SUSE-CU-2026:4808-1: Security update of suse/manager/4.3/proxy-httpd

sle-container-updates at lists.suse.com sle-container-updates at lists.suse.com
Fri May 8 08:14:43 UTC 2026 

SUSE Container Update Advisory: suse/manager/4.3/proxy-httpd
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:4808-1
Container Tags        : suse/manager/4.3/proxy-httpd:4.3.17 , suse/manager/4.3/proxy-httpd:4.3.17.9.76.17 , suse/manager/4.3/proxy-httpd:latest
Container Release     : 9.76.17
Severity              : important
Type                  : security
References            : 1259611 1259734 1259735 1259989 1260026 1261969 1261970 1262098
                        1262319 1262654 CVE-2025-13462 CVE-2026-1502 CVE-2026-3446 CVE-2026-3479
                        CVE-2026-3644 CVE-2026-4224 CVE-2026-4519 CVE-2026-4786 CVE-2026-6019
                        CVE-2026-6100 
-----------------------------------------------------------------

The container suse/manager/4.3/proxy-httpd was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:1715-1
Released:    Wed May  6 14:09:30 2026
Summary:     Security update for python3
Type:        security
Severity:    important
References:  1259611,1259734,1259735,1259989,1260026,1261969,1261970,1262098,1262319,1262654,CVE-2025-13462,CVE-2026-1502,CVE-2026-3446,CVE-2026-3479,CVE-2026-3644,CVE-2026-4224,CVE-2026-4519,CVE-2026-4786,CVE-2026-6019,CVE-2026-6100
This update for python3 fixes the following issues:

- CVE-2025-13462: incorrect parsing of TarInfo when GNU long name and type AREGTYPE are combined can lead to
  misinterpretation of tar archives (bsc#1259611).
- CVE-2026-1502: HTTP client proxy tunnel headers not validated for CR/LF (bsc#1261969).
- CVE-2026-3446: base64 decoding stops at first padded quad by default and ignores other information that could be
  processed (bsc#1261970).
- CVE-2026-3479: improper resource argument validation in `pkgutil.get_data()` can lead to path traversal (bsc#1259989).
- CVE-2026-3644: incomplete control character validation in http.cookies can lead to input validation bypass
  (bsc#1259734).
- CVE-2026-4224: parsing XML with deeply nested DTD content models can lead to C stack overflow (bsc#1259735).
- CVE-2026-4519: failure to sanitize leading dashes in URLs in the `webbrowser.open()` API can lead to web browser
  command line option injection (bsc#1260026).
- CVE-2026-4786: URLs prefixed with `%action` can pass the dash-prefix safety check and allow for command injection
  (bsc#1262319).
- CVE-2026-6019: `BaseCookie.js_output()` does not neutralize characters in cookie values embedded in JS (bsc#1262654).
- CVE-2026-6100: use-after-free in `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when process is
  under memory pressure(bsc#1262098).


The following package changes have been done:

- python3-base-3.6.15-150300.10.118.1 updated
- libpython3_6m1_0-3.6.15-150300.10.118.1 updated
- python3-3.6.15-150300.10.118.1 updated

More information about the sle-container-updates mailing list