Overview

File _patchinfo of Package patchinfo.39172

<patchinfo incident="39172">
  <issue tracker="cve" id="2024-12718"/>
  <issue tracker="cve" id="2025-4517"/>
  <issue tracker="cve" id="2025-4330"/>
  <issue tracker="cve" id="2025-6069"/>
  <issue tracker="cve" id="2025-4516"/>
  <issue tracker="cve" id="2025-4435"/>
  <issue tracker="cve" id="2025-4138"/>
  <issue tracker="cve" id="2025-8194"/>
  <issue tracker="bnc" id="1247249">VUL-0: CVE-2025-8194: python: cpython: tar archives with negative offsets may lead to infinite loop and deadlock</issue>
  <issue tracker="bnc" id="1244059">VUL-0: CVE-2025-4138: python: may allow symlink targets to point outside the destination directory, and the modification of some file metadata.</issue>
  <issue tracker="bnc" id="1233012">[Build 36.1] openQA test fails in zypper_migration: files conflict from python3-base</issue>
  <issue tracker="bnc" id="1244401">IPv6 address parsing doesn't limit buffer size (Python 3.6 only)</issue>
  <issue tracker="bnc" id="831629">python3-base test test_faulthandler fails on ppc64</issue>
  <issue tracker="bnc" id="1244060">VUL-0: CVE-2025-4330: python: Extraction filter bypass for linking outside extraction directory</issue>
  <issue tracker="bnc" id="1244032">VUL-0: CVE-2025-4517: python: arbitrary filesystem writes outside the extraction directory during extraction with filter="data"</issue>
  <issue tracker="bnc" id="1244056">VUL-0: CVE-2024-12718: python: Bypass extraction filter to modify file metadata outside extraction directory</issue>
  <issue tracker="bnc" id="1244061">VUL-0: CVE-2025-4435: python: Tarfile extracts filtered members when errorlevel=0</issue>
  <issue tracker="bnc" id="1244059">VUL-0: CVE-2025-4138: python: may allow symlink targets to point outside the destination directory, and the modification of some file metadata.</issue>
  <issue tracker="bnc" id="1244705">VUL-0: CVE-2025-6069: python,python3,python310,python311,python312,python313,python36,python39: worst case quadratic complexity when processing certain crafted malformed inputs with HTMLParser</issue>
  <issue tracker="bnc" id="1243273">VUL-0: CVE-2025-4516: python, cpython: CPython DecodeError Handling Vulnerability</issue>
  <packager>mcepl</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for python3</summary>
  <description>This update for python3 fixes the following issues:

- CVE-2025-4516: use-after-free in the unicode-escape decoder when using the error handler (bsc#1243273).
- CVE-2024-12718: Fixed extraction filter bypass that allowed file metadata modification outside extraction directory (bsc#1244056)
- CVE-2025-4138: Fixed issue that might allow symlink targets to point outside the destination directory, and the modification of some file metadata (bsc#1244059)
- CVE-2025-4330: Fixed extraction filter bypass that allowed linking outside extraction directory (bsc#1244060)
- CVE-2025-4435: Fixed Tarfile extracts filtered members when errorlevel=0 (bsc#1244061)
- CVE-2025-4517: Fixed arbitrary filesystem writes outside the extraction directory during extraction with filter="data" (bsc#1244032)
- CVE-2025-6069: Fixed worst case quadratic complexity when processing certain crafted malformed inputs with HTMLParser (bsc#1244705)
- CVE-2025-8194: Fixed denial of service caused by tar archives with negative offsets (bsc#1247249)
    
Other fixes:
- Limit buffer size for IPv6 address parsing (bsc#1244401).
</description>
</patchinfo>
openSUSE Build Service is sponsored by
Places