File _patchinfo of Package patchinfo.18772
<patchinfo incident="18772">
  <issue tracker="bnc" id="1236405">VUL-0: CVE-2025-24359: python-asteval: sandbox escape due to use of the format method of the str class with untrusted user input</issue>
  <issue tracker="cve" id="2025-24359"/>
  <packager>mcepl</packager>
  <rating>moderate</rating>
  <category>security</category>
  <summary>Security update for python-asteval</summary>
  <description>This update for python-asteval fixes the following issues:
- update to 1.0.6:
  * drop testing and support for Python3.8, add Python 3.13,
    change document to reflect this.
  * implement safe_getattr and safe_format functions; fix bugs
    in UNSAFE_ATTRS and UNSAFE_ATTRS_DTYPES usage (boo#1236405,
    CVE-2025-24359)
  * make all procedure attributes private to curb access to AST
    nodes, which can be exploited
  * improvements to error messages, including use ast functions
    to construct better error messages
  * remove import of numpy.linalg, as documented
  * update doc description for security advisory
- update to 1.0.5:
  * more work on handling errors, including fixing #133 and
    adding more comprehensive tests for #129 and #132
- update to 1.0.4:
  * fix error handling that might result in null exception
- update to 1.0.3:
  * functions ("Procedures") defined within asteval have a
    `_signature()` method, now used in repr
  * add support for deleting subscript
  * nested symbol tables now have a Group() function
  * update coverage config
  * cleanups of exception handling: errors must now have an
    exception
  * several related fixes to suppress repeated exceptions: see GH
    #132 and #129
  * make non-boolean return values from comparison operators
    behave like Python - not immediately testing as bool
- update to 1.0.2:
  * fix NameError handling in expression code
  * make exception messages more Python-like
- update to 1.0.1:
  * security fixes, based on audit by Andrew Effenhauser, Ayman
    Hammad, and Daniel Crowley, IBM X-Force Security Research
    division
  * remove numpy modules polynomial, fft, linalg by default for
    security concerns
  * disallow string.format(), improve security of f-string
    evaluation
- update to 1.0.0:
  * fix (again) nested list comprehension (Issues #127 and #126).
  * add more testing of multiple list comprehensions.
  * more complete support for Numpy 2, and removal of many Numpy
    symbols that have been long deprecated.
  * remove AST nodes deprecated in Python 3.8.
  * clean up build files and outdated tests.
  * fixes to codecov configuration.
  * update docs.
- update to 0.9.33:
  * fixes for multiple list comprehensions (addressing #126)
  * add testing with optionally installed numpy_financial to CI
  * test existence of all numpy imports to better safeguard
    against missing functions (for safer numpy 2 transition)
  * update rendered doc to include PDF and zipped HTML
- update to 0.9.32:
  * add deprecations message for numpy functions to be removed in
    numpy 2.0
  * comparison operations use try/except for short-circuiting
    instead of checking for numpy arrays (addressing #123)
  * add Python 3.12 to testing
  * move repository from "newville" to "lmfit" organization
  * update doc theme, GitHub locations pointed to by docs, other
    doc tweaks.
- update to 0.9.31:
  * cleanup numpy imports to avoid deprecated functions, add financial
    functions from numpy_financial module, if installed.
  * prefer 'user_symbols' when initializing Interpreter, but still support
    'usersyms' argument. Will deprecate and remove eventually.
  * add support of optional (off by default) "nested symbol table".
  * update tests to run most tests with symbol tables of dict and nested
    group type.
  * general code and testing cleanup.
  * add config argument to Interpreter to more fully control which nodes are supported
  * add support for import and importfrom -- off by default
  * add support for with blocks
  * add support for f-strings
  * add support of set and dict comprehension
  * fix bug with 'int**int' not returning a float.
- update to 0.9.29:
  * bug fixes
- update to 0.9.28:
  * add support for Python 3.11
  * add support for multiple list comprehensions
  * improve performance of making the initial symbol table,
    and Interpreter creation, including better checking for index_tricks attributes
- update to 0.9.27:
  * more cleanups
- update to 0.9.26:
  * fix setup.py again
- update to 0.9.25:
  * fixes import errors for Py3.6 and 3.7, setting version with
    importlib_metadata.version if available.
  * use setuptools_scm and importlib for version
  * treat all __dunder__ attributes of all objects as inherently unsafe.
- update to 0.9.22:
  * another important but small fix for Python 3.9
  * Merge branch 'nested_interrupts_returns'
- Drop hard numpy requirement, don't test on python36
- update to 0.9.18:
  * drop python2
  * few fixes
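
Why the 1.0.1 entry (disallow string.format()) and the 1.0.6 entry (safe_format) matter, shown as an added illustration that is not asteval's own code: Python's str.format resolves '.attr' and '[key]' inside a replacement field through getattr() and __getitem__, so whoever controls only the template can walk from a harmless value to its class and from there to interpreter internals, which is exactly the kind of escape CVE-2025-24359 describes. The guard below parses the template with string.Formatter before formatting and accepts only bare positional or keyword field names. The sample classes Public and Secret, the _vault attribute, and the function names is_safe_template and guarded_format are constructed for this example; they are not asteval's implementation of safe_format.

```python
import string

# Constructed stand-in objects for this example (not asteval internals): an
# attacker who controls only a format string can walk from a harmless value
# to whatever hangs off its attributes.
class Secret:
    token = "constructed-secret"

class Public:
    name = "widget"
    def __init__(self):
        self._vault = Secret()

def naive_format(template, *args, **kwargs):
    """Plain str.format: replacement fields resolve '.attr' and '[key]'
    through getattr() and __getitem__, with no restriction on dunders."""
    return template.format(*args, **kwargs)

def _field_is_safe(field_name):
    """Allow '', '0', 'name'; reject attribute access, indexing and dunders."""
    if field_name == "":
        return True                      # auto-numbered positional field
    if "." in field_name or "[" in field_name:
        return False                     # '{0.attr}' / '{0[key]}'
    return not field_name.startswith("__")

def is_safe_template(template):
    """True when every replacement field (including fields nested inside a
    format spec such as '{0:{1}}') is a bare positional or keyword name.
    A malformed template (unbalanced braces) is treated as unsafe."""
    try:
        for _literal, field_name, format_spec, _conv in string.Formatter().parse(template):
            if field_name is None:
                continue                 # literal text, or an escaped '{{'
            if not _field_is_safe(field_name):
                return False
            if format_spec and "{" in format_spec and not is_safe_template(format_spec):
                return False
    except ValueError:
        return False
    return True

def guarded_format(template, *args, **kwargs):
    """str.format that refuses templates failing is_safe_template()."""
    if not is_safe_template(template):
        raise ValueError("attribute or index access in format field: %r" % template)
    return template.format(*args, **kwargs)

if __name__ == "__main__":
    p = Public()
    print(naive_format("{0.name}", p))                # widget
    print(naive_format("{0._vault.token}", p))        # leaks Secret.token
    print(naive_format("{0.__class__.__mro__}", p))   # reaches type objects
    print(guarded_format("{0} {name:>8}", 1, name="ok"))
    try:
        guarded_format("{0._vault.token}", p)
    except ValueError as exc:
        print("rejected:", exc)
```

The check is done on the template before any formatting happens, so a rejected template never touches the arguments; nested format specs are walked recursively because '{0:{1.__class__}}' hides the attribute access inside the spec rather than in the outer field name.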
</description>
</patchinfo>