Overview

File _patchinfo of Package patchinfo.42384

<patchinfo incident="42384">
  <issue tracker="cve" id="2025-13836"/>
  <issue tracker="cve" id="2025-12084"/>
  <issue tracker="cve" id="2025-6075"/>
  <issue tracker="cve" id="2025-15366"/>
  <issue tracker="cve" id="2025-15367"/>
  <issue tracker="cve" id="2026-0865"/>
  <issue tracker="cve" id="2026-0672"/>
  <issue tracker="bnc" id="1257031">VUL-0: CVE-2026-0672: python3: HTTP header injection via user-controlled cookie values and parameters when using http.cookies.Morsel</issue>
  <issue tracker="bnc" id="1257041">VUL-0: CVE-2025-15367: python: control characters may allow the injection of additional commands</issue>
  <issue tracker="bnc" id="1257044">VUL-0: CVE-2025-15366: python: user-controlled command can allow additional commands injected using newlines</issue>
  <issue tracker="bnc" id="1254867">VUL-0: CVE-2025-66471: python-urllib3,python-urllib3_1,python36-urllib3: excessive resource consumption via decompression of highly compressed data in Streaming API</issue>
  <issue tracker="bnc" id="1257042">VUL-0: CVE-2026-0865: python: user-controlled header containing newlines can allow injecting HTTP headers</issue>
  <issue tracker="bnc" id="1257064">L3: Regression: python-base-2.7.18-28.134.1 breaks Python 2.7 - re.ASCII AttributeError</issue>
  <issue tracker="bnc" id="1254997">VUL-0: CVE-2025-12084: python,python3,python310,python311,python312,python313,python36,python39: cpython: python: cpython: Quadratic algorithm in xml.dom.minidom leads to denial of service</issue>
  <issue tracker="bnc" id="1254400">VUL-0: CVE-2025-13836: python,python3,python310,python311,python312,python313,python36,python39: When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length.</issue>
  <packager>mcepl</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for python</summary>
  <description>This update for python fixes the following issues:

Security fixes:
    
- CVE-2025-13836: Fixed reading an HTTP response from a server, if no read amount is specified, with using Content-Length per default as the length. (bsc#1254400)
- CVE-2025-12084: Fixed Denial of Service due to quadratic algorithm in xml.dom.minidom. (bsc#1254997)
- CVE-2026-0672: Fixed a HTTP header injection via user-controlled cookie values and parameters when using http.cookies.Morsel. (bsc#1257031)
- CVE-2026-0865: Fixed a bug where a user-controlled header containing newlines can allow injecting HTTP headers. (bsc#1257042)
- CVE-2025-15366: Fixed a bug wherer a user-controlled command can allow additional commands injected using newlines. (bsc#1257044)
- CVE-2025-15367: Fixed control characters which may allow the injection of additional commands. (bsc#1257041)


Other fixes:

- Modified CVE-2025-6075 fix to not use `re.ASCII` flag (not available in Python 2.7) (bsc#1257064).
</description>
</patchinfo>
openSUSE Build Service is sponsored by
Places