SUSE-SU-2026:0024-1: moderate: Security update for python313
SLE-SECURITY-UPDATES
null at suse.de
Mon Jan 5 20:30:26 UTC 2026
# Security update for python313
Announcement ID: SUSE-SU-2026:0024-1
Release Date: 2026-01-05T12:10:26Z
Rating: moderate
References:
* bsc#1254400
* bsc#1254401
* bsc#1254997
Cross-References:
* CVE-2025-12084
* CVE-2025-13836
* CVE-2025-13837
CVSS scores:
* CVE-2025-12084 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2025-12084 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
* CVE-2025-12084 ( NVD ): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2025-12084 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2025-13836 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2025-13836 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2025-13836 ( NVD ): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2025-13836 ( NVD ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
* CVE-2025-13837 ( SUSE ): 2.1 CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2025-13837 ( SUSE ): 4.0 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2025-13837 ( NVD ): 2.1 CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Affected Products:
* Python 3 Module 15-SP7
* SUSE Linux Enterprise Desktop 15 SP7
* SUSE Linux Enterprise Server 15 SP7
* SUSE Linux Enterprise Server for SAP Applications 15 SP7
An update that solves three vulnerabilities can now be installed.
## Description:
This update for python313 fixes the following issues:
Update to version 3.13.11.
Security issues fixed:
* CVE-2025-12084: quadratic complexity when building nested elements using
`xml.dom.minidom` methods that depend on `_clear_id_cache()` can lead to
availability issues when building excessively nested documents
(bsc#1254997).
* CVE-2025-13836: use of `Content-Length` by default when reading an HTTP
response with no read amount specified can lead to OOM issues and DoS when a
client deals with a malicious server (bsc#1254400).
* CVE-2025-13837: data read by the plistlib module according to the size
specified by the file itself can lead to OOM issues and DoS (bsc#1254401).
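As an added example (not code from this advisory or from CPython), the client-side pattern that closes the CVE-2025-13836 failure mode regardless of interpreter version: cap what is read from an HTTP response instead of trusting the server's Content-Length. `read_capped`, `fetch`, `BodyTooLarge`, `_CannedSocket` and the three canned responses are constructed here for illustration.

```python
import http.client
import io


class BodyTooLarge(ValueError):
    """Raised instead of allocating a body larger than the caller's cap."""


def read_capped(resp, max_bytes, chunk=64 * 1024):
    """Read an http.client.HTTPResponse body without trusting the server."""
    # Reject a hostile Content-Length before any allocation happens.
    declared = resp.getheader("Content-Length")
    if declared is not None:
        if not declared.strip().isdecimal() or int(declared) > max_bytes:
            raise BodyTooLarge(f"Content-Length {declared!r} exceeds cap {max_bytes}")
    # Count bytes as they arrive so chunked or length-less bodies are capped too;
    # never request more than one byte past the cap, so no oversized buffer exists.
    buf = bytearray()
    while True:
        piece = resp.read(min(chunk, max_bytes - len(buf) + 1))
        if not piece:
            return bytes(buf)
        buf += piece
        if len(buf) > max_bytes:
            raise BodyTooLarge(f"received more than {max_bytes} bytes")


class _CannedSocket:
    """Constructed stand-in for a socket so the example runs offline."""
    def __init__(self, raw):
        self._raw = raw
    def makefile(self, mode, *_args, **_kwargs):
        return io.BytesIO(self._raw)


def fetch(raw, max_bytes):
    """Parse constructed response bytes; return ("ok", body) or ("rejected", why)."""
    resp = http.client.HTTPResponse(_CannedSocket(raw), method="GET")
    resp.begin()
    try:
        return ("ok", read_capped(resp, max_bytes))
    except BodyTooLarge as exc:
        return ("rejected", str(exc))


# Constructed sample responses; not captured from any real server.
HONEST = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"
LYING = b"HTTP/1.1 200 OK\r\nContent-Length: 99999999999\r\n\r\nhello"
OVERSIZED = b"HTTP/1.1 200 OK\r\nConnection: close\r\n\r\n" + b"x" * 2000
```

`fetch(LYING, 1024)` is rejected on the header alone, and `fetch(OVERSIZED, 1024)` is rejected after at most 1025 bytes have been buffered.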
Other updates and bugfixes:
* Version 3.13.11:
* Library
* gh-140797: Revert changes to the undocumented re.Scanner class. Capturing groups are still allowed for backward compatibility, although using them can lead to incorrect results. They will be forbidden in future Python versions.
* gh-142206: The resource tracker in the multiprocessing module now uses the original communication protocol, as in Python 3.14.0 and below, by default. This avoids issues with upgrading Python while it is running. (Note that such ‘in-place’ upgrades are not tested.) The tracker remains compatible with subprocesses that use new protocol (that is, subprocesses using Python 3.13.10, 3.14.1 and 3.15).
* Core and Builtins
* gh-142218: Fix crash when inserting into a split table dictionary with a non-str key that matches an existing key.
* Version 3.13.10:
* Security
* gh-137836: Add support of the “plaintext” element, RAWTEXT elements “xmp”, “iframe”, “noembed” and “noframes”, and optionally RAWTEXT element “noscript” in html.parser.HTMLParser.
* gh-136063: email.message: ensure linear complexity for legacy HTTP parameters parsing. Patch by Bénédikt Tran.
* Library
* gh-74389: When the stdin being used by a subprocess.Popen instance is closed, this is now ignored in subprocess.Popen.communicate() instead of leaving the class in an inconsistent state.
* gh-87512: Fix subprocess.Popen.communicate() timeout handling on Windows when writing large input. Previously, the timeout was ignored during stdin writing, causing the method to block indefinitely if the child process did not consume input quickly. The stdin write is now performed in a background thread, allowing the timeout to be properly enforced.
* gh-141473: When subprocess.Popen.communicate() was called with input and a timeout and is called for a second time after a TimeoutExpired exception before the process has died, it should no longer hang.
* gh-59000: Fix pdb breakpoint resolution for class methods when the module defining the class is not imported.
* gh-141570: Support file-like object raising OSError from fileno() in color detection (_colorize.can_colorize()). This can occur when sys.stdout is redirected.
* gh-141659: Fix bad file descriptor errors from _posixsubprocess on AIX.
* gh-141497: ipaddress: ensure that the methods IPv4Network.hosts() and IPv6Network.hosts() always return an iterator.
* gh-140938: The statistics.stdev() and statistics.pstdev() functions now raise a ValueError when the input contains an infinity or a NaN.
* gh-124111: Updated Tcl threading configuration in _tkinter to assume that threads are always available in Tcl 9 and later.
* gh-137109: The os.fork and related forking APIs will no longer warn in the common case where Linux or macOS platform APIs return the number of threads in a process and find the answer to be 1 even when an os.register_at_fork() after_in_parent= callback (re)starts a thread.
* gh-141314: Fix assertion failure in io.TextIOWrapper.tell() when reading files with standalone carriage return (\r) line endings.
* gh-141311: Fix assertion failure in io.BytesIO.readinto() and undefined behavior arising when the read position is above capacity in io.BytesIO.
* gh-141141: Fix a thread safety issue with base64.b85decode(). Contributed by Benel Tayar.
* gh-140911: collections: Ensure that the methods UserString.rindex() and UserString.index() accept collections.UserString instances as the sub argument.
* gh-140797: The undocumented re.Scanner class now forbids regular expressions containing capturing groups in its lexicon patterns. Patterns using capturing groups could previously lead to crashes with segmentation fault. Use non-capturing groups (?:…) instead.
* gh-140815: faulthandler now detects if a frame or a code object is invalid or freed. Patch by Victor Stinner.
* gh-100218: Correctly set errno when socket.if_nametoindex() or socket.if_indextoname() raise an OSError. Patch by Bénédikt Tran.
* gh-140875: Fix handling of unclosed character references (named and numerical) followed by the end of file in html.parser.HTMLParser with convert_charrefs=False.
* gh-140734: multiprocessing: fix off-by-one error when checking the length of a temporary socket file path. Patch by Bénédikt Tran.
* gh-140874: Bump the version of pip bundled in ensurepip to version 25.3.
* gh-140691: In urllib.request, when opening an FTP URL fails because a data connection cannot be made, the control connection's socket is now closed to avoid a ResourceWarning.
* gh-103847: Fix hang when cancelling process created by asyncio.create_subprocess_exec() or asyncio.create_subprocess_shell(). Patch by Kumar Aditya.
* gh-140590: Fix arguments checking for functools.partial.__setstate__() that may lead to internal state corruption and crash. Patch by Sergey Miryanov.
* gh-140634: Fix a reference counting bug in os.sched_param.__reduce__().
* gh-140633: Ignore AttributeError when setting a module's __file__ attribute when loading an extension module packaged as Apple Framework.
* gh-140593: xml.parsers.expat: Fix a memory leak that could affect users with ElementDeclHandler() set to a custom element declaration handler. Patch by Sebastian Pipping.
* gh-140607: Inside io.RawIOBase.read(), validate that the count of bytes returned by io.RawIOBase.readinto() is valid (inside the provided buffer).
* gh-138162: Fix logging.LoggerAdapter with merge_extra=True and without the extra argument.
* gh-140474: Fix memory leak in array.array when creating arrays from an empty str and the u type code.
* gh-140272: Fix memory leak in the clear() method of the dbm.gnu database.
* gh-140041: Fix import of ctypes on Android and Cygwin when ABI flags are present.
* gh-139905: Add suggestion to error message for typing.Generic subclasses when cls.__parameters__ is missing due to a parent class failing to call super().__init_subclass__() in its __init_subclass__.
* gh-139845: Fix to not print KeyboardInterrupt twice in default asyncio REPL.
* gh-139783: Fix inspect.getsourcelines() for the case when a decorator is followed by a comment or an empty line.
* gh-70765: http.server: fix default handling of HTTP/0.9 requests in BaseHTTPRequestHandler. Previously, BaseHTTPRequestHandler.parse_request() incorrectly waited for headers in the request although those are not supported in HTTP/0.9. Patch by Bénédikt Tran.
* gh-139391: Fix an issue when, on non-Windows platforms, it was not possible to gracefully exit a python -m asyncio process suspended by Ctrl+Z and later resumed by fg other than with kill.
* gh-101828: Fix 'shift_jisx0213', 'shift_jis_2004', 'euc_jisx0213' and 'euc_jis_2004' codecs truncating null chars as they were treated as part of multi-character sequences.
* gh-139246: Fix incorrect width handling when pasting zero-width characters in the default REPL.
* gh-90949: Add SetAllocTrackerActivationThreshold() and SetAllocTrackerMaximumAmplification() to xmlparser objects to prevent use of disproportional amounts of dynamic memory from within an Expat parser. Patch by Bénédikt Tran.
* gh-139065: Fix trailing space before a wrapped long word if the line length is exactly width in textwrap.
* gh-138993: Dedent credits text.
* gh-138859: Fix generic type parameterization raising a TypeError when omitting a ParamSpec that has a default which is not a list of types.
* gh-138775: Use of python -m with base64 has been fixed to detect input from a terminal so that it properly notices EOF.
* gh-98896: Fix a failure in multiprocessing resource_tracker when SharedMemory names contain colons. Patch by Rani Pinchuk.
* gh-75989: tarfile.TarFile.extractall() and tarfile.TarFile.extract() now overwrite symlinks when extracting hardlinks. (Contributed by Alexander Enrique Urieles Nieto in gh-75989.)
* gh-83424: Allows creating a ctypes.CDLL without name when passing a handle as an argument.
* gh-136234: Fix asyncio.WriteTransport.writelines() to be robust to connection failure, by using the same behavior as write().
* gh-136057: Fixed the bug in pdb and bdb where next and step can’t go over the line if a loop exists in the line.
* gh-135307: email: Fix exception in set_content() when encoding text and max_line_length is set to 0 or None (unlimited).
* gh-134453: Fixed subprocess.Popen.communicate() input= handling of memoryview instances that were non-byte shaped on POSIX platforms. Those are now properly cast to a byte shaped view instead of truncating the input. Windows platforms did not have this bug.
* gh-102431: Clarify constraints for “logical” arguments in methods of decimal.Context.
* IDLE
* gh-96491: Deduplicate version number in IDLE shell title bar after saving to a file.
* Core and Builtins
* gh-142048: Fix quadratically increasing garbage collection delays in free-threaded build.
* gh-141930: When importing a module, use Python’s regular file object to ensure that writes to .pyc files are complete or an appropriate error is raised.
* gh-120158: Fix inconsistent state when enabling or disabling monitoring events too many times.
* gh-141579: Fix sys.activate_stack_trampoline() to properly support the perf_jit backend. Patch by Pablo Galindo.
* gh-141312: Fix the assertion failure in the __setstate__ method of the range iterator when a non-integer argument is passed. Patch by Sergey Miryanov.
* gh-140939: Fix memory leak when bytearray or bytes is formatted with the %*b format with a large width that results in a MemoryError.
* gh-140530: Fix a reference leak when raise exc from cause fails. Patch by Bénédikt Tran.
* gh-140576: Fixed crash in tokenize.generate_tokens() in case of specific incorrect input. Patch by Mikhail Efimov.
* gh-140551: Fixed crash in dict if dict.clear() is called at the lookup stage. Patch by Mikhail Efimov and Inada Naoki.
* gh-140471: Fix potential buffer overflow in ast.AST node initialization when encountering malformed _fields containing non-str.
* gh-140406: Fix memory leak when an object's __hash__() method returns an object that isn't an int.
* gh-140306: Fix memory leaks in cross-interpreter channel operations and shared namespace handling.
* gh-140301: Fix memory leak of PyConfig in subinterpreters.
* gh-140000: Fix potential memory leak when a reference cycle exists between an instance of typing.TypeAliasType, typing.TypeVar, typing.ParamSpec, or typing.TypeVarTuple and its __name__ attribute. Patch by Mikhail Efimov.
* gh-139748: Fix reference leaks in error branches of functions accepting path strings or bytes such as compile() and os.system(). Patch by Bénédikt Tran.
* gh-139516: Fix lambda colon erroneously start format spec in f-string in tokenizer.
* gh-139640: Fix swallowing some syntax warnings in different modules if they accidentally have the same message and are emitted from the same line. Fix duplicated warnings in the finally block.
* gh-137400: Fix a crash in the free threading build when disabling profiling or tracing across all threads with PyEval_SetProfileAllThreads() or PyEval_SetTraceAllThreads() or their Python equivalents threading.settrace_all_threads() and threading.setprofile_all_threads().
* gh-133400: Fixed Ctrl+D (^D) behavior in _pyrepl module to match old pre-3.13 REPL behavior.
* C API
* gh-140042: Removed the sqlite3_shutdown call that could cause closing connections for sqlite when used with multiple sub interpreters.
* gh-140487: Fix Py_RETURN_NOTIMPLEMENTED in limited C API 3.11 and older: don’t treat Py_NotImplemented as immortal. Patch by Victor Stinner.
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* Python 3 Module 15-SP7
zypper in -t patch SUSE-SLE-Module-Python3-15-SP7-2026-24=1
## Package List:
* Python 3 Module 15-SP7 (aarch64 ppc64le s390x x86_64)
* python313-debugsource-3.13.11-150700.4.36.1
* python313-base-debuginfo-3.13.11-150700.4.36.1
* python313-3.13.11-150700.4.36.1
* python313-curses-3.13.11-150700.4.36.1
* python313-base-3.13.11-150700.4.36.1
* libpython3_13-1_0-debuginfo-3.13.11-150700.4.36.1
* python313-tk-3.13.11-150700.4.36.1
* python313-tools-3.13.11-150700.4.36.1
* python313-curses-debuginfo-3.13.11-150700.4.36.1
* python313-idle-3.13.11-150700.4.36.1
* python313-core-debugsource-3.13.11-150700.4.36.1
* libpython3_13-1_0-3.13.11-150700.4.36.1
* python313-debuginfo-3.13.11-150700.4.36.1
* python313-devel-3.13.11-150700.4.36.1
* python313-dbm-debuginfo-3.13.11-150700.4.36.1
* python313-tk-debuginfo-3.13.11-150700.4.36.1
* python313-dbm-3.13.11-150700.4.36.1
## References:
* https://www.suse.com/security/cve/CVE-2025-12084.html
* https://www.suse.com/security/cve/CVE-2025-13836.html
* https://www.suse.com/security/cve/CVE-2025-13837.html
* https://bugzilla.suse.com/show_bug.cgi?id=1254400
* https://bugzilla.suse.com/show_bug.cgi?id=1254401
* https://bugzilla.suse.com/show_bug.cgi?id=1254997