Security update for python-ldap SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:3714-1 Final 1 1 2025-10-22T07:10:58Z current 2025-10-22T07:10:58Z 2025-10-22T07:10:58Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for python-ldap This update for python-ldap fixes the following issues: - CVE-2025-61911: Enforce str for escape_filter_chars (bsc#1251912). - CVE-2025-61912: Escape NULs as per RFC 4514 in escape_dn_chars (bsc#1251913). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Container suse/389-ds:latest-2025-3714,SUSE-2025-3714,SUSE-SLE-Module-Packagehub-Subpackages-15-SP6-2025-3714,openSUSE-SLE-15.6-2025-3714 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-20253714-1/ Link for SUSE-SU-2025:3714-1 https://lists.suse.com/pipermail/sle-security-updates/2025-October/022964.html E-Mail link for SUSE-SU-2025:3714-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1251912 SUSE Bug 1251912 https://bugzilla.suse.com/1251913 SUSE Bug 1251913 https://www.suse.com/security/cve/CVE-2025-61911/ SUSE CVE CVE-2025-61911 page https://www.suse.com/security/cve/CVE-2025-61912/ SUSE CVE CVE-2025-61912 page Container suse/389-ds:latest SUSE Linux Enterprise Module for Package Hub 15 SP6 openSUSE Leap 15.6 python3-ldap-3.4.0-150400.3.3.1 python3-ldap-3.4.0-150400.3.3.1 as a component of Container suse/389-ds:latest python-ldap is a lightweight directory access protocol (LDAP) client API for Python. In versions prior to 3.4.5, the sanitization method `ldap.filter.escape_filter_chars` can be tricked to skip escaping of special characters when a crafted `list` or `dict` is supplied as the `assertion_value` parameter, and the non-default `escape_mode=1` is configured. The method `ldap.filter.escape_filter_chars` supports 3 different escaping modes. `escape_mode=0` (default) and `escape_mode=2` happen to raise exceptions when a `list` or `dict` object is supplied as the `assertion_value` parameter. However, `escape_mode=1` computes without performing adequate logic to ensure a fully escaped return value. If an application relies on the vulnerable method in the `python-ldap` library to escape untrusted user input, an attacker might be able to abuse the vulnerability to launch ldap injection attacks which could potentially disclose or manipulate ldap data meant to be inaccessible to them. Version 3.4.5 fixes the issue by adding a type check at the start of the `ldap.filter.escape_filter_chars` method to raise an exception when the supplied `assertion_value` parameter is not of type `str`. CVE-2025-61911 Container suse/389-ds:latest:python3-ldap-3.4.0-150400.3.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20253714-1/ https://www.suse.com/security/cve/CVE-2025-61911.html CVE-2025-61911 https://bugzilla.suse.com/1251912 SUSE Bug 1251912 python-ldap is a lightweight directory access protocol (LDAP) client API for Python. In versions prior to 3.4.5, ldap.dn.escape_dn_chars() escapes \x00 incorrectly by emitting a backslash followed by a literal NUL byte instead of the RFC-4514 hex form \00. Any application that uses this helper to construct DNs from untrusted input can be made to consistently fail before a request is sent to the LDAP server (e.g., AD), resulting in a client-side denial of service. Version 3.4.5 contains a patch for the issue. CVE-2025-61912 Container suse/389-ds:latest:python3-ldap-3.4.0-150400.3.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20253714-1/ https://www.suse.com/security/cve/CVE-2025-61912.html CVE-2025-61912 https://bugzilla.suse.com/1251913 SUSE Bug 1251913