SUSE-CU-2025:7592-1: Security update of bci/python

sle-container-updates at lists.suse.com
Sun Oct 26 08:10:44 UTC 2025


SUSE Container Update Advisory: bci/python
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2025:7592-1
Container Tags        : bci/python:3 , bci/python:3.13 , bci/python:3.13.7 , bci/python:3.13.7-79.3 , bci/python:latest
Container Release     : 79.3
Severity              : moderate
Type                  : security
References            : 1241219 1244705 1247249 1251264 CVE-2025-3576 CVE-2025-6069 CVE-2025-8194
-----------------------------------------------------------------

The container bci/python was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2025:3596-1
Released:    Wed Oct 15 09:51:21 2025
Summary:     Recommended update for curl
Type:        recommended
Severity:    moderate
References:  1251264

This update for curl fixes the following issue:

- rebuilds it against a newer nghttp2 to fix the handling of two or more whitespaces in headers. (bsc#1251264)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3699-1
Released:    Tue Oct 21 12:07:47 2025
Summary:     Security update for krb5
Type:        security
Severity:    moderate
References:  1241219,CVE-2025-3576
This update for krb5 fixes the following issues:

- CVE-2025-3576: weakness in the MD5 checksum design allows for spoofing of GSSAPI-protected messages that are using
  RC4-HMAC-MD5 (bsc#1241219).

Krb5, being a very old protocol, supports quite a number of ciphers
that are no longer up to current cryptographic standards.

To avoid problems with those, SUSE has now disabled those
algorithms by default.

The following algorithms have been removed from valid krb5 enctypes:

- des3-cbc-sha1
- arcfour-hmac-md5

To re-enable those algorithms, set the corresponding allow options in the
[libdefaults] section of krb5.conf:

[libdefaults]
allow_des3 = true
allow_rc4 = true
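As an added defender-side check (example code, not part of the SUSE advisory or the krb5 project), this Python script parses the [libdefaults] section of a krb5.conf and reports whether the removed enctypes have been re-enabled through the allow_des3 / allow_rc4 options above; going beyond the advisory, it also flags those enctype names if they appear in the standard permitted_enctypes / default_tgs_enctypes / default_tkt_enctypes lists. The sample configuration is constructed.

```python
"""Audit krb5.conf for re-enabled weak enctypes (added example, not from the advisory)."""

WEAK_ENCTYPES = {"des3-cbc-sha1", "arcfour-hmac-md5"}  # removed by SUSE
ALLOW_KEYS = {"allow_des3": "des3-cbc-sha1", "allow_rc4": "arcfour-hmac-md5"}
# Standard libdefaults keys (not in the advisory) that list enctypes.
ENCTYPE_LIST_KEYS = ("permitted_enctypes", "default_tgs_enctypes", "default_tkt_enctypes")
TRUE_VALUES = {"true", "t", "yes", "y", "on", "1"}  # krb5 boolean spellings

def parse_libdefaults(text):
    """Top-level key/value pairs of [libdefaults]; comments are skipped and
    nested { } blocks ignored, since libdefaults keys are flat."""
    section, depth, values = None, 0, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if depth == 0 and line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        depth += line.count("{") - line.count("}")
        if depth != 0 or section != "libdefaults" or "=" not in line:
            continue
        key, _, val = line.partition("=")
        values[key.strip().lower()] = val.strip()
    return values

def weak_enctype_findings(text):
    """Sorted findings, each naming a weak enctype and the setting enabling it."""
    ld = parse_libdefaults(text)
    findings = set()
    for key, enctype in ALLOW_KEYS.items():
        if ld.get(key, "").lower() in TRUE_VALUES:
            findings.add(f"{enctype} re-enabled via {key}")
    for key in ENCTYPE_LIST_KEYS:
        for tok in ld.get(key, "").lower().replace(",", " ").split():
            if tok in WEAK_ENCTYPES:
                findings.add(f"{tok} listed in {key}")
    return sorted(findings)

SAMPLE_KRB5_CONF = """\
# constructed sample, not from any real host
[libdefaults]
    default_realm = EXAMPLE.COM
    allow_rc4 = true            # override shown in the advisory
    permitted_enctypes = aes256-cts-hmac-sha1-96 des3-cbc-sha1
[realms]
    EXAMPLE.COM = {
        allow_des3 = true       # inside a realm block, not libdefaults
    }
"""
```

Run `weak_enctype_findings(open("/etc/krb5.conf").read())` on a host to list which weak enctypes are re-enabled and by which setting.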

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:3706-1
Released:    Tue Oct 21 17:07:32 2025
Summary:     Security update for python313
Type:        security
Severity:    moderate
References:  1244705,1247249,CVE-2025-6069,CVE-2025-8194
This update for python313 fixes the following issues:

Update to version 3.13.7.

- Fixes in 3.13.7:
  * gh-137583: Fix a deadlock introduced in 3.13.6 when a call
    to ssl.SSLSocket.recv was blocked in one thread, and then
    another method on the object (such as ssl.SSLSocket.send) was
    subsequently called in another thread.
  * gh-137044: Return large limit values as positive integers
    instead of negative integers in resource.getrlimit().
    Accept large values and reject negative values (except
    RLIM_INFINITY) for limits in resource.setrlimit().
  * gh-136914: Fix retrieval of doctest.DocTest.lineno
    for objects decorated with functools.cache() or
    functools.cached_property.
  * gh-131788: Make ResourceTracker.send from multiprocessing
    re-entrant safe
  * gh-136155: We are now checking for fatal errors in EPUB
    builds in CI.
  * gh-137400: Fix a crash in the free threading build when
    disabling profiling or tracing across all threads with
    PyEval_SetProfileAllThreads() or PyEval_SetTraceAllThreads()
    or their Python equivalents threading.settrace_all_threads()
    and threading.setprofile_all_threads().

- Fixes in 3.13.6:
  * Security
    - gh-135661: Fix parsing start and end tags in
      html.parser.HTMLParser according to the HTML5 standard.
        - Whitespaces no longer accepted between </ and the tag
          name. E.g. </ script> does not end the script section.
        - Vertical tabulation (\v) and non-ASCII whitespaces no
          longer recognized as whitespaces. The only whitespaces
          are \t\n\r\f and space.
        - Null character (U+0000) no longer ends the tag name.
        - Attributes and slashes after the tag name in end tags
          are now ignored, instead of terminating after the first
          > in quoted attribute value. E.g. </script/foo='>'/>.
        - Multiple slashes and whitespaces between the last
          attribute and closing > are now ignored in both start
          and end tags. E.g. <a foo=bar/ //>.
        - Multiple = between attribute name and value are no
          longer collapsed. E.g. <a foo==bar> produces attribute
          “foo” with value “=bar”.
    - gh-102555: Fix comment parsing in html.parser.HTMLParser
      according to the HTML5 standard. --!> now ends the comment.
      -- > no longer ends the comment. Support abnormally ended
      empty comments <--> and <--->.
    - gh-135462: Fix quadratic complexity in processing specially
      crafted input in html.parser.HTMLParser. End-of-file errors
      are now handled according to the HTML5 specs – comments and
      declarations are automatically closed, tags are ignored
      (CVE-2025-6069, bsc#1244705).
    - gh-118350: Fix support of escapable raw text mode (elements
      “textarea” and “title”) in html.parser.HTMLParser.
  * Core and Builtins
    - gh-58124: Fix name of the Python encoding in Unicode errors
      of the code page codec: use “cp65000” and “cp65001” instead
      of “CP_UTF7” and “CP_UTF8” which are not valid Python code
      names. Patch by Victor Stinner.
    - gh-137314: Fixed a regression where raw f-strings
      incorrectly interpreted escape sequences in format
      specifications. Raw f-strings now properly preserve literal
      backslashes in format specs, matching the behavior from
      Python 3.11. For example, rf'{obj:\xFF}' now correctly
      produces '\\xFF' instead of 'ÿ'. Patch by Pablo Galindo.
    - gh-136541: Fix some issues with the perf trampolines
      on x86-64 and aarch64. The trampolines were not being
      generated correctly for some cases, which could lead to
      the perf integration not working correctly. Patch by Pablo
      Galindo.
    - gh-109700: Fix memory error handling in
      PyDict_SetDefault().
    - gh-78465: Fix error message for cls.__new__(cls, ...) where
      cls is not instantiable builtin or extension type (with
      tp_new set to NULL).
    - gh-135871: Non-blocking mutex lock attempts now return
      immediately when the lock is busy instead of briefly
      spinning in the free threading build.
    - gh-135607: Fix potential weakref races in an object’s
      destructor on the free threaded build.
    - gh-135496: Fix typo in the f-string conversion type error
      (“exclamanation” -> “exclamation”).
    - gh-130077: Properly raise custom syntax errors when
      incorrect syntax containing names that are prefixes of soft
      keywords is encountered. Patch by Pablo Galindo.
    - gh-135148: Fixed a bug where f-string debug expressions
      (using =) would incorrectly strip out parts of strings
      containing escaped quotes and # characters. Patch by Pablo
      Galindo.
    - gh-133136: Limit excess memory usage in the free threading
      build when a large dictionary or list is resized and
      accessed by multiple threads.
    - gh-132617: Fix dict.update() modification check that could
      incorrectly raise a “dict mutated during update” error when
      a different dictionary was modified that happens to share
      the same underlying keys object.
    - gh-91153: Fix a crash when a bytearray is concurrently
      mutated during item assignment.
    - gh-127971: Fix off-by-one read beyond the end of a string
      in string search.
    - gh-125723: Fix crash with gi_frame.f_locals when generator
      frames outlive their generator. Patch by Mikhail Efimov.
  * Library
    - gh-132710: If possible, ensure that uuid.getnode()
      returns the same result even across different processes.
      Previously, the result was constant only within the same
      process. Patch by Bénédikt Tran.
    - gh-137273: Fix debug assertion failure in
      locale.setlocale() on Windows.
    - gh-137257: Bump the version of pip bundled in ensurepip to
      version 25.2
    - gh-81325: tarfile.TarFile now accepts a path-like when
      working on a tar archive. (Contributed by Alexander Enrique
      Urieles Nieto in gh-81325.)
    - gh-130522: Fix unraisable TypeError raised during
      interpreter shutdown in the threading module.
    - gh-130577: tarfile now validates archives to ensure member
      offsets are non-negative. (Contributed by Alexander Enrique
      Urieles Nieto in gh-130577; CVE-2025-8194, bsc#1247249).
    - gh-136549: Fix signature of threading.excepthook().
    - gh-136523: Fix wave.Wave_write emitting an unraisable when
      open raises.
    - gh-52876: Add missing keepends (default True)
      parameter to codecs.StreamReaderWriter.readline() and
      codecs.StreamReaderWriter.readlines().
    - gh-85702: If zoneinfo._common.load_tzdata is given a
      package without a resource a zoneinfo.ZoneInfoNotFoundError
      is raised rather than a PermissionError. Patch by Victor
      Stinner.
    - gh-134759: Fix UnboundLocalError in
      email.message.Message.get_payload() when the payload to
      decode is a bytes object. Patch by Kliment Lamonov.
    - gh-136028: Fix parsing month names containing “İ” (U+0130,
      LATIN CAPITAL LETTER I WITH DOT ABOVE) in time.strptime().
      This affects locales az_AZ, ber_DZ, ber_MA and crh_UA.
    - gh-135995: In the palmos encoding, make byte 0x9b decode to
      › (U+203A - SINGLE RIGHT-POINTING ANGLE QUOTATION MARK).
    - gh-53203: Fix time.strptime() for %c and %x formats on
      locales byn_ER, wal_ET and lzh_TW, and for %X format on
      locales ar_SA, bg_BG and lzh_TW.
    - gh-91555: An earlier change, which was introduced in
      3.13.4, has been reverted. It disabled logging for a logger
      during handling of log messages for that logger. Since the
      reversion, the behaviour should be as it was before 3.13.4.
    - gh-135878: Fixes a crash of types.SimpleNamespace on free
      threading builds, when several threads were calling its
      __repr__() method at the same time.
    - gh-135836: Fix IndexError in
      asyncio.loop.create_connection() that could occur when
      non-OSError exception is raised during connection and
      socket’s close() raises OSError.
    - gh-135836: Fix IndexError in
      asyncio.loop.create_connection() that could occur when the
      Happy Eyeballs algorithm resulted in an empty exceptions
      list during connection attempts.
    - gh-135855: Raise TypeError instead of SystemError when
      _interpreters.set___main___attrs() is passed a non-dict
      object. Patch by Brian Schubert.
    - gh-135815: netrc: skip security checks if os.getuid() is
      missing. Patch by Bénédikt Tran.
    - gh-135640: Address bug where it was possible to call
      xml.etree.ElementTree.ElementTree.write() on an ElementTree
      object with an invalid root element. This behavior blanked
      the file passed to write if it already existed.
    - gh-135444: Fix asyncio.DatagramTransport.sendto() to
      account for datagram header size when data cannot be sent.
    - gh-135497: Fix os.getlogin() failing for longer usernames
      on BSD-based platforms.
    - gh-135487: Fix reprlib.Repr.repr_int() when given integers
      with more than sys.get_int_max_str_digits() digits. Patch
      by Bénédikt Tran.
    - gh-135335: multiprocessing: Flush stdout and stderr after
      preloading modules in the forkserver.
    - gh-135244: uuid: when the MAC address cannot be
      determined, the 48-bit node ID is now generated with a
      cryptographically-secure pseudo-random number generator
      (CSPRNG) as per RFC 9562, §6.10.3. This affects uuid1().
    - gh-135069: Fix the “Invalid error handling” exception in
      encodings.idna.IncrementalDecoder to correctly replace the
      ‘errors’ parameter.
    - gh-134698: Fix a crash when calling methods of
      ssl.SSLContext or ssl.SSLSocket across multiple threads.
    - gh-132124: On POSIX-compliant systems,
      multiprocessing.util.get_temp_dir() now ignores TMPDIR
      (and similar environment variables) if the path length of
      AF_UNIX socket files exceeds the platform-specific maximum
      length when using the forkserver start method. Patch by
      Bénédikt Tran.
    - gh-133439: Fix dot commands with trailing spaces are
      mistaken for multi-line SQL statements in the sqlite3
      command-line interface.
    - gh-132969: Prevent the ProcessPoolExecutor executor thread,
      which remains running when shutdown(wait=False), from
      attempting to adjust the pool’s worker processes after
      the object state has already been reset during shutdown.
      A combination of conditions, including a worker process
      having terminated abnormally, resulted in an exception and
      a potential hang when the still-running executor thread
      attempted to replace dead workers within the pool.
    - gh-130664: Support the '_' digit separator in formatting
      of the integral part of Decimal’s. Patch by Sergey B
      Kirpichev.
    - gh-85702: If zoneinfo._common.load_tzdata is given a
      package without a resource a ZoneInfoNotFoundError is
      raised rather than a IsADirectoryError.
    - gh-130664: Handle corner-case for Fraction’s formatting:
      treat zero-padding (preceding the width field by a zero
      ('0') character) as an equivalent to a fill character of
      '0' with an alignment type of '=', just as in case of
      float’s.
  * Tools/Demos
    - gh-135968: Stubs for strip are now provided as part of an
      iOS install.
  * Tests
    - gh-135966: The iOS testbed now handles the app_packages
      folder as a site directory.
    - gh-135494: Fix regrtest to support excluding tests from
      --pgo tests. Patch by Victor Stinner.
    - gh-135489: Show verbose output for failing tests during PGO
      profiling step with --enable-optimizations.
  * Documentation
    - gh-135171: Document that the iterator for the leftmost for
      clause in the generator expression is created immediately.
  * Build
    - gh-135497: Fix the detection of MAXLOGNAME in the
      configure.ac script.


The following package changes have been done:

- krb5-1.20.1-150600.11.14.1 updated
- libcurl4-8.14.1-150700.7.2.1 updated
- curl-8.14.1-150700.7.2.1 updated
- libpython3_13-1_0-3.13.7-150700.4.23.1 updated
- python313-base-3.13.7-150700.4.23.1 updated
- python313-3.13.7-150700.4.23.1 updated
- python313-devel-3.13.7-150700.4.23.1 updated
- container:registry.suse.com-bci-bci-base-15.7-231a93ad62347ed0484baa9242d06c7c7fc48241452613423a9c25e30102fb8f-0 updated

