SUSE-SU-2025:20374-1: important: Security update for python311
SLE-UPDATES
null at suse.de
Wed Jun 4 16:30:43 UTC 2025
# Security update for python311
Announcement ID: SUSE-SU-2025:20374-1
Release Date: 2025-06-03T09:05:30Z
Rating: important
References:
* bsc#1210638
* bsc#1219559
* bsc#1219666
* bsc#1221854
* bsc#1225660
* bsc#1226447
* bsc#1226448
* bsc#1227378
* bsc#1227999
* bsc#1228165
* bsc#1228780
* bsc#1229596
* bsc#1229704
* bsc#1230227
* bsc#1230906
* bsc#1231795
* bsc#1232241
* bsc#1236705
* bsc#1238450
* bsc#1239210
* bsc#1241067
* bsc#1243273
Cross-References:
* CVE-2022-25236
* CVE-2023-27043
* CVE-2023-52425
* CVE-2023-6597
* CVE-2024-0397
* CVE-2024-0450
* CVE-2024-4030
* CVE-2024-4032
* CVE-2024-6232
* CVE-2024-6923
* CVE-2024-7592
* CVE-2024-8088
* CVE-2024-9287
* CVE-2025-0938
* CVE-2025-1795
* CVE-2025-4516
CVSS scores:
* CVE-2022-25236 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2022-25236 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2022-25236 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2023-27043 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
* CVE-2023-27043 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
* CVE-2023-52425 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-52425 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-6597 ( SUSE ): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2024-0397 ( SUSE ): 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
* CVE-2024-0397 ( NVD ): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H
* CVE-2024-0450 ( SUSE ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2024-0450 ( NVD ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2024-4030 ( SUSE ): 4.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
* CVE-2024-4032 ( SUSE ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2024-6232 ( SUSE ): 8.2
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2024-6232 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2024-6232 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2024-6232 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2024-6923 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
* CVE-2024-6923 ( NVD ): 5.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
* CVE-2024-7592 ( SUSE ): 2.6 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L
* CVE-2024-7592 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2024-7592 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2024-8088 ( SUSE ): 5.9
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2024-8088 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2024-9287 ( SUSE ): 5.3
CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Green
* CVE-2024-9287 ( SUSE ): 6.5 CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
* CVE-2024-9287 ( NVD ): 5.3
CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Green
* CVE-2024-9287 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-0938 ( SUSE ): 6.3
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N
* CVE-2025-0938 ( SUSE ): 4.0 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N
* CVE-2025-0938 ( NVD ): 6.3
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2025-1795 ( SUSE ): 2.3
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2025-1795 ( SUSE ): 3.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
* CVE-2025-1795 ( NVD ): 2.3
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2025-4516 ( SUSE ): 5.9
CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2025-4516 ( SUSE ): 5.1 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2025-4516 ( NVD ): 5.9
CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Affected Products:
* SUSE Linux Micro 6.1
An update that solves 16 vulnerabilities and has six fixes can now be installed.
## Description:
This update for python311 fixes the following issues:
* CVE-2025-4516: Fixed blocking DecodeError handling vulnerability, which
could lead to DoS. (bsc#1243273)
Update to 3.11.12:
* gh-105704: When using urllib.parse.urlsplit() and urllib.parse.urlparse()
host parsing would not reject domain names containing square brackets ([ and
]). Square brackets are only valid for IPv6 and IPvFuture hosts according to
RFC 3986 Section 3.2.2 (bsc#1236705, CVE-2025-0938,
gh#python/cpython#105704).
* gh-121284: Fix bug in the folding of rfc2047 encoded-words when flattening
an email message using a modern email policy. Previously when an encoded-
word was too long for a line, it would be decoded, split across lines, and
re-encoded. But commas and other special characters in the original text
could be left unencoded and unquoted. This could theoretically be used to
spoof header lines using a carefully constructed encoded-word if the
resulting rendered email was transmitted or re-parsed.
* gh-80222: Fix bug in the folding of quoted strings when flattening an email
message using a modern email policy. Previously when a quoted string was
folded so that it spanned more than one line, the surrounding quotes and
internal escapes would be omitted. This could theoretically be used to spoof
header lines using a carefully constructed quoted string if the resulting
rendered email was transmitted or re-parsed.
* gh-119511: Fix a potential denial of service in the imaplib module. When
connecting to a malicious server, it could cause an arbitrary amount of
memory to be allocated. On many systems this is harmless as unused virtual
memory is only a mapping, but if this hit a virtual address size limit it
could lead to a MemoryError or other process crash. On unusual systems or
builds where all allocated memory is touched and backed by actual ram or
storage it could’ve consumed resources doing so until similarly crashing.
* gh-127257: In ssl, system call failures that OpenSSL reports using
ERR_LIB_SYS are now raised as OSError.
* gh-121277: Writers of CPython’s documentation can now use next as the
version for the versionchanged, versionadded, deprecated directives.
* gh-106883: Disable GC during the _PyThread_CurrentFrames() and
_PyThread_CurrentExceptions() calls to avoid the interpreter to deadlock.
* CVE-2025-0938: disallow square brackets ([ and ]) in domain names for parsed
URLs (bsc#1236705, gh#python/cpython#105704)
Update to 3.11.11:
* Tools/Demos
* gh-123418: Update GitHub CI workflows to use OpenSSL 3.0.15 and multissltests to use 3.0.15, 3.1.7, and 3.2.3.
* Security
* gh-122792: Changed IPv4-mapped ipaddress.IPv6Address to consistently use the mapped IPv4 address value for deciding properties. Properties which have their behavior fixed are is_multicast, is_reserved, is_link_local, is_global, and is_unspecified.
* Library
* gh-124651: Properly quote template strings in venv activation scripts (bsc#1232241, CVE-2024-9287).
* Remove -IVendor/ from python-config bsc#1231795
* CVE-2024-9287: Properly quote path names provided when creating a virtual
environment (bsc#1232241,
* Drop .pyc files from docdir for reproducible builds (bsc#1230906).
Update to 3.11.10:
* Security
* gh-121957: Fixed missing audit events around interactive use of Python, now also properly firing for `python -i`, as well as for `python -m asyncio`. The event in question is `cpython.run_stdin`.
* gh-122133: Authenticate the socket connection for the `socket.socketpair()` fallback on platforms where `AF_UNIX` is not available like Windows. Patch by Gregory P. Smith <greg at krypto.org> and Seth Larson <seth at python.org>. Reported by Ellie <el at horse64.org>
* gh-121285: Remove backtracking from tarfile header parsing for `hdrcharset`, PAX, and GNU sparse headers (bsc#1230227, CVE-2024-6232).
* gh-118486: :func:`os.mkdir` on Windows now accepts _mode_ of `0o700` to restrict the new directory to the current user. This fixes CVE-2024-4030 affecting :func:`tempfile.mkdtemp` in scenarios where the base temporary directory is more permissive than the default.
* Library
* gh-123270: Applied a more surgical fix for malformed payloads in :class:`zipfile.Path` causing infinite loops (gh-122905) without breaking contents using legitimate characters (bsc#1229704, CVE-2024-8088).
* gh-123067: Fix quadratic complexity in parsing `"`-quoted cookie values with backslashes by :mod:`http.cookies` (bsc#1229596, CVE-2024-7592).
* gh-122905: :class:`zipfile.Path` objects now sanitize names from the zipfile.
* gh-121650: :mod:`email` headers with embedded newlines are now quoted on output. The :mod:`~email.generator` will now refuse to serialize (write) headers that are unsafely folded or delimited; see :attr:`~email.policy.Policy.verify_generated_headers`. (Contributed by Bas Bloemsaat and Petr Viktorin in :gh:`121650`; CVE-2024-6923, bsc#1228780).
* gh-119506: Fix :meth:`!io.TextIOWrapper.write` method breaks internal buffer when the method is called again during flushing internal buffer.
* gh-118643: Fix an AttributeError in the :mod:`email` module when re-fold a long address list. Also fix more cases of incorrect encoding of the address separator in the address list.
* gh-113171: Fixed various false positives and false negatives in * :attr:`ipaddress.IPv4Address.is_private` (see these docs for details) * :attr:`ipaddress.IPv4Address.is_global` * :attr:`ipaddress.IPv6Address.is_private` * :attr:`ipaddress.IPv6Address.is_global` Also in the corresponding :class:`ipaddress.IPv4Network` and :class:`ipaddress.IPv6Network` attributes. Fixes bsc#1226448 (CVE-2024-4032).
* gh-102988: :func:`email.utils.getaddresses` and :func:`email.utils.parseaddr` now return `('', '')` 2-tuples in more situations where invalid email addresses are encountered instead of potentially inaccurate values. Add optional _strict_ parameter to these two functions: use `strict=False` to get the old behavior, accept malformed inputs. `getattr(email.utils, 'supports_strict_parsing', False)` can be use to check if the _strict_ paramater is available. Patch by Thomas Dwyer and Victor Stinner to improve the CVE-2023-27043 fix (bsc#1210638).
* gh-67693: Fix :func:`urllib.parse.urlunparse` and :func:`urllib.parse.urlunsplit` for URIs with path starting with multiple slashes and no authority. Based on patch by Ashwin Ramaswami.
* Core and Builtins
* gh-112275: A deadlock involving `pystate.c`'s `HEAD_LOCK` in `posixmodule.c` at fork is now fixed. Patch by ChuBoning based on previous Python 3.12 fix by Victor Stinner.
* gh-109120: Added handle of incorrect star expressions, e.g `f(3, *)`. Patch by Grigoryev Semyon
* CVE-2024-8088: Prevent malformed payload to cause infinite loops in
zipfile.Path (bsc#1229704)
* Make pip and modern tools install directly in /usr/local when used by the
user. (bsc#1225660)
* CVE-2024-4032: Fix rearranging definition of private v global IP addresses.
(bsc#1226448)
Update to 3.11.9:
* Security
* gh-115398: Allow controlling Expat >=2.6.0 reparse deferral (CVE-2023-52425, bsc#1219559) by adding five new methods: xml.etree.ElementTree.XMLParser.flush() xml.etree.ElementTree.XMLPullParser.flush() xml.parsers.expat.xmlparser.GetReparseDeferralEnabled() xml.parsers.expat.xmlparser.SetReparseDeferralEnabled() xml.sax.expatreader.ExpatParser.flush()
* gh-115399: Update bundled libexpat to 2.6.0
* gh-115243: Fix possible crashes in collections.deque.index() when the deque is concurrently modified.
* gh-114572: ssl.SSLContext.cert_store_stats() and ssl.SSLContext.get_ca_certs() now correctly lock access to the certificate store, when the ssl.SSLContext is shared across multiple threads (bsc#1226447, CVE-2024-0397).
* Core and Builtins
* gh-116296: Fix possible refleak in object. **reduce** () internal error handling.
* gh-116034: Fix location of the error on a failed assertion.
* gh-115823: Properly calculate error ranges in the parser when raising SyntaxError exceptions caused by invalid byte sequences. Patch by Pablo Galindo
* gh-112087: For an empty reverse iterator for list will be reduced to reversed(). Patch by Donghee Na.
* gh-115011: Setters for members with an unsigned integer type now support the same range of valid values for objects that has a **index** () method as for int.
* gh-96497: Fix incorrect resolution of mangled class variables used in assignment expressions in comprehensions.
* Library
* gh-117310: Fixed an unlikely early & extra Py_DECREF triggered crash in ssl when creating a new _ssl._SSLContext if CPython was built implausibly such that the default cipher list is empty or the SSL library it was linked against reports a failure from its C SSL_CTX_set_cipher_list() API.
* gh-117178: Fix regression in lazy loading of self-referential modules, introduced in gh-114781.
* gh-117084: Fix zipfile extraction for directory entries with the name containing backslashes on Windows.
* gh-117110: Fix a bug that prevents subclasses of typing.Any to be instantiated with arguments. Patch by Chris Fu.
* gh-90872: On Windows, subprocess.Popen.wait() no longer calls WaitForSingleObject() with a negative timeout: pass 0 ms if the timeout is negative. Patch by Victor Stinner.
* gh-116957: configparser: Don’t leave ConfigParser values in an invalid state (stored as a list instead of a str) after an earlier read raised DuplicateSectionError or DuplicateOptionError.
* gh-90095: Ignore empty lines and comments in .pdbrc
* gh-116764: Restore support of None and other false values in urllib.parse functions parse_qs() and parse_qsl(). Also, they now raise a TypeError for non-zero integers and non-empty sequences.
* gh-116811: In PathFinder.invalidate_caches, delegate to MetadataPathFinder.invalidate_caches.
* gh-116600: Fix repr() for global Flag members.
* gh-116484: Change automatically generated tkinter.Checkbutton widget names to avoid collisions with automatically generated tkinter.ttk.Checkbutton widget names within the same parent widget.
* gh-116401: Fix blocking os.fwalk() and shutil.rmtree() on opening named pipe.
* gh-116143: Fix a race in pydoc _start_server, eliminating a window in which _start_server can return a thread that is “serving” but without a docserver set.
* gh-116325: typing: raise SyntaxError instead of AttributeError on forward references as empty strings.
* gh-90535: Fix support of interval values > 1 in logging.TimedRotatingFileHandler for when='MIDNIGHT' and when='Wx'.
* gh-115978: Disable preadv(), readv(), pwritev(), and writev() on WASI.
* Under wasmtime for WASI 0.2, these functions don’t pass test_posix (https://github.com/bytecodealliance/wasmtime/issues/7830).
* gh-88352: Fix the computation of the next rollover time in the logging.TimedRotatingFileHandler handler. computeRollover() now always returns a timestamp larger than the specified time and works correctly during the DST change. doRollover() no longer overwrite the already rolled over file, saving from data loss when run at midnight or during repeated time at the DST change.
* gh-87115: Set **main**. **spec** to None when running a script with pdb
* gh-76511: Fix UnicodeEncodeError in email.Message.as_string() that results when a message that claims to be in the ascii character set actually has non-ascii characters. Non-ascii characters are now replaced with the U+FFFD replacement character, like in the replace error handler.
* gh-75988: Fixed unittest.mock.create_autospec() to pass the call through to the wrapped object to return the real result.
* gh-115881: Fix issue where ast.parse() would incorrectly flag conditional context managers (such as with (x() if y else z()): ...) as invalid syntax if feature_version=(3, 8) was passed. This reverts changes to the grammar made as part of gh-94949.
* gh-115886: Fix silent truncation of the name with an embedded null character in multiprocessing.shared_memory.SharedMemory.
* gh-115809: Improve algorithm for computing which rolled-over log files to delete in logging.TimedRotatingFileHandler. It is now reliable for handlers without namer and with arbitrary deterministic namer that leaves the datetime part in the file name unmodified.
* gh-74668: urllib.parse functions parse_qs() and parse_qsl() now support bytes arguments containing raw and percent-encoded non-ASCII data.
* gh-67044: csv.writer() now always quotes or escapes '\r' and '\n', regardless of lineterminator value.
* gh-115712: csv.writer() now quotes empty fields if delimiter is a space and skipinitialspace is true and raises exception if quoting is not possible.
* gh-115618: Fix improper decreasing the reference count for None argument in property methods getter(), setter() and deleter().
* gh-115570: A DeprecationWarning is no longer omitted on access to the **doc** attributes of the deprecated typing.io and typing.re pseudo-modules.
* gh-112006: Fix inspect.unwrap() for types with the **wrapper** data descriptor.
* gh-101293: Support callables with the **call** () method and types with **new** () and **init** () methods set to class methods, static methods, bound methods, partial functions, and other types of methods and descriptors in inspect.Signature.from_callable().
* gh-115392: Fix a bug in doctest where incorrect line numbers would be reported for decorated functions.
* gh-114563: Fix several format() bugs when using the C implementation of Decimal: * memory leak in some rare cases when using the z format option (coerce negative 0) * incorrect output when applying the z format option to type F (fixed-point with capital NAN / INF) * incorrect output when applying the # format option (alternate form)
* gh-115197: urllib.request no longer resolves the hostname before checking it against the system’s proxy bypass list on macOS and Windows.
* gh-115198: Fix support of Docutils >= 0.19 in distutils.
* gh-115165: Most exceptions are now ignored when attempting to set the **orig_class** attribute on objects returned when calling typing generic aliases (including generic aliases created using typing.Annotated). Previously only AttributeError was ignored. Patch by Dave Shawley.
* gh-115133: Fix tests for XMLPullParser with Expat 2.6.0.
* gh-115059: io.BufferedRandom.read1() now flushes the underlying write buffer.
* gh-79382: Trailing ** no longer allows to match files and non-existing paths in recursive glob().
* gh-114763: Protect modules loaded with importlib.util.LazyLoader from race conditions when multiple threads try to access attributes before the loading is complete.
* gh-97959: Fix rendering class methods, bound methods, method and function aliases in pydoc. Class methods no longer have “method of builtins.type instance” note. Corresponding notes are now added for class and unbound methods. Method and function aliases now have references to the module or the class where the origin was defined if it differs from the current. Bound methods are now listed in the static methods section. Methods of builtin classes are now supported as well as methods of Python classes.
* gh-112281: Allow creating union of types for typing.Annotated with unhashable metadata.
* gh-111775: Fix importlib.resources.simple.ResourceHandle.open() for text mode, added missed stream argument.
* gh-90095: Make .pdbrc and -c work with any valid pdb commands.
* gh-107155: Fix incorrect output of help(x) where x is a lambda function, which has an **annotations** dictionary attribute with a "return" key.
* gh-105866: Fixed _get_slots bug which caused error when defining dataclasses with slots and a weakref_slot.
* gh-60346: Fix ArgumentParser inconsistent with parse_known_args.
* gh-100985: Update HTTPSConnection to consistently wrap IPv6 Addresses when using a proxy.
* gh-100884: email: fix misfolding of comma in address-lists over multiple lines in combination with unicode encoding (bsc#1238450 CVE-2025-1795)
* gh-95782: Fix io.BufferedReader.tell(), io.BufferedReader.seek(), _pyio.BufferedReader.tell(), io.BufferedRandom.tell(), io.BufferedRandom.seek() and _pyio.BufferedRandom.tell() being able to return negative offsets.
* gh-96310: Fix a traceback in argparse when all options in a mutually exclusive group are suppressed.
* gh-93205: Fixed a bug in logging.handlers.TimedRotatingFileHandler where multiple rotating handler instances pointing to files with the same name but different extensions would conflict and not delete the correct files.
* bpo-44865: Add missing call to localization function in argparse.
* bpo-43952: Fix multiprocessing.connection.Listener.accept() to accept empty bytes as authkey. Not accepting empty bytes as key causes it to hang indefinitely.
* bpo-42125: linecache: get module name from **spec** if available. This allows getting source code for the **main** module when a custom loader is used.
* gh-66543: Make mimetypes.guess_type() properly parsing of URLs with only a host name, URLs containing fragment or query, and filenames with only a UNC sharepoint on Windows. Based on patch by Dong-hee Na.
* bpo-33775: Add ‘default’ and ‘version’ help text for localization in argparse.
* Documentation
* gh-115399: Document CVE-2023-52425 of Expat <2.6.0 under “XML vulnerabilities”.
* gh-115233: Fix an example for LoggerAdapter in the Logging Cookbook.
* IDLE
* gh-88516: On macOS show a proxy icon in the title bar of editor windows to match platform behaviour.
* Tools/Demos
* gh-113516: Don’t set LDSHARED when building for WASI.
* C API
* gh-117021: Fix integer overflow in PyLong_AsPid() on non-Windows 64-bit platforms.
* Add reference to CVE-2024-0450 (bsc#1221854) to changelog.
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* SUSE Linux Micro 6.1
zypper in -t patch SUSE-SLE-Micro-6.1-128=1
## Package List:
* SUSE Linux Micro 6.1 (aarch64 ppc64le s390x x86_64)
* python311-curses-3.11.12-slfo.1.1_1.1
* python311-debuginfo-3.11.12-slfo.1.1_1.1
* python311-base-debuginfo-3.11.12-slfo.1.1_1.1
* python311-debugsource-3.11.12-slfo.1.1_1.1
* libpython3_11-1_0-3.11.12-slfo.1.1_1.1
* python311-core-debugsource-3.11.12-slfo.1.1_1.1
* libpython3_11-1_0-debuginfo-3.11.12-slfo.1.1_1.1
* python311-base-3.11.12-slfo.1.1_1.1
* python311-curses-debuginfo-3.11.12-slfo.1.1_1.1
* python311-3.11.12-slfo.1.1_1.1
## References:
* https://www.suse.com/security/cve/CVE-2022-25236.html
* https://www.suse.com/security/cve/CVE-2023-27043.html
* https://www.suse.com/security/cve/CVE-2023-52425.html
* https://www.suse.com/security/cve/CVE-2023-6597.html
* https://www.suse.com/security/cve/CVE-2024-0397.html
* https://www.suse.com/security/cve/CVE-2024-0450.html
* https://www.suse.com/security/cve/CVE-2024-4030.html
* https://www.suse.com/security/cve/CVE-2024-4032.html
* https://www.suse.com/security/cve/CVE-2024-6232.html
* https://www.suse.com/security/cve/CVE-2024-6923.html
* https://www.suse.com/security/cve/CVE-2024-7592.html
* https://www.suse.com/security/cve/CVE-2024-8088.html
* https://www.suse.com/security/cve/CVE-2024-9287.html
* https://www.suse.com/security/cve/CVE-2025-0938.html
* https://www.suse.com/security/cve/CVE-2025-1795.html
* https://www.suse.com/security/cve/CVE-2025-4516.html
* https://bugzilla.suse.com/show_bug.cgi?id=1210638
* https://bugzilla.suse.com/show_bug.cgi?id=1219559
* https://bugzilla.suse.com/show_bug.cgi?id=1219666
* https://bugzilla.suse.com/show_bug.cgi?id=1221854
* https://bugzilla.suse.com/show_bug.cgi?id=1225660
* https://bugzilla.suse.com/show_bug.cgi?id=1226447
* https://bugzilla.suse.com/show_bug.cgi?id=1226448
* https://bugzilla.suse.com/show_bug.cgi?id=1227378
* https://bugzilla.suse.com/show_bug.cgi?id=1227999
* https://bugzilla.suse.com/show_bug.cgi?id=1228165
* https://bugzilla.suse.com/show_bug.cgi?id=1228780
* https://bugzilla.suse.com/show_bug.cgi?id=1229596
* https://bugzilla.suse.com/show_bug.cgi?id=1229704
* https://bugzilla.suse.com/show_bug.cgi?id=1230227
* https://bugzilla.suse.com/show_bug.cgi?id=1230906
* https://bugzilla.suse.com/show_bug.cgi?id=1231795
* https://bugzilla.suse.com/show_bug.cgi?id=1232241
* https://bugzilla.suse.com/show_bug.cgi?id=1236705
* https://bugzilla.suse.com/show_bug.cgi?id=1238450
* https://bugzilla.suse.com/show_bug.cgi?id=1239210
* https://bugzilla.suse.com/show_bug.cgi?id=1241067
* https://bugzilla.suse.com/show_bug.cgi?id=1243273
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.suse.com/pipermail/sle-updates/attachments/20250604/fdbe4973/attachment.htm>
More information about the sle-updates
mailing list