Overview

File _patchinfo of Package patchinfo.38565

<patchinfo incident="38565">
  <issue tracker="bnc" id="1244059">VUL-0: CVE-2025-4138: python: may allow symlink targets to point outside the destination directory, and the modification of some file metadata.</issue>
  <issue tracker="bnc" id="1244032">VUL-0: CVE-2025-4517: python: arbitrary filesystem writes outside the extraction directory during extraction with filter="data"</issue>
  <issue tracker="bnc" id="1244056">VUL-0: CVE-2024-12718: python: Bypass extraction filter to modify file metadata outside extraction directory</issue>
  <issue tracker="bnc" id="1243273">VUL-0: CVE-2025-4516: python, cpython: CPython DecodeError Handling Vulnerability</issue>
  <issue tracker="bnc" id="1244060">VUL-0: CVE-2025-4330: python: Extraction filter bypass for linking outside extraction directory</issue>
  <issue tracker="cve" id="2025-4330"/>
  <issue tracker="cve" id="2025-4138"/>
  <issue tracker="cve" id="2025-4516"/>
  <issue tracker="cve" id="2024-12718"/>
  <issue tracker="cve" id="2025-4517"/>
  <packager>mcepl</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for python312</summary>
  <description>This update for python312 fixes the following issues:

python312 was updated from version 3.12.9 to 3.12.11:

- Security issues fixed:

  * CVE-2025-4516: Fixed blocking DecodeError handling vulnerability, which could lead to DoS (bsc#1243273)
  * CVE-2024-12718, CVE-2025-4138, CVE-2025-4330, CVE-2025-4517: Fixed multiple issues that allowed tarfile 
    extraction filters to be bypassed using crafted symlinks and hard links
    (bsc#1244056, bsc#1244059, bsc#1244060, bsc#1244032)

- Other changes and bugs fixed:

  * Added --single-process option to the Python test runner (regrtest).
  * Added support for text/x-rst MIME type.
  * Corrected issues in various modules.
  * Fixed bugs in the in the folding of rfc2047 encoded-words and in the folding of quoted strings when flattening an
    email message using a modern email policy.
  * Fixed f-string handling of lambda expressions with non-ASCII characters.
  * Fixed ipaddress.IPv6Address.reverse_pointer output according to RFC 3596.
  * Fixed parsing long IPv6 addresses with embedded IPv4 address.
  * Fixed resource leaks in gzip and multiprocessing Resource Tracker.
  * Improved IDLE's documentation display.
  * Improved the textual representation of IPv4-mapped IPv6 addresses in ipaddress.
  * ipaddress: fixed hash collisions for IPv4Network and IPv6Network objects
  * Made from __future__ import barry_as_FLUFL work in more contexts.
  * Resolved potential crashes in contextvars, xml.etree.ElementTree, sqlite3, and the sys module.
  * Scheduled deprecation of the check_home argument in sysconfig.is_python_build() for Python 3.15.
  * Stop the processing of long IPv6 addresses early in ipaddress to prevent excessive memory consumption and a minor
    denial-of-service.
  * Undeprecated functional API for importlib.resources and added Anchor.
  * Updated bundled libexpat to 2.7.1
  * Updated bundled pip to version 25.0.1.
  * Updated documentation for generic classes, wheel tags, and the C API.
</description>
</patchinfo>
openSUSE Build Service is sponsored by
Places