File _patchinfo of Package patchinfo.42323
<patchinfo incident="42323">
  <issue tracker="cve" id="2025-4517"/>
  <issue tracker="cve" id="2025-4330"/>
  <issue tracker="cve" id="2007-4559"/>
  <issue tracker="cve" id="2024-12718"/>
  <issue tracker="cve" id="2025-4138"/>
  <issue tracker="cve" id="2025-4435"/>
  <issue tracker="bnc" id="1244056">VUL-0: CVE-2024-12718: python: Bypass extraction filter to modify file metadata outside extraction directory</issue>
  <issue tracker="bnc" id="1244060">VUL-0: CVE-2025-4330: python: Extraction filter bypass for linking outside extraction directory</issue>
  <issue tracker="bnc" id="1203750">VUL-0: CVE-2007-4559: python36,python3,python39,python310,python,python27: python tarfile module directory traversal</issue>
  <issue tracker="bnc" id="1244032">VUL-0: CVE-2025-4517: python: arbitrary filesystem writes outside the extraction directory during extraction with filter="data"</issue>
  <issue tracker="bnc" id="1251841">CVE-L3: SLE12-SP2: python3 - CVE-2025-4517 (x86-64)</issue>
  <issue tracker="bnc" id="1244061">VUL-0: CVE-2025-4435: python: Tarfile extracts filtered members when errorlevel=0</issue>
  <issue tracker="bnc" id="1244059">VUL-0: CVE-2025-4138: python: may allow symlink targets to point outside the destination directory, and the modification of some file metadata.</issue>
  <packager>mcepl</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for python3</summary>
  <description>This update for python3 fixes the following issues:

Security fixes:

- CVE-2025-4517: Fixed arbitrary filesystem writes outside the extraction directory during extraction with filter="data" (bsc#1244032)
- CVE-2025-4330: Fixed extraction filter bypass for linking outside extraction directory (bsc#1244060)
- CVE-2007-4559: Fixed python tarfile module directory traversal (bsc#1203750)
- CVE-2024-12718: Fixed bypass extraction filter to modify file metadata outside extraction directory (bsc#1244056)
- CVE-2025-4138: Fixed symlinking targets to not point outside the destination directory, and the modification of some file metadata (bsc#1244059)
- CVE-2025-4435: Fixed tarfile extracting filtered members when errorlevel=0 (bsc#1244061)

Other fixes:

- Fixed two shebangs with /usr/local/bin/python
</description>
</patchinfo>