File _patchinfo of Package patchinfo.43465
<patchinfo incident="43465">
  <issue tracker="cve" id="2026-4224"/>
  <issue tracker="cve" id="2026-3644"/>
  <issue tracker="cve" id="2026-4519"/>
  <issue tracker="cve" id="2025-13462"/>
  <issue tracker="bnc" id="1259735">VUL-0: CVE-2026-4224: python,python3,python310,python311,python312,python313,python314,python36,python39: C stack overflow when parsing XML with deeply nested DTD content models</issue>
  <issue tracker="bnc" id="1259734">VUL-0: CVE-2026-3644: python,python3,python310,python311,python312,python313,python314,python36,python39: incomplete control character validation in http.cookies</issue>
  <issue tracker="bnc" id="1259611">VUL-0: CVE-2025-13462: python,python: incorrect parsing of TarInfo header when GNU long name and type AREGTYPE are combined</issue>
  <issue tracker="bnc" id="1260026">VUL-0: CVE-2026-4519: python,python3,python310,python311,python312,python313,python314,python36,python39: leading dashes in URLs are accepted by the `webbrowser.open()` API and allow for web browser command line option injection</issue>
  <packager>mcepl</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for python</summary>
  <description>This update for python fixes the following issues:

- CVE-2025-13462: incorrect parsing of TarInfo when GNU long name and type AREGTYPE are combined can lead to misinterpretation of tar archives (bsc#1259611).
- CVE-2026-3644: incomplete control character validation in http.cookies can lead to input validation bypass (bsc#1259734).
- CVE-2026-4224: parsing XML with deeply nested DTD content models can lead to C stack overflow (bsc#1259735).
- CVE-2026-4519: failure to sanitize leading dashes in URLs in the `webbrowser.open()` API can lead to web browser command line option injection (bsc#1260026).
</description>
</patchinfo>