SUSE-CU-2026:571-1: Security update of suse/sles/16.0/toolbox

sle-container-updates at lists.suse.com
Sat Jan 31 08:16:46 UTC 2026


SUSE Container Update Advisory: suse/sles/16.0/toolbox
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:571-1
Container Tags        : suse/sles/16.0/toolbox:16.3 , suse/sles/16.0/toolbox:16.3-1.17 , suse/sles/16.0/toolbox:latest
Container Release     : 1.17
Severity              : important
Type                  : security
References            : 1232351 1236282 1240874 1244680 1244705 1245667 1246011 1246025
                        1247249 1249657 1250224 1251305 1252318 1252974 1254400 1254401
                        1254425 1254997 1255715 1255731 1255732 1255733 1255734 1255765
                        1256105 1256244 1256246 1256389 1256390 1256436 1256766 1256822
                        1257005 1257395 1257396 CVE-2025-0395 CVE-2025-11961 CVE-2025-12084
                        CVE-2025-13836 CVE-2025-13837 CVE-2025-14017 CVE-2025-14524 CVE-2025-14819
                        CVE-2025-15079 CVE-2025-15224 CVE-2025-15281 CVE-2025-6069 CVE-2025-6075
                        CVE-2025-68973 CVE-2025-8194 CVE-2025-8291 CVE-2026-0861 CVE-2026-0915
                        CVE-2026-24882 CVE-2026-24883 
-----------------------------------------------------------------

The container suse/sles/16.0/toolbox was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: 138
Released:    Wed Jan 14 11:23:16 2026
Summary:     Security update for gpg2
Type:        security
Severity:    important
References:  1255715,1256244,1256246,1256390,CVE-2025-68973
This update for gpg2 fixes the following issues:

- CVE-2025-68973: out-of-bounds write when processing specially crafted input in the armor parser can lead to memory corruption (bsc#1255715).

Other security fixes:

- gpg: Avoid potential downgrade to SHA1 in 3rd party key signatures (bsc#1256246).
- gpg: Error out on unverified output for non-detached signatures (bsc#1256244).
- gpg: Deprecate the option --not-dash-escaped (bsc#1256390).

-----------------------------------------------------------------
Advisory ID: 140
Released:    Wed Jan 14 12:01:44 2026
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1255731,1255732,1255733,1255734,1256105,CVE-2025-14017,CVE-2025-14524,CVE-2025-14819,CVE-2025-15079,CVE-2025-15224
This update for curl fixes the following issues:

- CVE-2025-14017: broken TLS options for threaded LDAPS (bsc#1256105).
- CVE-2025-14524: bearer token leak on cross-protocol redirect (bsc#1255731).
- CVE-2025-14819: libssh global knownhost override (bsc#1255732).
- CVE-2025-15079: libssh key passphrase bypass without agent set (bsc#1255733).
- CVE-2025-15224: OpenSSL partial chain store policy bypass (bsc#1255734).

-----------------------------------------------------------------
Advisory ID: 164
Released:    Thu Jan 22 11:13:12 2026
Summary:     Security update for libpcap
Type:        security
Severity:    low
References:  1255765,CVE-2025-11961
This update for libpcap fixes the following issues:

- CVE-2025-11961: missing validation of provided MAC-48 address string in `pcap_ether_aton()` can lead to out-of-bounds
  read and write (bsc#1255765).

-----------------------------------------------------------------
Advisory ID: 170
Released:    Thu Jan 22 14:47:27 2026
Summary:     Security update for python313
Type:        security
Severity:    moderate
References:  1244680,1244705,1247249,1251305,1252974,1254400,1254401,1254997,CVE-2025-12084,CVE-2025-13836,CVE-2025-13837,CVE-2025-6069,CVE-2025-6075,CVE-2025-8194,CVE-2025-8291
This update for python313 fixes the following issues:

- Update to 3.13.11:

- Security
    - CVE-2025-12084: cpython: Fixed quadratic algorithm in
      xml.dom.minidom leading to denial of service (bsc#1254997)
    - CVE-2025-13836: Fixed default Content-Length read amount
      from HTTP response (bsc#1254400)
    - CVE-2025-13837: Fixed plistlib module denial of service (bsc#1254401)
    - CVE-2025-8291: Fixed validity of the ZIP64 End of Central Directory
      (EOCD) not checked by the 'zipfile' module (bsc#1251305)
    - gh-137836: Add support of the “plaintext” element, RAWTEXT
      elements “xmp”, “iframe”, “noembed” and “noframes”, and
      optionally RAWTEXT element “noscript” in
      html.parser.HTMLParser.
    - gh-136063: email.message: ensure linear complexity for
      legacy HTTP parameters parsing. Patch by Bénédikt Tran.
    - CVE-2025-6075: Fixed performance issues caused by user-controlled
      os.path.expandvars() (bsc#1252974)
- Library
    - gh-140797: Revert changes to the undocumented re.Scanner
      class. Capturing groups are still allowed for backward
      compatibility, although using them can lead to incorrect
      result. They will be forbidden in future Python versions.
    - gh-142206: The resource tracker in the multiprocessing
      module now uses the original communication protocol, as in
      Python 3.14.0 and below, by default. This avoids issues
      with upgrading Python while it is running. (Note that such
      ‘in-place’ upgrades are not tested.) The tracker remains
      compatible with subprocesses that use new protocol (that
      is, subprocesses using Python 3.13.10, 3.14.1 and 3.15).
- Core and Builtins
    - gh-142218: Fix crash when inserting into a split table
      dictionary with a non str key that matches an existing key.


- Update to 3.13.10:

- Tools/Demos
    - gh-141442: The iOS testbed now correctly handles test
      arguments that contain spaces.
- Tests
    - gh-140482: Preserve and restore the state of stty echo as
      part of the test environment.
    - gh-140082: Update python -m test to set FORCE_COLOR=1 when
      being run with color enabled so that unittest which is run
      by it with redirected output will output in color.
    - gh-136442: Use exitcode 1 instead of 5 if
      unittest.TestCase.setUpClass() raises an exception
- Library
    - gh-74389: When the stdin being used by a subprocess.Popen
      instance is closed, this is now ignored in
      subprocess.Popen.communicate() instead of leaving the class
      in an inconsistent state.
    - gh-87512: Fix subprocess.Popen.communicate() timeout
      handling on Windows when writing large input. Previously,
      the timeout was ignored during stdin writing, causing the
      method to block indefinitely if the child process did not
      consume input quickly. The stdin write is now performed in
      a background thread, allowing the timeout to be properly
      enforced.
    - gh-141473: When subprocess.Popen.communicate() was called
      with input and a timeout and is called for a second time
      after a TimeoutExpired exception before the process has
      died, it should no longer hang.
    - gh-59000: Fix pdb breakpoint resolution for class methods
      when the module defining the class is not imported.
    - gh-141570: Support file-like object raising OSError from
      fileno() in color detection (_colorize.can_colorize()).
      This can occur when sys.stdout is redirected.
    - gh-141659: Fix bad file descriptor errors from
      _posixsubprocess on AIX.
    - gh-141497: ipaddress: ensure that the methods
      IPv4Network.hosts() and IPv6Network.hosts() always return
      an iterator.
    - gh-140938: The statistics.stdev() and statistics.pstdev()
      functions now raise a ValueError when the input contains an
      infinity or a NaN.
    - gh-124111: Updated Tcl threading configuration in _tkinter
      to assume that threads are always available in Tcl 9 and
      later.
    - gh-137109: The os.fork and related forking APIs will no
      longer warn in the common case where Linux or macOS
      platform APIs return the number of threads in a process and
      find the answer to be 1 even when an os.register_at_fork()
      after_in_parent= callback (re)starts a thread.
    - gh-141314: Fix assertion failure in io.TextIOWrapper.tell()
      when reading files with standalone carriage return (\r)
      line endings.
    - gh-141311: Fix assertion failure in io.BytesIO.readinto()
      and undefined behavior arising when read position is above
      capacity in io.BytesIO.
    - gh-141141: Fix a thread safety issue with
      base64.b85decode(). Contributed by Benel Tayar.
    - gh-140911: collections: Ensure that the methods
      UserString.rindex() and UserString.index() accept
      collections.UserString instances as the sub argument.
    - gh-140797: The undocumented re.Scanner class now forbids
      regular expressions containing capturing groups in its
      lexicon patterns. Patterns using capturing groups could
      previously lead to crashes with segmentation fault. Use
      non-capturing groups (?:…) instead.
    - gh-140815: faulthandler now detects if a frame or a code
      object is invalid or freed. Patch by Victor Stinner.
    - gh-100218: Correctly set errno when socket.if_nametoindex()
      or socket.if_indextoname() raise an OSError. Patch by
      Bénédikt Tran.
    - gh-140875: Fix handling of unclosed character references
      (named and numerical) followed by the end of file in
      html.parser.HTMLParser with convert_charrefs=False.
    - gh-140734: multiprocessing: fix off-by-one error when
      checking the length of a temporary socket file path. Patch
      by Bénédikt Tran.
    - gh-140874: Bump the version of pip bundled in ensurepip to
      version 25.3
    - gh-140691: In urllib.request, when opening a FTP URL fails
      because a data connection cannot be made, the control
      connection’s socket is now closed to avoid
      a ResourceWarning.
    - gh-103847: Fix hang when cancelling process created by
      asyncio.create_subprocess_exec() or
      asyncio.create_subprocess_shell(). Patch by Kumar Aditya.
    - gh-140590: Fix arguments checking for the
      functools.partial.__setstate__() that may lead to internal
      state corruption and crash. Patch by Sergey Miryanov.
    - gh-140634: Fix a reference counting bug in
      os.sched_param.__reduce__().
    - gh-140633: Ignore AttributeError when setting a module’s
      __file__ attribute when loading an extension module
      packaged as Apple Framework.
    - gh-140593: xml.parsers.expat: Fix a memory leak that could
      affect users with ElementDeclHandler() set to a custom
      element declaration handler. Patch by Sebastian Pipping.
    - gh-140607: Inside io.RawIOBase.read(), validate that the
      count of bytes returned by io.RawIOBase.readinto() is valid
      (inside the provided buffer).
    - gh-138162: Fix logging.LoggerAdapter with merge_extra=True
      and without the extra argument.
    - gh-140474: Fix memory leak in array.array when creating
      arrays from an empty str and the u type code.
    - gh-140272: Fix memory leak in the clear() method of the
      dbm.gnu database.
    - gh-140041: Fix import of ctypes on Android and Cygwin when
      ABI flags are present.
    - gh-139905: Add suggestion to error message for
      typing.Generic subclasses when cls.__parameters__ is
      missing due to a parent class failing to call
      super().__init_subclass__() in its __init_subclass__.
    - gh-139845: Fix to not print KeyboardInterrupt twice in
      default asyncio REPL.
    - gh-139783: Fix inspect.getsourcelines() for the case when
      a decorator is followed by a comment or an empty line.
    - gh-70765: http.server: fix default handling of HTTP/0.9
      requests in BaseHTTPRequestHandler. Previously,
      BaseHTTPRequestHandler.parse_request() incorrectly waited
      for headers in the request although those are not supported
      in HTTP/0.9. Patch by Bénédikt Tran.
    - gh-139391: Fix an issue when, on non-Windows platforms, it
      was not possible to gracefully exit a python -m asyncio
      process suspended by Ctrl+Z and later resumed by fg other
      than with kill.
    - gh-101828: Fix 'shift_jisx0213', 'shift_jis_2004',
      'euc_jisx0213' and 'euc_jis_2004' codecs truncating null
      chars as they were treated as part of multi-character
      sequences.
    - gh-139246: fix: paste zero-width in default repl width is
      wrong.
    - gh-90949: Add SetAllocTrackerActivationThreshold() and
      SetAllocTrackerMaximumAmplification() to xmlparser objects
      to prevent use of disproportional amounts of dynamic memory
      from within an Expat parser. Patch by Bénédikt Tran.
    - gh-139065: Fix trailing space before a wrapped long word if
      the line length is exactly width in textwrap.
    - gh-138993: Dedent credits text.
    - gh-138859: Fix generic type parameterization raising
      a TypeError when omitting a ParamSpec that has a default
      which is not a list of types.
    - gh-138775: Use of python -m with base64 has been fixed to
      detect input from a terminal so that it properly notices
      EOF.
    - gh-98896: Fix a failure in multiprocessing resource_tracker
      when SharedMemory names contain colons. Patch by Rani
      Pinchuk.
    - gh-75989: tarfile.TarFile.extractall() and
      tarfile.TarFile.extract() now overwrite symlinks when
      extracting hardlinks. (Contributed by Alexander Enrique
      Urieles Nieto in gh-75989.)
    - gh-83424: Allows creating a ctypes.CDLL without name when
      passing a handle as an argument.
    - gh-136234: Fix asyncio.WriteTransport.writelines() to be
      robust to connection failure, by using the same behavior as
      write().
    - gh-136057: Fixed the bug in pdb and bdb where next and step
      can’t go over the line if a loop exists in the line.
    - gh-135307: email: Fix exception in set_content() when
      encoding text and max_line_length is set to 0 or None
      (unlimited).
    - gh-134453: Fixed subprocess.Popen.communicate() input=
      handling of memoryview instances that were non-byte shaped
      on POSIX platforms. Those are now properly cast to a byte
      shaped view instead of truncating the input. Windows
      platforms did not have this bug.
    - gh-102431: Clarify constraints for “logical” arguments in
      methods of decimal.Context.
- IDLE
    - gh-96491: Deduplicate version number in IDLE shell title
      bar after saving to a file.
- Documentation
    - gh-141994: xml.sax.handler: Make Documentation of
      xml.sax.handler.feature_external_ges warn of opening up to
      external entity attacks. Patch by Sebastian Pipping.
    - gh-140578: Remove outdated sentence in the documentation
      for multiprocessing, that implied that
      concurrent.futures.ThreadPoolExecutor did not exist.
- Core and Builtins
    - gh-142048: Fix quadratically increasing garbage collection
      delays in free-threaded build.
    - gh-141930: When importing a module, use Python’s regular
      file object to ensure that writes to .pyc files are
      complete or an appropriate error is raised.
    - gh-120158: Fix inconsistent state when enabling or
      disabling monitoring events too many times.
    - gh-141579: Fix sys.activate_stack_trampoline() to properly
      support the perf_jit backend. Patch by Pablo Galindo.
    - gh-141312: Fix the assertion failure in the __setstate__
      method of the range iterator when a non-integer argument is
      passed. Patch by Sergey Miryanov.
    - gh-140939: Fix memory leak when bytearray or bytes is
      formatted with the %*b format with a large width that results
      in a MemoryError.
    - gh-140530: Fix a reference leak when raise exc from cause
      fails. Patch by Bénédikt Tran.
    - gh-140576: Fixed crash in tokenize.generate_tokens() in
      case of specific incorrect input. Patch by Mikhail Efimov.
    - gh-140551: Fixed crash in dict if dict.clear() is called at
      the lookup stage. Patch by Mikhail Efimov and Inada Naoki.
    - gh-140471: Fix potential buffer overflow in ast.AST node
      initialization when encountering malformed _fields
      containing non-str.
    - gh-140406: Fix memory leak when an object’s __hash__()
      method returns an object that isn’t an int.
    - gh-140306: Fix memory leaks in cross-interpreter channel
      operations and shared namespace handling.
    - gh-140301: Fix memory leak of PyConfig in subinterpreters.
    - gh-140000: Fix potential memory leak when a reference cycle
      exists between an instance of typing.TypeAliasType,
      typing.TypeVar, typing.ParamSpec, or typing.TypeVarTuple
      and its __name__ attribute. Patch by Mikhail Efimov.
    - gh-139748: Fix reference leaks in error branches of
      functions accepting path strings or bytes such as compile()
      and os.system(). Patch by Bénédikt Tran.
    - gh-139516: Fix lambda colon erroneously starting a format
      spec in f-string in tokenizer.
    - gh-139640: Fix swallowing some syntax warnings in different
      modules if they accidentally have the same message and are
      emitted from the same line. Fix duplicated warnings in the
      finally block.
    - gh-137400: Fix a crash in the free threading build when
      disabling profiling or tracing across all threads with
      PyEval_SetProfileAllThreads() or
      PyEval_SetTraceAllThreads() or their Python equivalents
      threading.settrace_all_threads() and
      threading.setprofile_all_threads().
    - gh-133400: Fixed Ctrl+D (^D) behavior in _pyrepl module to
      match old pre-3.13 REPL behavior.
- C API
    - gh-140042: Removed the sqlite3_shutdown call that could
      cause closing connections for sqlite when used with
      multiple sub interpreters.
    - gh-140487: Fix Py_RETURN_NOTIMPLEMENTED in limited C API
      3.11 and older: don’t treat Py_NotImplemented as immortal.
      Patch by Victor Stinner.

- Update to 3.13.9:

  - Library
    - gh-139783: Fix inspect.getsourcelines() for the case when a
      decorator is followed by a comment or an empty line.

- Update to 3.13.8:

  - Tools/Demos
    - gh-139330: SBOM generation tool didn’t cross-check the version
      and checksum values against the Modules/expat/refresh.sh script,
      leading to the values becoming out-of-date during routine
      updates.
    - gh-137873: The iOS test runner has been simplified, resolving
      some issues that have been observed using the runner in GitHub
      Actions and Azure Pipelines test environments.
  - Tests
    - gh-139208: Fix regrtest --fast-ci --verbose: don’t ignore the
      --verbose option anymore. Patch by Victor Stinner.
  - Security
    - gh-139400: xml.parsers.expat: Make sure that parent Expat
      parsers are only garbage-collected once they are no longer
      referenced by subparsers created by
      ExternalEntityParserCreate(). Patch by Sebastian Pipping.
    - gh-139283: sqlite3: correctly handle maximum number of rows to
      fetch in Cursor.fetchmany and reject negative values for
      Cursor.arraysize. Patch by Bénédikt Tran.
    - gh-135661: Fix CDATA section parsing in html.parser.HTMLParser
      according to the HTML5 standard: ] ]> and ]] > no longer end the
      CDATA section. Add private method _set_support_cdata() which can
      be used to specify how to parse <[CDATA[ — as a CDATA section in
      foreign content (SVG or MathML) or as a bogus comment in the
      HTML namespace.
  - Library
    - gh-139312: Upgrade bundled libexpat to 2.7.3
    - gh-139289: Do a real lazy-import on rlcompleter in pdb and
      restore the existing completer after importing rlcompleter.
    - gh-139210: Fix use-after-free when reporting unknown event in
      xml.etree.ElementTree.iterparse(). Patch by Ken Jin.
    - gh-138860: Lazy import rlcompleter in pdb to avoid deadlock in
      subprocess.
    - gh-112729: Fix crash when calling _interpreters.create when the
      process is out of memory.
    - gh-139076: Fix a bug in the pydoc module that was hiding
      functions in a Python module if they were implemented in an
      extension module and the module did not have __all__.
    - gh-138998: Update bundled libexpat to 2.7.2
    - gh-130567: Fix possible crash in locale.strxfrm() due to a
      platform bug on macOS.
    - gh-138779: Support device numbers larger than 2**63-1 for the
      st_rdev field of the os.stat_result structure.
    - gh-128636: Fix crash in PyREPL when os.environ is overwritten
      with an invalid value for mac
    - gh-88375: Fix normalization of the robots.txt rules and URLs in
      the urllib.robotparser module. No longer ignore trailing ?.
      Distinguish raw special characters ?, = and & from the
      percent-encoded ones.
    - gh-138515: email is added to Emscripten build.
    - gh-111788: Fix parsing errors in the urllib.robotparser module.
      Don’t fail trying to parse weird paths. Don’t fail trying to
      decode non-UTF-8 robots.txt files.
    - gh-138432: zoneinfo.reset_tzpath() will now convert any
      os.PathLike objects it receives into strings before adding them
      to TZPATH. It will raise TypeError if anything other than a
      string is found after this conversion. If given an os.PathLike
      object that represents a relative path, it will now raise
      ValueError instead of TypeError, and present a more informative
      error message.
    - gh-138008: Fix segmentation faults in the ctypes module due to
      invalid argtypes. Patch by Dung Nguyen.
    - gh-60462: Fix locale.strxfrm() on Solaris (and possibly other
      platforms).
    - gh-138204: Forbid expansion of shared anonymous memory maps on
      Linux, which caused a bus error.
    - gh-138010: Fix an issue where defining a class with a
      @warnings.deprecated-decorated base class may not invoke the
      correct __init_subclass__() method in cases involving multiple
      inheritance. Patch by Brian Schubert.
    - gh-138133: Prevent infinite traceback loop when sending CTRL^C
      to Python through strace.
    - gh-134869: Fix an issue where pressing Ctrl+C during tab
      completion in the REPL would leave the autocompletion menu in a
      corrupted state.
    - gh-137317: inspect.signature() now correctly handles classes
      that use a descriptor on a wrapped __init__() or __new__()
      method. Contributed by Yongyu Yan.
    - gh-137754: Fix import of the zoneinfo module if the C
      implementation of the datetime module is not available.
    - gh-137490: Handle ECANCELED in the same way as EINTR in
      signal.sigwaitinfo() on NetBSD.
    - gh-137477: Fix inspect.getblock(), inspect.getsourcelines() and
      inspect.getsource() for generator expressions.
    - gh-137017: Fix threading.Thread.is_alive to remain True until
      the underlying OS thread is fully cleaned up. This avoids false
      negatives in edge cases involving thread monitoring or premature
      threading.Thread.is_alive calls.
    - gh-136134: SMTP.auth_cram_md5() now raises an SMTPException
      instead of a ValueError if Python has been built without MD5
      support. In particular, SMTP clients will not attempt to use
      this method even if the remote server is assumed to support it.
      Patch by Bénédikt Tran.
    - gh-136134: IMAP4.login_cram_md5 now raises an IMAP4.error if
      CRAM-MD5 authentication is not supported. Patch by Bénédikt
      Tran.
    - gh-135386: Fix opening a dbm.sqlite3 database for reading from
      read-only file or directory.
    - gh-126631: Fix multiprocessing forkserver bug which prevented
      __main__ from being preloaded.
    - gh-123085: In a bare call to importlib.resources.files(), ensure
      the caller’s frame is properly detected when importlib.resources
      is itself available as a compiled module only (no source).
    - gh-118981: Fix potential hang in
      multiprocessing.popen_spawn_posix that can happen when the child
      proc dies early by closing the child fds right away.
    - gh-78319: UTF8 support for the IMAP APPEND command has been made
      RFC compliant.
    - bpo-38735: Fix failure when importing a module from the root
      directory on unix-like platforms with sys.pycache_prefix set.
    - bpo-41839: Allow negative priority values from
      os.sched_get_priority_min() and os.sched_get_priority_max()
      functions.
  - Core and Builtins
    - gh-134466: Don’t run PyREPL in a degraded environment where
      setting termios attributes is not allowed.
    - gh-71810: Raise OverflowError for (-1).to_bytes() for signed
      conversions when bytes count is zero. Patch by Sergey B
      Kirpichev.
    - gh-105487: Remove non-existent __copy__(), __deepcopy__(), and
      __bases__ from the __dir__() entries of types.GenericAlias.
    - gh-134163: Fix a hang when the process is out of memory inside
      an exception handler.
    - gh-138479: Fix a crash when a generic object’s __typing_subst__
      returns an object that isn’t a tuple.
    - gh-137576: Fix for incorrect source code being shown in
      tracebacks from the Basic REPL when PYTHONSTARTUP is given.
      Patch by Adam Hartz.
    - gh-132744: Certain calls now check for runaway recursion and
      respect the system recursion limit.
  - C API
    - gh-87135: Attempting to acquire the GIL after runtime
      finalization has begun in a different thread now causes the
      thread to hang rather than terminate, which avoids potential
      crashes or memory corruption caused by attempting to terminate a
      thread that is running code not specifically designed to support
      termination. In most cases this hanging is harmless since the
      process will soon exit anyway.
      While not officially marked deprecated until 3.14,
      PyThread_exit_thread is no longer called internally and remains
      solely for interface compatibility. Its behavior is inconsistent
      across platforms, and it can only be used safely in the unlikely
      case that every function in the entire call stack has been
      designed to support the platform-dependent termination
      mechanism. It is recommended that users of this function change
      their design to not require thread termination. In the unlikely
      case that thread termination is needed and can be done safely,
      users may migrate to calling platform-specific APIs such as
      pthread_exit (POSIX) or _endthreadex (Windows) directly.
  - Build
    - gh-135734: Python can correctly be configured and built with
      ./configure --enable-optimizations --disable-test-modules.
      Previously, the profile data generation step failed due to PGO
      tests where immortalization couldn’t be properly suppressed.


- Update to 3.13.7:

  - gh-137583: Fix a deadlock introduced in 3.13.6 when a call
    to ssl.SSLSocket.recv was blocked in one thread, and then
    another method on the object (such as ssl.SSLSocket.send) was
    subsequently called in another thread.
  - gh-137044: Return large limit values as positive integers
    instead of negative integers in resource.getrlimit().
    Accept large values and reject negative values (except
    RLIM_INFINITY) for limits in resource.setrlimit().
  - gh-136914: Fix retrieval of doctest.DocTest.lineno
    for objects decorated with functools.cache() or
    functools.cached_property.
  - gh-131788: Make ResourceTracker.send from multiprocessing
    re-entrant safe
  - gh-136155: We are now checking for fatal errors in EPUB
    builds in CI.
  - gh-137400: Fix a crash in the free threading build when
    disabling profiling or tracing across all threads with
    PyEval_SetProfileAllThreads() or PyEval_SetTraceAllThreads()
    or their Python equivalents threading.settrace_all_threads()
    and threading.setprofile_all_threads().


- Update to 3.13.6:

  - Security
    - gh-135661: Fix parsing start and end tags in
      html.parser.HTMLParser according to the HTML5 standard.
    - gh-102555: Fix comment parsing in html.parser.HTMLParser
      according to the HTML5 standard.
    - CVE-2025-6069: Fix quadratic complexity in processing specially
      crafted input in html.parser.HTMLParser. End-of-file errors
      are now handled according to the HTML5 specs – comments and
      declarations are automatically closed, tags are ignored
      (gh-135462, bsc#1244705).
    - CVE-2025-8194: tarfile now validates archives to ensure member
      offsets are non-negative. (gh-130577, bsc#1247249).
    - gh-118350: Fix support of escapable raw text mode (elements
      “textarea” and “title”) in html.parser.HTMLParser.
  - Core and Builtins
    - gh-58124: Fix name of the Python encoding in Unicode errors
      of the code page codec: use “cp65000” and “cp65001” instead
      of “CP_UTF7” and “CP_UTF8” which are not valid Python code
      names. Patch by Victor Stinner.
    - gh-137314: Fixed a regression where raw f-strings
      incorrectly interpreted escape sequences in format
      specifications. Raw f-strings now properly preserve literal
      backslashes in format specs, matching the behavior from
      Python 3.11. For example, rf'{obj:\xFF}' now correctly
      produces '\\xFF' instead of 'ÿ'. Patch by Pablo Galindo.
    - gh-136541: Fix some issues with the perf trampolines
      on x86-64 and aarch64. The trampolines were not being
      generated correctly for some cases, which could lead to
      the perf integration not working correctly. Patch by Pablo
      Galindo.
    - gh-109700: Fix memory error handling in
      PyDict_SetDefault().
    - gh-78465: Fix error message for cls.__new__(cls, ...) where
      cls is not instantiable builtin or extension type (with
      tp_new set to NULL).
    - gh-135871: Non-blocking mutex lock attempts now return
      immediately when the lock is busy instead of briefly
      spinning in the free threading build.
    - gh-135607: Fix potential weakref races in an object’s
      destructor on the free threaded build.
    - gh-135496: Fix typo in the f-string conversion type error
      (“exclamanation” -> “exclamation”).
    - gh-130077: Properly raise custom syntax errors when
      incorrect syntax containing names that are prefixes of soft
      keywords is encountered. Patch by Pablo Galindo.
    - gh-135148: Fixed a bug where f-string debug expressions
      (using =) would incorrectly strip out parts of strings
      containing escaped quotes and # characters. Patch by Pablo
      Galindo.
    - gh-133136: Limit excess memory usage in the free threading
      build when a large dictionary or list is resized and
      accessed by multiple threads.
    - gh-132617: Fix dict.update() modification check that could
      incorrectly raise a “dict mutated during update” error when
      a different dictionary was modified that happens to share
      the same underlying keys object.
    - gh-91153: Fix a crash when a bytearray is concurrently
      mutated during item assignment.
    - gh-127971: Fix off-by-one read beyond the end of a string
      in string search.
    - gh-125723: Fix crash with gi_frame.f_locals when generator
      frames outlive their generator. Patch by Mikhail Efimov.
  - Library
    - gh-132710: If possible, ensure that uuid.getnode()
      returns the same result even across different processes.
      Previously, the result was constant only within the same
      process. Patch by Bénédikt Tran.
    - gh-137273: Fix debug assertion failure in
      locale.setlocale() on Windows.
    - gh-137257: Bump the version of pip bundled in ensurepip to
      version 25.2
    - gh-81325: tarfile.TarFile now accepts a path-like when
      working on a tar archive. (Contributed by Alexander Enrique
      Urieles Nieto in gh-81325.)
    - gh-130522: Fix unraisable TypeError raised during
      interpreter shutdown in the threading module.
    - gh-136549: Fix signature of threading.excepthook().
    - gh-136523: Fix wave.Wave_write emitting an unraisable when
      open raises.
    - gh-52876: Add missing keepends (default True)
      parameter to codecs.StreamReaderWriter.readline() and
      codecs.StreamReaderWriter.readlines().
    - gh-85702: If zoneinfo._common.load_tzdata is given a
      package without a resource a zoneinfo.ZoneInfoNotFoundError
      is raised rather than a PermissionError. Patch by Victor
      Stinner.
    - gh-134759: Fix UnboundLocalError in
      email.message.Message.get_payload() when the payload to
      decode is a bytes object. Patch by Kliment Lamonov.
    - gh-136028: Fix parsing month names containing “İ” (U+0130,
      LATIN CAPITAL LETTER I WITH DOT ABOVE) in time.strptime().
      This affects locales az_AZ, ber_DZ, ber_MA and crh_UA.
    - gh-135995: In the palmos encoding, make byte 0x9b decode to
      › (U+203A - SINGLE RIGHT-POINTING ANGLE QUOTATION MARK).
    - gh-53203: Fix time.strptime() for %c and %x formats on
      locales byn_ER, wal_ET and lzh_TW, and for %X format on
      locales ar_SA, bg_BG and lzh_TW.
    - gh-91555: An earlier change, which was introduced in
      3.13.4, has been reverted. It disabled logging for a logger
      during handling of log messages for that logger. Since the
      reversion, the behaviour should be as it was before 3.13.4.
    - gh-135878: Fixes a crash of types.SimpleNamespace on free
      threading builds, when several threads were calling its
      __repr__() method at the same time.
    - gh-135836: Fix IndexError in
      asyncio.loop.create_connection() that could occur when
      a non-OSError exception is raised during connection and
      socket’s close() raises OSError.
    - gh-135836: Fix IndexError in
      asyncio.loop.create_connection() that could occur when the
      Happy Eyeballs algorithm resulted in an empty exceptions
      list during connection attempts.
    - gh-135855: Raise TypeError instead of SystemError when
      _interpreters.set___main___attrs() is passed a non-dict
      object. Patch by Brian Schubert.
    - gh-135815: netrc: skip security checks if os.getuid() is
      missing. Patch by Bénédikt Tran.
    - gh-135640: Address bug where it was possible to call
      xml.etree.ElementTree.ElementTree.write() on an ElementTree
      object with an invalid root element. This behavior blanked
      the file passed to write if it already existed.
    - gh-135444: Fix asyncio.DatagramTransport.sendto() to
      account for datagram header size when data cannot be sent.
    - gh-135497: Fix os.getlogin() failing for longer usernames
      on BSD-based platforms.
    - gh-135487: Fix reprlib.Repr.repr_int() when given integers
      with more than sys.get_int_max_str_digits() digits. Patch
      by Bénédikt Tran.
    - gh-135335: multiprocessing: Flush stdout and stderr after
      preloading modules in the forkserver.
    - gh-135244: uuid: when the MAC address cannot be
      determined, the 48-bit node ID is now generated with a
      cryptographically-secure pseudo-random number generator
      (CSPRNG) as per RFC 9562, §6.10.3. This affects uuid1().
    - gh-135069: Fix the “Invalid error handling” exception in
      encodings.idna.IncrementalDecoder to correctly replace the
      ‘errors’ parameter.
    - gh-134698: Fix a crash when calling methods of
      ssl.SSLContext or ssl.SSLSocket across multiple threads.
    - gh-132124: On POSIX-compliant systems,
      multiprocessing.util.get_temp_dir() now ignores TMPDIR
      (and similar environment variables) if the path length of
      AF_UNIX socket files exceeds the platform-specific maximum
      length when using the forkserver start method. Patch by
      Bénédikt Tran.
    - gh-133439: Fix dot commands with trailing spaces being
      mistaken for multi-line SQL statements in the sqlite3
      command-line interface.
    - gh-132969: Prevent the ProcessPoolExecutor executor thread,
      which remains running when shutdown(wait=False), from
      attempting to adjust the pool’s worker processes after
      the object state has already been reset during shutdown.
      A combination of conditions, including a worker process
      having terminated abnormally, resulted in an exception and
      a potential hang when the still-running executor thread
      attempted to replace dead workers within the pool.
    - gh-130664: Support the '_' digit separator in formatting
      of the integral part of Decimal’s. Patch by Sergey B
      Kirpichev.
    - gh-85702: If zoneinfo._common.load_tzdata is given a
      package without a resource a ZoneInfoNotFoundError is
      raised rather than an IsADirectoryError.
    - gh-130664: Handle corner-case for Fraction’s formatting:
      treat zero-padding (preceding the width field by a zero
      ('0') character) as an equivalent to a fill character of
      '0' with an alignment type of '=', just as in case of
      float’s.
  - Tools/Demos
    - gh-135968: Stubs for strip are now provided as part of an
      iOS install.
  - Tests
    - gh-135966: The iOS testbed now handles the app_packages
      folder as a site directory.
    - gh-135494: Fix regrtest to support excluding tests from
      --pgo tests. Patch by Victor Stinner.
    - gh-135489: Show verbose output for failing tests during PGO
      profiling step with --enable-optimizations.
  - Documentation
    - gh-135171: Document that the iterator for the leftmost for
      clause in the generator expression is created immediately.
  - Build
    - gh-135497: Fix the detection of MAXLOGNAME in the
      configure.ac script.

-----------------------------------------------------------------
Advisory ID: 183
Released:    Fri Jan 23 10:02:18 2026
Summary:     Recommended update for supportutils
Type:        recommended
Severity:    important
References:  1232351,1245667,1246011,1246025,1249657,1250224,1252318,1254425
This update for supportutils fixes the following issues:

- Optimized lsof usage and honors OPTION_OFILES (bsc#1232351)
- Run in containers without errors (bsc#1245667)
- Removed pmap PID from memory.txt (bsc#1246011)
- Added missing /proc/pagetypeinfo to memory.txt (bsc#1246025)
- Improved database perforce with kGraft patching (bsc#1249657)
- Using last boot for journalctl for optimization (bsc#1250224)
- Fixed extraction failures (bsc#1252318)
- Update supportconfig.conf path in docs (bsc#1254425)
- drm_sub_info: Catch error when dir doesn't exist
- Replace remaining `egrep` with `grep -E`
- Add process affinity to slert logs
- Reintroduce cgroup statistics (and v2)
- Minor changes to basic-health-check: improve information level
- Collect important machine health counters
- powerpc: collect hot-pluggable PCI and PHB slots
- podman: collect podman disk usage
- Exclude binary files in crondir
- kexec/kdump: collect everything under /sys/kernel/kexec dir
- Use short-iso for journalctl

-----------------------------------------------------------------
Advisory ID: 186
Released:    Fri Jan 23 15:16:57 2026
Summary:     Recommended update for man
Type:        recommended
Severity:    moderate
References:  1240874
This update for man fixes the following issues:

- Do not mask out the already existing %ghost file entry
- Extend tmpfiles template man-db.conf (jsc#PED-14862)
    * Create cache directories with systemd tmpfiles service
- Update to man-db 2.13.1:
    * Update various manual page translations.
    * Fix various minor formatting issues in manual pages.
    * Tolerate additional spaces in preprocessor strings.
    * Fix check for generated source files in out-of-tree builds.
    * Fix building with the `musl` C library.
    * Recognize another Ukrainian translation of the `NAME` section.
    * Increase the maximum size of the `NAME` section from 8192 to 16384 bytes.
- Port patches
- Avoid latest gettextize as it breaks build now
- If a section is specified do not show the list (bsc#1240874)
- Wait 15 seconds instead of 7 for a choice
- Explicitly mention `export' instead of `set' for MAN_POSIXLY_CORRECT

-----------------------------------------------------------------
Advisory ID: 221
Released:    Thu Jan 29 17:14:38 2026
Summary:     Security update for gpg2
Type:        security
Severity:    important
References:  1256389,1257395,1257396,CVE-2026-24882,CVE-2026-24883
This update for gpg2 fixes the following issues:

- CVE-2026-24882: stack-based buffer overflow in TPM2 PKDECRYPT for TPM-backed RSA and ECC keys (bsc#1257396).
- CVE-2026-24883: denial of service due to long signature packet length causing parse_signature to return success with sig->data[] set to a NULL value (bsc#1257395).
- gpg.fail/filename: GnuPG Accepts Path Separators and Path Traversals in Literal Data 'Filename' Field (bsc#1256389).

-----------------------------------------------------------------
Advisory ID: 218
Released:    Thu Jan 29 18:44:57 2026
Summary:     Security update for glibc
Type:        security
Severity:    important
References:  1236282,1256436,1256766,1256822,1257005,CVE-2025-0395,CVE-2025-15281,CVE-2026-0861,CVE-2026-0915
This update for glibc fixes the following issues:

Security fixes:

- CVE-2025-0395: Fixed buffer overflow in the assert() function (bsc#1236282).
- CVE-2026-0861: Fixed inadequate size check in the memalign suite that may result in an integer overflow (bsc#1256766).
- CVE-2026-0915: Fixed uninitialized stack buffer used as DNS query name when net==0 in _nss_dns_getnetbyaddr_r (bsc#1256822).
- CVE-2025-15281: Fixed uninitialized memory that may cause the process to abort (bsc#1257005).

Other fixes:

- NPTL: Optimize trylock for high cache contention workloads (bsc#1256436)


The following package changes have been done:

- curl-8.14.1-160000.4.1 updated
- file-5.46-160000.2.2 added
- findutils-4.10.0-160000.2.2 added
- glibc-locale-base-2.40-160000.3.1 updated
- glibc-locale-2.40-160000.3.1 updated
- glibc-2.40-160000.3.1 updated
- gpg2-2.5.5-160000.4.1 updated
- libcurl-mini4-8.14.1-160000.4.1 updated
- libpcap1-1.10.5-160000.4.1 updated
- libpython3_13-1_0-3.13.11-160000.1.1 updated
- libseccomp2-2.6.0-160000.2.2 added
- man-2.13.1-160000.1.1 updated
- python313-base-3.13.11-160000.1.1 updated
- supportutils-3.2.12.2-160000.1.1 updated
- iproute2-6.12-160000.2.2 removed
- libbpf1-1.6.1-160000.1.2 removed
- libmnl0-1.0.5-160000.2.2 removed
- libxtables12-1.8.11-160000.2.2 removed
- which-2.23-160000.2.2 removed

