File _patchinfo of Package patchinfo.42869

<patchinfo incident="42869">
  <!--generated  with prepare-update from request 402029-->
  <issue tracker="bnc" id="1257029">VUL-0: CVE-2025-11468: python3: header injection when folding a long comment in an email header containing exclusively unfoldable characters</issue>
  <issue tracker="bnc" id="1257031">VUL-0: CVE-2026-0672: python3: HTTP header injection via user-controlled cookie values and parameters when using http.cookies.Morsel</issue>
  <issue tracker="bnc" id="1257041">VUL-0: CVE-2025-15367: python: control characters may allow the injection of additional commands</issue>
  <issue tracker="bnc" id="1257042">VUL-0: CVE-2026-0865: python: user-controlled header containing newlines can allow injecting HTTP headers</issue>
  <issue tracker="bnc" id="1257044">VUL-0: CVE-2025-15366: python: user-controlled command can allow additional commands injected using newlines</issue>
  <issue tracker="bnc" id="1257046">VUL-0: CVE-2025-15282: python: user-controlled data URLs parsed may allow injecting headers</issue>
  <issue tracker="bnc" id="1257108">VUL-0: CVE-2025-12781: python: inadequate parameter check can cause data integrity issues</issue>
  <issue tracker="cve" id="2025-11468"/>
  <issue tracker="cve" id="2025-12781"/>
  <issue tracker="cve" id="2025-15282"/>
  <issue tracker="cve" id="2025-15366"/>
  <issue tracker="cve" id="2025-15367"/>
  <issue tracker="cve" id="2026-0672"/>
  <issue tracker="cve" id="2026-0865"/>
  <category>security</category>
  <rating>important</rating>
  <packager>mcepl</packager>
  <summary>Security update for python311</summary>
  <description>This update for python311 fixes the following issues:

- CVE-2025-11468: header injection when folding a long comment in an email header containing exclusively unfoldable
  characters (bsc#1257029).
- CVE-2025-12781: inadequate parameter check can cause data integrity issues (bsc#1257108).
- CVE-2025-15282: parsing user-controlled data URLs may allow injecting headers (bsc#1257046).
- CVE-2025-15366: a user-controlled command can allow additional commands to be injected using newlines (bsc#1257044).
- CVE-2025-15367: control characters may allow the injection of additional commands (bsc#1257041).
- CVE-2026-0672: HTTP header injection via user-controlled cookie values and parameters when using http.cookies.Morsel
  (bsc#1257031).
- CVE-2026-0865: user-controlled header containing newlines can allow injecting HTTP headers (bsc#1257042).
</description>
</patchinfo>