get WASI builds to work under wasmtime 18 w/ WASI
      0.2/preview2 primitives.
    - gh-115167: Avoid vendoring vcruntime140_threads.dll when
      building with Visual Studio 2022 version 17.8.
  * Windows
    - gh-116773: Fix instances of "&lt;_overlapped.Overlapped object at
      0xXXX&gt; still has pending operation at deallocation, the process
      may crash".
    - gh-91227: Fix the asyncio ProactorEventLoop implementation so
      that sending a datagram to an address that is not listening does
      not prevent receiving any more datagrams.
    - gh-115554: The installer now has more strict rules about
      updating the Python Launcher for Windows. In general, most users
      only have a single launcher installed and will see no
      difference. When multiple launchers have been installed, the
      option to install the launcher is disabled until all but one
      have been removed. Downgrading the launcher (which was never
      allowed) is now more obviously blocked.
    - gh-115543: Python Launcher for Windows can now detect Python
      3.13 when installed from the Microsoft Store, and will install
      Python 3.12 by default when PYLAUNCHER_ALLOW_INSTALL is set.
    - gh-115009: Update Windows installer to use SQLite 3.45.1.
  * IDLE
    - gh-88516: On macOS show a proxy icon in the title bar of editor
      windows to match platform behaviour.
  * Tools/Demos
    - gh-113516: Don’t set LDSHARED when building for WASI.
  * C API
    - gh-117021: Fix integer overflow in PyLong_AsPid() on non-Windows
      64-bit platforms.

- Add reference to CVE-2024-0450 (bsc#1221854) to changelog.
</Note>
    <Note Title="Terms of Use" Type="Legal Disclaimer" Ordinal="3" xml:lang="en">The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).</Note>
    <Note Title="Patchnames" Type="Details" Ordinal="4" xml:lang="en">SUSE-SLE-Micro-6.0-253</Note>
  </DocumentNotes>
  <DocumentDistribution xml:lang="en">Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0)</DocumentDistribution>
  <DocumentReferences>
    <Reference Type="Self">
      <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520154-1/</URL>
      <Description>Link for SUSE-SU-2025:20154-1</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://lists.suse.com/pipermail/sle-security-updates/2025-June/021184.html</URL>
      <Description>E-Mail link for SUSE-SU-2025:20154-1</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/support/security/rating/</URL>
      <Description>SUSE Security Ratings</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1174091</URL>
      <Description>SUSE Bug 1174091</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1210638</URL>
      <Description>SUSE Bug 1210638</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1219559</URL>
      <Description>SUSE Bug 1219559</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1219666</URL>
      <Description>SUSE Bug 1219666</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1221854</URL>
      <Description>SUSE Bug 1221854</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1225660</URL>
      <Description>SUSE Bug 1225660</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1226447</URL>
      <Description>SUSE Bug 1226447</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1226448</URL>
      <Description>SUSE Bug 1226448</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1227378</URL>
      <Description>SUSE Bug 1227378</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1227999</URL>
      <Description>SUSE Bug 1227999</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1228165</URL>
      <Description>SUSE Bug 1228165</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1228780</URL>
      <Description>SUSE Bug 1228780</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1229596</URL>
      <Description>SUSE Bug 1229596</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1229704</URL>
      <Description>SUSE Bug 1229704</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1230227</URL>
      <Description>SUSE Bug 1230227</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1230906</URL>
      <Description>SUSE Bug 1230906</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1231795</URL>
      <Description>SUSE Bug 1231795</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1232241</URL>
      <Description>SUSE Bug 1232241</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1236705</URL>
      <Description>SUSE Bug 1236705</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1238450</URL>
      <Description>SUSE Bug 1238450</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1239210</URL>
      <Description>SUSE Bug 1239210</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/831629</URL>
      <Description>SUSE Bug 831629</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2019-20907/</URL>
      <Description>SUSE CVE CVE-2019-20907 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2019-9947/</URL>
      <Description>SUSE CVE CVE-2019-9947 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2020-15523/</URL>
      <Description>SUSE CVE CVE-2020-15523 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2020-15801/</URL>
      <Description>SUSE CVE CVE-2020-15801 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2022-25236/</URL>
      <Description>SUSE CVE CVE-2022-25236 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2023-27043/</URL>
      <Description>SUSE CVE CVE-2023-27043 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2023-52425/</URL>
      <Description>SUSE CVE CVE-2023-52425 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2023-6597/</URL>
      <Description>SUSE CVE CVE-2023-6597 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2024-0397/</URL>
      <Description>SUSE CVE CVE-2024-0397 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2024-0450/</URL>
      <Description>SUSE CVE CVE-2024-0450 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2024-4030/</URL>
      <Description>SUSE CVE CVE-2024-4030 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2024-4032/</URL>
      <Description>SUSE CVE CVE-2024-4032 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2024-6232/</URL>
      <Description>SUSE CVE CVE-2024-6232 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2024-6923/</URL>
      <Description>SUSE CVE CVE-2024-6923 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2024-7592/</URL>
      <Description>SUSE CVE CVE-2024-7592 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2024-8088/</URL>
      <Description>SUSE CVE CVE-2024-8088 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2024-9287/</URL>
      <Description>SUSE CVE CVE-2024-9287 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-0938/</URL>
      <Description>SUSE CVE CVE-2025-0938 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-1795/</URL>
      <Description>SUSE CVE CVE-2025-1795 page</Description>
    </Reference>
  </DocumentReferences>
  <ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
    <Branch Type="Product Family" Name="SUSE Linux Micro 6.0">
      <Branch Type="Product Name" Name="SUSE Linux Micro 6.0">
        <FullProductName ProductID="SUSE Linux Micro 6.0" CPE="cpe:/o:suse:sl-micro:6.0">SUSE Linux Micro 6.0</FullProductName>
      </Branch>
    </Branch>
    <Branch Type="Product Version" Name="libpython3_11-1_0-3.11.11-1.1">
      <FullProductName ProductID="libpython3_11-1_0-3.11.11-1.1">libpython3_11-1_0-3.11.11-1.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="python311-3.11.11-1.1">
      <FullProductName ProductID="python311-3.11.11-1.1">python311-3.11.11-1.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="python311-base-3.11.11-1.1">
      <FullProductName ProductID="python311-base-3.11.11-1.1">python311-base-3.11.11-1.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="python311-curses-3.11.11-1.1">
      <FullProductName ProductID="python311-curses-3.11.11-1.1">python311-curses-3.11.11-1.1</FullProductName>
    </Branch>
    <Relationship ProductReference="libpython3_11-1_0-3.11.11-1.1" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Micro 6.0">
      <FullProductName ProductID="SUSE Linux Micro 6.0:libpython3_11-1_0-3.11.11-1.1">libpython3_11-1_0-3.11.11-1.1 as a component of SUSE Linux Micro 6.0</FullProductName>
    </Relationship>
    <Relationship ProductReference="python311-3.11.11-1.1" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Micro 6.0">
      <FullProductName ProductID="SUSE Linux Micro 6.0:python311-3.11.11-1.1">python311-3.11.11-1.1 as a component of SUSE Linux Micro 6.0</FullProductName>
    </Relationship>
    <Relationship ProductReference="python311-base-3.11.11-1.1" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Micro 6.0">
      <FullProductName ProductID="SUSE Linux Micro 6.0:python311-base-3.11.11-1.1">python311-base-3.11.11-1.1 as a component of SUSE Linux Micro 6.0</FullProductName>
    </Relationship>
    <Relationship ProductReference="python311-curses-3.11.11-1.1" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Micro 6.0">
      <FullProductName ProductID="SUSE Linux Micro 6.0:python311-curses-3.11.11-1.1">python311-curses-3.11.11-1.1 as a component of SUSE Linux Micro 6.0</FullProductName>
    </Relationship>
  </ProductTree>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.</Note>
    </Notes>
    <CVE>CVE-2019-20907</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.0:libpython3_11-1_0-3.11.11-1.1</ProductID>
        <ProductID>SUSE Linux Micro 6.0:python311-3.11.11-1.1</ProductID>
        <ProductID>SUSE Linux Micro 6.0:python311-base-3.11.11-1.1</ProductID>
        <ProductID>SUSE Linux Micro 6.0:python311-curses-3.11.11-1.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>5</BaseScore>
        <Vector>AV:N/AC:L/Au:N/C:N/I:N/A:P</Vector>
      </ScoreSet>
    </CVSSScoreSets>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520154-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2019-20907.html</URL>
        <Description>CVE-2019-20907</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1174091</URL>
        <Description>SUSE Bug 1174091</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="2">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.</Note>
    </Notes>
    <CVE>CVE-2019-9947</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.0:libpython3_11-1_0-3.11.11-1.1</ProductID>
        <ProductID>SUSE Linux Micro 6.0:python311-3.11.11-1.1</ProductID>
        <ProductID>SUSE Linux Micro 6.0:python311-base-3.11.11-1.1</ProductID>
        <ProductID>SUSE Linux Micro 6.0:python311-curses-3.11.11-1.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>4.3</BaseScore>
        <Vector>AV:N/AC:M/Au:N/C:N/I:P/A:N</Vector>
      </ScoreSet>
    </CVSSScoreSets>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520154-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2019-9947.html</URL>
        <Description>CVE-2019-9947</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1130840</URL>
        <Description>SUSE Bug 1130840</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1136184</URL>
        <Description>SUSE Bug 1136184</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1155094</URL>
        <Description>SUSE Bug 1155094</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1201559</URL>
        <Description>SUSE Bug 1201559</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="3">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In Python 3.6 through 3.6.10, 3.7 through 3.7.8, 3.8 through 3.8.4rc1, and 3.9 through 3.9.0b4 on Windows, a Trojan horse python3.dll might be used in cases where CPython is embedded in a native application. This occurs because python3X.dll may use an invalid search path for python3.dll loading (after Py_SetPath has been used). NOTE: this issue CANNOT occur when using python.exe from a standard (non-embedded) Python installation on Windows.</Note>
    </Notes>
    <CVE>CVE-2020-15523</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.0:libpython3_11-1_0-3.11.11-1.1</ProductID>
        <ProductID>SUSE Linux Micro 6.0:python311-3.11.11-1.1</ProductID>
        <ProductID>SUSE Linux Micro 6.0:python311-base-3.11.11-1.1</ProductID>
        <ProductID>SUSE Linux Micro 6.0:python311-curses-3.11.11-1.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>6.9</BaseScore>
        <Vector>AV:L/AC:M/Au:N/C:C/I:C/A:C</Vector>
      </ScoreSet>
    </CVSSScoreSets>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520154-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2020-15523.html</URL>
        <Description>CVE-2020-15523</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1173745</URL>
        <Description>SUSE Bug 1173745</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="4">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In Python 3.8.4, sys.path restrictions specified in a python38._pth file are ignored, allowing code to be loaded from arbitrary locations. The &lt;executable-name&gt;._pth file (e.g., the python._pth file) is not affected.</Note>
    </Notes>
    <CVE>CVE-2020-15801</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.0:libpython3_11-1_0-3.11.11-1.1</ProductID>
        <ProductID>SUSE Linux Micro 6.0:python311-3.11.11-1.1</ProductID>
        <ProductID>SUSE Linux Micro 6.0:python311-base-3.11.11-1.1</ProductID>
        <ProductID>SUSE Linux Micro 6.0:python311-curses-3.11.11-1.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>critical</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>7.5</BaseScore>
        <Vector>AV:N/AC:L/Au:N/C:P/I:P/A:P</Vector>
      </ScoreSet>
    </CVSSScoreSets>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520154-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2020-15801.html</URL>
        <Description>CVE-2020-15801</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1174241</URL>
        <Description>SUSE Bug 1174241</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="5">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs.</Note>
    </Notes>
    <CVE>CVE-2022-25236</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.0:libpython3_11-1_0-3.11.11-1.1</ProductID>
        <ProductID>SUSE Linux Micro 6.0:python311-3.11.11-1.1</ProductID>
        <ProductID>SUSE Linux Micro 6.0:python311-base-3.11.11-1.1</ProductID>
        <ProductID>SUSE Linux Micro 6.0:python311-curses-3.11.11-1.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>7.5</BaseScore>
        <Vector>AV:N/AC:L/Au:N/C:P/I:P/A:P</Vector>
      </ScoreSet>
    </CVSSScoreSets>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520154-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2022-25236.html</URL>
        <Description>CVE-2022-25236</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1196025</URL>
        <Description>SUSE Bug 1196025</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1196784</URL>
        <Description>SUSE Bug 1196784</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1197217</URL>
        <Description>SUSE Bug 1197217</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1200038</URL>
        <Description>SUSE Bug 1200038</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1201735</URL>
        <Description>SUSE Bug 1201735</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="6">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.</Note>
    </Notes>
    <CVE>CVE-2023-27043</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.0:libpython3_11-1_0-3.11.11-1.1</ProductID>
        <ProductID>SUSE Linux Micro 6.0:python311-3.11.11-1.1</ProductID>
        <ProductID>SUSE Linux Micro 6.0:python311-base-3.11.11-1.1</ProductID>
        <ProductID>SUSE Linux Micro 6.0:python311-curses-3.11.11-1.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520154-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2023-27043.html</URL>
        <Description>CVE-2023-27043</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1210638</URL>
        <Description>SUSE Bug 1210638</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1222537</URL>
        <Description>SUSE Bug 1222537</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="7">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.</Note>
    </Notes>
    <CVE>CVE-2023-52425</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.0:libpython3_11-1_0-3.11.11-1.1</ProductID>
        <ProductID>SUSE Linux Micro 6.0:python311-3.11.11-1.1</ProductID>
        <ProductID>SUSE Linux Micro 6.0:python311-base-3.11.11-1.1</ProductID>
        <ProductID>SUSE Linux Micro 6.0:python311-curses-3.11.11-1.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520154-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2023-52425.html</URL>
        <Description>CVE-2023-52425</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1219559</URL>
        <Description>SUSE Bug 1219559</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="8">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">An issue was found in the CPython `tempfile.TemporaryDirectory` class affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.

The tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users who can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances.</Note>
    </Notes>
    <CVE>CVE-2023-6597</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.0:libpython3_11-1_0-3.11.11-1.1</ProductID>
        <ProductID>SUSE Linux Micro 6.0:python311-3.11.11-1.1</ProductID>
        <ProductID>SUSE Linux Micro 6.0:python311-base-3.11.11-1.1</ProductID>
        <ProductID>SUSE Linux Micro 6.0:python311-curses-3.11.11-1.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520154-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2023-6597.html</URL>
        <Description>CVE-2023-6597</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1219666</URL>
        <Description>SUSE Bug 1219666</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1221854</URL>
        <Description>SUSE Bug 1221854</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1224879</URL>
        <Description>SUSE Bug 1224879</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1225185</URL>
        <Description>SUSE Bug 1225185</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="9">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A defect was discovered in the Python "ssl" module where there is a memory
race condition with the ssl.SSLContext methods "cert_store_stats()" and
"get_ca_certs()". The race condition can be triggered if the methods are
called at the same time as certificates are loaded into the SSLContext,
such as during the TLS handshake with a certificate directory configured.
This issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5.</Note>
    </Notes>
    <CVE>CVE-2024-0397</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.0:libpython3_11-1_0-3.11.11-1.1</ProductID>
        <ProductID>SUSE Linux Micro 6.0:python311-3.11.11-1.1</ProductID>
        <ProductID>SUSE Linux Micro 6.0:python311-base-3.11.11-1.1</ProductID>
        <ProductID>SUSE Linux Micro 6.0:python311-curses-3.11.11-1.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520154-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2024-0397.html</URL>
        <Description>CVE-2024-0397</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1226447</URL>
        <Description>SUSE Bug 1226447</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="10">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.

The zipfile module is vulnerable to "quoted-overlap" zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython make the zipfile module reject zip archives which overlap entries in the archive.</Note>
    </Notes>
    <CVE>CVE-2024-0450</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.0:libpython3_11-1_0-3.11.11-1.1</ProductID>
        <ProductID>SUSE Linux Micro 6.0:python311-3.11.11-1.1</ProductID>
        <ProductID>SUSE Linux Micro 6.0:python311-base-3.11.11-1.1</ProductID>
        <ProductID>SUSE Linux Micro 6.0:python311-curses-3.11.11-1.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520154-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2024-0450.html</URL>
        <Description>CVE-2024-0450</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1221854</URL>
        <Description>SUSE Bug 1221854</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="11">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">On Windows a directory returned by tempfile.mkdtemp() would not always have permissions set to restrict reading and writing to the temporary directory by other users, instead usually inheriting the correct permissions from the default location. Alternate configurations or users without a profile directory may not have the intended permissions.

If you're not using Windows or haven't changed the temporary directory location then you aren't affected by this vulnerability. On other platforms the returned directory is consistently readable and writable only by the current user.

This issue was caused by Python not supporting Unix permissions on Windows. The fix adds support for Unix "700" for the mkdir function on Windows which is used by mkdtemp() to ensure the newly created directory has the proper permissions.</Note>
    </Notes>
    <CVE>CVE-2024-4030</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.0:libpython3_11-1_0-3.11.11-1.1</ProductID>
        <ProductID>SUSE Linux Micro 6.0:python311-3.11.11-1.1</ProductID>
        <ProductID>SUSE Linux Micro 6.0:python311-base-3.11.11-1.1</ProductID>
        <ProductID>SUSE Linux Micro 6.0:python311-curses-3.11.11-1.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520154-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2024-4030.html</URL>
        <Description>CVE-2024-4030</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1227152</URL>
        <Description>SUSE Bug 1227152</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="12">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">The "ipaddress" module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as "globally reachable" or "private". This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn't be returned in accordance with the latest information from the IANA Special-Purpose Address Registries.

CPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior.</Note>
    </Notes>
    <CVE>CVE-2024-4032</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.0:libpython3_11-1_0-3.11.11-1.1</ProductID>
        <ProductID>SUSE Linux Micro 6.0:python311-3.11.11-1.1</ProductID>
        <ProductID>SUSE Linux Micro 6.0:python311-base-3.11.11-1.1</ProductID>
        <ProductID>SUSE Linux Micro 6.0:python311-curses-3.11.11-1.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>low</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520154-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2024-4032.html</URL>
        <Description>CVE-2024-4032</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1226448</URL>
        <Description>SUSE Bug 1226448</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="13">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">There is a MEDIUM severity vulnerability affecting CPython.
Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.</Note>
    </Notes>
    <CVE>CVE-2024-6232</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.0:libpython3_11-1_0-3.11.11-1.1</ProductID>
        <ProductID>SUSE Linux Micro 6.0:python311-3.11.11-1.1</ProductID>
        <ProductID>SUSE Linux Micro 6.0:python311-base-3.11.11-1.1</ProductID>
        <ProductID>SUSE Linux Micro 6.0:python311-curses-3.11.11-1.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520154-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2024-6232.html</URL>
        <Description>CVE-2024-6232</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1230227</URL>
        <Description>SUSE Bug 1230227</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="14">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">There is a MEDIUM severity vulnerability affecting CPython.

The email module didn't properly quote newlines for email headers when serializing an email message, allowing for header injection when an email is serialized.</Note>
    </Notes>
    <CVE>CVE-2024-6923</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.0:libpython3_11-1_0-3.11.11-1.1</ProductID>
        <ProductID>SUSE Linux Micro 6.0:python311-3.11.11-1.1</ProductID>
        <ProductID>SUSE Linux Micro 6.0:python311-base-3.11.11-1.1</ProductID>
        <ProductID>SUSE Linux Micro 6.0:python311-curses-3.11.11-1.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520154-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2024-6923.html</URL>
        <Description>CVE-2024-6923</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1228780</URL>
        <Description>SUSE Bug 1228780</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="15">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">There is a LOW severity vulnerability affecting CPython, specifically the
'http.cookies' standard library module.
When parsing cookies that contained backslashes for quoted characters in
the cookie value, the parser would use an algorithm with quadratic
complexity, resulting in excess CPU resources being used while parsing the
value.</Note>
    </Notes>
    <CVE>CVE-2024-7592</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.0:libpython3_11-1_0-3.11.11-1.1</ProductID>
        <ProductID>SUSE Linux Micro 6.0:python311-3.11.11-1.1</ProductID>
        <ProductID>SUSE Linux Micro 6.0:python311-base-3.11.11-1.1</ProductID>
        <ProductID>SUSE Linux Micro 6.0:python311-curses-3.11.11-1.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520154-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2024-7592.html</URL>
        <Description>CVE-2024-7592</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1229596</URL>
        <Description>SUSE Bug 1229596</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="16">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">There is a HIGH severity vulnerability affecting the CPython "zipfile"
module affecting "zipfile.Path". Note that the more common API "zipfile.ZipFile" class is unaffected.
When iterating over names of entries in a zip archive (for example, methods
of "zipfile.Path" like "namelist()", "iterdir()", etc)
the process can be put into an infinite loop with a maliciously crafted
zip archive. This defect applies when reading only metadata or extracting
the contents of the zip archive. Programs that are not handling
user-controlled zip archives are not affected.</Note>
    </Notes>
    <CVE>CVE-2024-8088</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.0:libpython3_11-1_0-3.11.11-1.1</ProductID>
        <ProductID>SUSE Linux Micro 6.0:python311-3.11.11-1.1</ProductID>
        <ProductID>SUSE Linux Micro 6.0:python311-base-3.11.11-1.1</ProductID>
        <ProductID>SUSE Linux Micro 6.0:python311-curses-3.11.11-1.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520154-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2024-8088.html</URL>
        <Description>CVE-2024-8088</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1229704</URL>
        <Description>SUSE Bug 1229704</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="17">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts (i.e. "source venv/bin/activate"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (i.e. "./venv/bin/python") are not affected.</Note>
    </Notes>
    <CVE>CVE-2024-9287</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.0:libpython3_11-1_0-3.11.11-1.1</ProductID>
        <ProductID>SUSE Linux Micro 6.0:python311-3.11.11-1.1</ProductID>
        <ProductID>SUSE Linux Micro 6.0:python311-base-3.11.11-1.1</ProductID>
        <ProductID>SUSE Linux Micro 6.0:python311-curses-3.11.11-1.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520154-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2024-9287.html</URL>
        <Description>CVE-2024-9287</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1232241</URL>
        <Description>SUSE Bug 1232241</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="18">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">The Python standard library functions `urllib.parse.urlsplit` and `urlparse` accepted domain names that included square brackets, which is not valid according to RFC 3986. Square brackets are only meant to be used as delimiters for specifying IPv6 and IPvFuture hosts in URLs. This could result in differential parsing between the Python URL parser and other specification-compliant URL parsers.</Note>
    </Notes>
    <CVE>CVE-2025-0938</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.0:libpython3_11-1_0-3.11.11-1.1</ProductID>
        <ProductID>SUSE Linux Micro 6.0:python311-3.11.11-1.1</ProductID>
        <ProductID>SUSE Linux Micro 6.0:python311-base-3.11.11-1.1</ProductID>
        <ProductID>SUSE Linux Micro 6.0:python311-curses-3.11.11-1.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520154-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-0938.html</URL>
        <Description>CVE-2025-0938</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1236705</URL>
        <Description>SUSE Bug 1236705</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="19">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">During address list folding, when a separating comma ends up on a folded line and that line is to be unicode-encoded, the separator itself is also unicode-encoded. The expected behavior is that the separating comma remains a plain comma. This can result in the address header being misinterpreted by some mail servers.</Note>
    </Notes>
    <CVE>CVE-2025-1795</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.0:libpython3_11-1_0-3.11.11-1.1</ProductID>
        <ProductID>SUSE Linux Micro 6.0:python311-3.11.11-1.1</ProductID>
        <ProductID>SUSE Linux Micro 6.0:python311-base-3.11.11-1.1</ProductID>
        <ProductID>SUSE Linux Micro 6.0:python311-curses-3.11.11-1.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520154-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-1795.html</URL>
        <Description>CVE-2025-1795</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1238450</URL>
        <Description>SUSE Bug 1238450</Description>
      </Reference>
    </References>
  </Vulnerability>
</cvrfdoc>
