SUSE-SU-2025:3706-1: moderate: Security update for python313

SLE-UPDATES null at suse.de
Tue Oct 21 16:32:53 UTC 2025



# Security update for python313

Announcement ID: SUSE-SU-2025:3706-1  
Release Date: 2025-10-21T15:07:42Z  
Rating: moderate  
References:

  * bsc#1244705
  * bsc#1247249

  
Cross-References:

  * CVE-2025-6069
  * CVE-2025-8194

  
CVSS scores:

  * CVE-2025-6069 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H
  * CVE-2025-6069 ( SUSE ): 6.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H
  * CVE-2025-6069 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
  * CVE-2025-8194 ( SUSE ): 7.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
  * CVE-2025-8194 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  * CVE-2025-8194 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

  
Affected Products:

  * Python 3 Module 15-SP7
  * SUSE Linux Enterprise Desktop 15 SP7
  * SUSE Linux Enterprise Server 15 SP7
  * SUSE Linux Enterprise Server for SAP Applications 15 SP7

  
  
An update that solves two vulnerabilities can now be installed.

## Description:

This update for python313 fixes the following issues:

Update to version 3.13.7.

  * Fixes in 3.13.7:
  * gh-137583: Fix a deadlock introduced in 3.13.6 when a call to
    ssl.SSLSocket.recv was blocked in one thread, and then another method on the
    object (such as ssl.SSLSocket.send) was subsequently called in another
    thread.
  * gh-137044: Return large limit values as positive integers instead of
    negative integers in resource.getrlimit(). Accept large values and reject
    negative values (except RLIM_INFINITY) for limits in resource.setrlimit().
  * gh-136914: Fix retrieval of doctest.DocTest.lineno for objects decorated
    with functools.cache() or functools.cached_property.
  * gh-131788: Make ResourceTracker.send from multiprocessing re-entrant safe.
  * gh-136155: We are now checking for fatal errors in EPUB builds in CI.
  * gh-137400: Fix a crash in the free threading build when disabling profiling
    or tracing across all threads with PyEval_SetProfileAllThreads() or
    PyEval_SetTraceAllThreads() or their Python equivalents
    threading.settrace_all_threads() and threading.setprofile_all_threads().

  * Fixes in 3.13.6:

  * Security
    * gh-135661: Fix parsing start and end tags in html.parser.HTMLParser according to the HTML5 standard.
      * Whitespaces no longer accepted between </ and the tag name. E.g. </ script> does not end the script section.
      * Vertical tabulation (\v) and non-ASCII whitespaces no longer recognized as whitespaces. The only whitespaces are \t\n\r\f and space.
      * Null character (U+0000) no longer ends the tag name.
      * Attributes and slashes after the tag name in end tags are now ignored, instead of terminating after the first > in quoted attribute value. E.g. </script/foo=">"/>.
      * Multiple slashes and whitespaces between the last attribute and closing > are now ignored in both start and end tags. E.g. <a foo=bar/ //>.
      * Multiple = between attribute name and value are no longer collapsed. E.g. <a foo==bar> produces attribute “foo” with value “=bar”.
    * gh-102555: Fix comment parsing in html.parser.HTMLParser according to the HTML5 standard. --!> now ends the comment. -- > no longer ends the comment. Support abnormally ended empty comments <--> and <--->.
    * gh-135462: Fix quadratic complexity in processing specially crafted input in html.parser.HTMLParser. End-of-file errors are now handled according to the HTML5 specs – comments and declarations are automatically closed, tags are ignored (CVE-2025-6069, bsc#1244705).
    * gh-118350: Fix support of escapable raw text mode (elements “textarea” and “title”) in html.parser.HTMLParser.
  * Core and Builtins
    * gh-58124: Fix name of the Python encoding in Unicode errors of the code page codec: use “cp65000” and “cp65001” instead of “CP_UTF7” and “CP_UTF8” which are not valid Python codec names. Patch by Victor Stinner.
    * gh-137314: Fixed a regression where raw f-strings incorrectly interpreted escape sequences in format specifications. Raw f-strings now properly preserve literal backslashes in format specs, matching the behavior from Python 3.11. For example, rf"{obj:\xFF}" now correctly produces '\xFF' instead of 'ÿ'. Patch by Pablo Galindo.
    * gh-136541: Fix some issues with the perf trampolines on x86-64 and aarch64. The trampolines were not being generated correctly for some cases, which could lead to the perf integration not working correctly. Patch by Pablo Galindo.
    * gh-109700: Fix memory error handling in PyDict_SetDefault().
    * gh-78465: Fix error message for cls.__new__(cls, ...) where cls is not instantiable builtin or extension type (with tp_new set to NULL).
    * gh-135871: Non-blocking mutex lock attempts now return immediately when the lock is busy instead of briefly spinning in the free threading build.
    * gh-135607: Fix potential weakref races in an object’s destructor on the free threaded build.
    * gh-135496: Fix typo in the f-string conversion type error (“exclamanation” -> “exclamation”).
    * gh-130077: Properly raise custom syntax errors when incorrect syntax containing names that are prefixes of soft keywords is encountered. Patch by Pablo Galindo.
    * gh-135148: Fixed a bug where f-string debug expressions (using =) would incorrectly strip out parts of strings containing escaped quotes and # characters. Patch by Pablo Galindo.
    * gh-133136: Limit excess memory usage in the free threading build when a large dictionary or list is resized and accessed by multiple threads.
    * gh-132617: Fix dict.update() modification check that could incorrectly raise a “dict mutated during update” error when a different dictionary was modified that happens to share the same underlying keys object.
    * gh-91153: Fix a crash when a bytearray is concurrently mutated during item assignment.
    * gh-127971: Fix off-by-one read beyond the end of a string in string search.
    * gh-125723: Fix crash with gi_frame.f_locals when generator frames outlive their generator. Patch by Mikhail Efimov.
  * Library
    * gh-132710: If possible, ensure that uuid.getnode() returns the same result even across different processes. Previously, the result was constant only within the same process. Patch by Bénédikt Tran.
    * gh-137273: Fix debug assertion failure in locale.setlocale() on Windows.
    * gh-137257: Bump the version of pip bundled in ensurepip to version 25.2
    * gh-81325: tarfile.TarFile now accepts a path-like when working on a tar archive. (Contributed by Alexander Enrique Urieles Nieto in gh-81325.)
    * gh-130522: Fix unraisable TypeError raised during interpreter shutdown in the threading module.
    * gh-130577: tarfile now validates archives to ensure member offsets are non-negative. (Contributed by Alexander Enrique Urieles Nieto in gh-130577; CVE-2025-8194, bsc#1247249).
    * gh-136549: Fix signature of threading.excepthook().
    * gh-136523: Fix wave.Wave_write emitting an unraisable when open raises.
    * gh-52876: Add missing keepends (default True) parameter to codecs.StreamReaderWriter.readline() and codecs.StreamReaderWriter.readlines().
    * gh-85702: If zoneinfo._common.load_tzdata is given a package without a resource a zoneinfo.ZoneInfoNotFoundError is raised rather than a PermissionError. Patch by Victor Stinner.
    * gh-134759: Fix UnboundLocalError in email.message.Message.get_payload() when the payload to decode is a bytes object. Patch by Kliment Lamonov.
    * gh-136028: Fix parsing month names containing “İ” (U+0130, LATIN CAPITAL LETTER I WITH DOT ABOVE) in time.strptime(). This affects locales az_AZ, ber_DZ, ber_MA and crh_UA.
    * gh-135995: In the palmos encoding, make byte 0x9b decode to › (U+203A - SINGLE RIGHT-POINTING ANGLE QUOTATION MARK).
    * gh-53203: Fix time.strptime() for %c and %x formats on locales byn_ER, wal_ET and lzh_TW, and for %X format on locales ar_SA, bg_BG and lzh_TW.
    * gh-91555: An earlier change, which was introduced in 3.13.4, has been reverted. It disabled logging for a logger during handling of log messages for that logger. Since the reversion, the behaviour should be as it was before 3.13.4.
    * gh-135878: Fixes a crash of types.SimpleNamespace on free threading builds, when several threads were calling its __repr__() method at the same time.
    * gh-135836: Fix IndexError in asyncio.loop.create_connection() that could occur when non-OSError exception is raised during connection and socket’s close() raises OSError.
    * gh-135836: Fix IndexError in asyncio.loop.create_connection() that could occur when the Happy Eyeballs algorithm resulted in an empty exceptions list during connection attempts.
    * gh-135855: Raise TypeError instead of SystemError when _interpreters.set___main___attrs() is passed a non-dict object. Patch by Brian Schubert.
    * gh-135815: netrc: skip security checks if os.getuid() is missing. Patch by Bénédikt Tran.
    * gh-135640: Address bug where it was possible to call xml.etree.ElementTree.ElementTree.write() on an ElementTree object with an invalid root element. This behavior blanked the file passed to write if it already existed.
    * gh-135444: Fix asyncio.DatagramTransport.sendto() to account for datagram header size when data cannot be sent.
    * gh-135497: Fix os.getlogin() failing for longer usernames on BSD-based platforms.
    * gh-135487: Fix reprlib.Repr.repr_int() when given integers with more than sys.get_int_max_str_digits() digits. Patch by Bénédikt Tran.
    * gh-135335: multiprocessing: Flush stdout and stderr after preloading modules in the forkserver.
    * gh-135244: uuid: when the MAC address cannot be determined, the 48-bit node ID is now generated with a cryptographically-secure pseudo-random number generator (CSPRNG) as per RFC 9562, §6.10.3. This affects uuid1().
    * gh-135069: Fix the “Invalid error handling” exception in encodings.idna.IncrementalDecoder to correctly replace the ‘errors’ parameter.
    * gh-134698: Fix a crash when calling methods of ssl.SSLContext or ssl.SSLSocket across multiple threads.
    * gh-132124: On POSIX-compliant systems, multiprocessing.util.get_temp_dir() now ignores TMPDIR (and similar environment variables) if the path length of AF_UNIX socket files exceeds the platform-specific maximum length when using the forkserver start method. Patch by Bénédikt Tran.
    * gh-133439: Fix dot commands with trailing spaces are mistaken for multi-line SQL statements in the sqlite3 command-line interface.
    * gh-132969: Prevent the ProcessPoolExecutor executor thread, which remains running when shutdown(wait=False), from attempting to adjust the pool’s worker processes after the object state has already been reset during shutdown. A combination of conditions, including a worker process having terminated abnormally, resulted in an exception and a potential hang when the still-running executor thread attempted to replace dead workers within the pool.
    * gh-130664: Support the '_' digit separator in formatting of the integral part of Decimal’s. Patch by Sergey B Kirpichev.
    * gh-85702: If zoneinfo._common.load_tzdata is given a package without a resource a ZoneInfoNotFoundError is raised rather than an IsADirectoryError.
    * gh-130664: Handle corner-case for Fraction’s formatting: treat zero-padding (preceding the width field by a zero ('0') character) as an equivalent to a fill character of '0' with an alignment type of '=', just as in case of float’s.
  * Tools/Demos
    * gh-135968: Stubs for strip are now provided as part of an iOS install.
  * Tests
    * gh-135966: The iOS testbed now handles the app_packages folder as a site directory.
    * gh-135494: Fix regrtest to support excluding tests from --pgo tests. Patch by Victor Stinner.
    * gh-135489: Show verbose output for failing tests during PGO profiling step with --enable-optimizations.
  * Documentation
    * gh-135171: Document that the iterator for the leftmost for clause in the generator expression is created immediately.
  * Build
    * gh-135497: Fix the detection of MAXLOGNAME in the configure.ac script.
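
The html.parser security bullets above (gh-135661, gh-102555, gh-135462) list tokenizer rules without showing them in action. What follows is an added example, not CPython's html.parser and not SUSE code: a small HTML5-style tokenizer that implements exactly those listed rules, namely tag-name whitespace limited to \t\n\r\f and space (so \v stays in the name), NUL mapped to U+FFFD instead of ending the name, attributes on end tags consumed and dropped (so `</script/foo=">"/>` ends at the final `>`), multiple `=` not collapsed (`<a foo==bar>` gives foo="=bar"), `--!>` closing a comment while `-- >` does not, the empty comments `<!-->` and `<!--->`, and EOF closing an open comment rather than discarding it. Function names and the inputs it is exercised with are this example's own. `</` followed by anything but an ASCII letter is handled as in the HTML5 data state (a bogus comment); inside a `<script>` section, which this example does not model, the same `</ script>` is plain text. Either way it is not an end tag, which is the point of the first bullet.

```python
import re
WS = "\t\n\r\f "                        # the only whitespace HTML5 allows inside a tag
_NAME = re.compile(r"[^\t\n\r\f />]*")  # a tag name runs to whitespace, '/' or '>'

def _tag_name(text, i):                 # NUL becomes U+FFFD instead of ending the name
    m = _NAME.match(text, i); return m.group().lower().replace("\0", "\ufffd"), m.end()

def _scan_attrs(text, i):
    """HTML5 attribute states from text[i:] to '>': (attrs, index_after_gt) or None at EOF."""
    attrs, n, st = [], len(text), "before_name"
    done = lambda: ([tuple(a) for a in attrs], i)
    while i < n:
        c, i = text[i], i + 1
        if st == "before_name":                  # also the state after a quoted value
            if c in WS: continue
            if c in "/>": st, i = "after_name", i - 1
            elif c == "=": attrs.append(["=", None]); st = "name"
            else: attrs.append(["", None]); st, i = "name", i - 1
        elif st == "name":
            if c in WS or c in "/>": st, i = "after_name", i - 1
            elif c == "=": st = "before_value"
            else: attrs[-1][0] += "\ufffd" if c == "\0" else c.lower()
        elif st == "after_name":
            if c in WS: continue
            if c == ">": return done()
            if c == "/": st = "self_closing"
            elif c == "=": st = "before_value"
            else: attrs.append(["", None]); st, i = "name", i - 1
        elif st == "before_value":
            if c in WS: continue
            if not attrs: attrs.append(["", None])
            attrs[-1][1] = ""
            if c == ">": return done()
            if c in ('"', "'"): st = c           # quoted value: the quote char is the state
            else: st, i = "unquoted", i - 1      # a second '=' just starts the value
        elif st in ('"', "'"):
            if c == st: st = "before_name"
            else: attrs[-1][1] += c              # '>' inside quotes does not close the tag
        elif st == "unquoted":
            if c == ">": return done()
            if c in WS: st = "before_name"
            else: attrs[-1][1] += c              # '/' stays in the value: foo=bar/
        else:                                    # self_closing: just after a '/'
            if c == ">": return done()
            st, i = "before_name", i - 1         # stray '/' or whitespace is skipped
    return None                                  # eof-in-tag: the tag is dropped

def _comment(text, i):
    """text[i:] starts with '<!--': (data, index_after); EOF closes the comment."""
    buf, st, n, i = [], "text", len(text), i + 4
    if text.startswith(">", i): return "", i + 1        # <!-->
    if text.startswith("->", i): return "", i + 2       # <!--->
    while i < n:
        c, i = text[i], i + 1
        if st == "text":
            if c == "-": st = "dash"
            else: buf.append(c)
        elif st == "dash":                               # seen '-'
            if c == "-": st = "end"
            else: buf.append("-" + c); st = "text"
        elif st == "end":                                # seen '--'
            if c == ">": return "".join(buf), i
            if c == "!": st = "bang"
            elif c == "-": buf.append("-")
            else: buf.append("--" + c); st = "text"     # so '-- >' does not close
        else:                                            # seen '--!'
            if c == ">": return "".join(buf), i          # '--!>' closes
            if c == "-": buf.append("--!"); st = "dash"
            else: buf.append("--!" + c); st = "text"
    return "".join(buf), n                               # eof-in-comment: emit as-is

def tokenize(text):
    """Tokens: ('starttag', name, attrs), ('endtag', name), ('comment', data), ('data', text)."""
    tokens, data, i, n = [], [], 0, len(text)
    alpha = lambda ch: ch.isascii() and ch.isalpha()
    def flush():
        if data: tokens.append(("data", "".join(data))); data.clear()
    while i < n:
        c, nxt = text[i], text[i + 1:i + 2]
        if c != "<":
            data.append(c); i += 1
        elif text.startswith("<!--", i):
            flush(); body, i = _comment(text, i); tokens.append(("comment", body))
        elif nxt == "/" and alpha(text[i + 2:i + 3]):
            name, j = _tag_name(text, i + 2); end = _scan_attrs(text, j)
            if end is None: break                        # eof-in-tag
            flush(); tokens.append(("endtag", name)); i = end[1]   # end-tag attributes are dropped
        elif nxt == "/" and i + 2 < n:                   # '</ script>': a bogus comment, not an end tag
            j = text.find(">", i + 2); end = n if j < 0 else j
            flush(); body, i = text[i + 2:end], end + 1
            if body: tokens.append(("comment", body))    # '</>' on its own is dropped
        elif alpha(nxt):
            name, j = _tag_name(text, i + 1); end = _scan_attrs(text, j)
            if end is None: break
            flush(); tokens.append(("starttag", name, end[0])); i = end[1]
        else:
            data.append(c); i += 1                       # a '<' that opens nothing is text
    flush()
    return tokens
```

As a quick check on an interpreter you are assessing, feed the same strings to html.parser.HTMLParser and compare: a parser that still ends a comment at `-- >`, or that takes `</ script>` as an end tag, is showing the pre-3.13.6 behaviour this update replaces.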

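The gh-130577 bullet (CVE-2025-8194) is a one-liner; what it means in practice is that a tar size field is allowed to be GNU base-256 encoded, and a base-256 value with the sign bit set decodes to a negative number, which moves the computed offset of the next header backwards instead of forwards. What follows is an added example, not CPython or SUSE code: an independent header walker that rejects such an archive before tarfile sees it, together with an archive constructed in memory that carries exactly that field. Function names are this example's own, the archive is a constructed sample, and the crafted archive is deliberately not passed to tarfile.open() here, since on an interpreter without this update it is the input class the fix addresses.

```python
import io
import tarfile

BLOCKSIZE = 512


def parse_size(field: bytes) -> int:
    """Decode a 12-byte tar size field: ASCII octal, or GNU base-256 when the
    first byte is 0x80 (positive) or 0xFF (negative, two's complement)."""
    if field[0] in (0x80, 0xFF):
        n = int.from_bytes(field[1:], "big")
        if field[0] == 0xFF:
            n -= 1 << (8 * (len(field) - 1))
        return n
    text = field.split(b"\0", 1)[0].strip()
    return int(text or b"0", 8)


def fix_checksum(header: bytearray) -> None:
    """Recompute the ustar checksum (all 512 bytes summed with the checksum
    field read as eight spaces) so the crafted header is otherwise well formed."""
    header[148:156] = b" " * 8
    header[148:156] = b"%06o\0 " % sum(header)


def walk_headers(data: bytes) -> list:
    """Walk member headers without letting any size move the offset backwards.
    Returns (name, size, data_offset) per member; raises ValueError on a
    negative size, the condition that would drive tarfile's offset negative."""
    members, offset = [], 0
    while offset + BLOCKSIZE <= len(data):
        block = data[offset:offset + BLOCKSIZE]
        if block == bytes(BLOCKSIZE):          # end-of-archive marker
            break
        name = block[:100].split(b"\0", 1)[0].decode("utf-8", "surrogateescape")
        size = parse_size(block[124:136])
        if size < 0:
            raise ValueError(f"{name!r}: negative size {size} at offset {offset}")
        data_offset = offset + BLOCKSIZE
        members.append((name, size, data_offset))
        offset = data_offset + -(-size // BLOCKSIZE) * BLOCKSIZE   # round up to whole blocks
    return members


def is_safe_archive(data: bytes) -> bool:
    """True when every header passes walk_headers; only then hand it to tarfile."""
    try:
        walk_headers(data)
        return True
    except ValueError:
        return False


def benign_archive() -> bytes:
    """Constructed sample: a two-member ustar archive built with tarfile itself."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        for name, payload in (("a.txt", b"hello\n"), ("b.txt", b"x" * 700)):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def crafted_archive() -> bytes:
    """Constructed sample: the benign archive with the first member's size
    rewritten as base-256 -1024, so the next header would sit at 512 - 1024 < 0."""
    data = bytearray(benign_archive())
    header = data[:BLOCKSIZE]
    header[124:136] = b"\xff" + ((-1024) & ((1 << 88) - 1)).to_bytes(11, "big")
    fix_checksum(header)                       # keep the header otherwise valid
    data[:BLOCKSIZE] = header
    return bytes(data)


if __name__ == "__main__":
    print(walk_headers(benign_archive()))
    print("crafted archive accepted:", is_safe_archive(crafted_archive()))
```

The walker deliberately never follows a size field it has not first checked, so an archive that passes it cannot send a reader's offset backwards; the checksum rewrite only matters for making the sample realistic, since a header with a bad checksum is rejected for a different reason before the size is ever used.
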
## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".  
Alternatively you can run the command listed for your product:

  * Python 3 Module 15-SP7  
    zypper in -t patch SUSE-SLE-Module-Python3-15-SP7-2025-3706=1

## Package List:

  * Python 3 Module 15-SP7 (aarch64 ppc64le s390x x86_64)
    * python313-idle-3.13.7-150700.4.23.1
    * python313-curses-debuginfo-3.13.7-150700.4.23.1
    * python313-base-debuginfo-3.13.7-150700.4.23.1
    * python313-core-debugsource-3.13.7-150700.4.23.1
    * python313-debugsource-3.13.7-150700.4.23.1
    * python313-dbm-debuginfo-3.13.7-150700.4.23.1
    * python313-debuginfo-3.13.7-150700.4.23.1
    * python313-devel-3.13.7-150700.4.23.1
    * libpython3_13-1_0-debuginfo-3.13.7-150700.4.23.1
    * python313-base-3.13.7-150700.4.23.1
    * python313-3.13.7-150700.4.23.1
    * python313-tk-debuginfo-3.13.7-150700.4.23.1
    * python313-curses-3.13.7-150700.4.23.1
    * python313-dbm-3.13.7-150700.4.23.1
    * python313-tk-3.13.7-150700.4.23.1
    * libpython3_13-1_0-3.13.7-150700.4.23.1
    * python313-tools-3.13.7-150700.4.23.1

## References:

  * https://www.suse.com/security/cve/CVE-2025-6069.html
  * https://www.suse.com/security/cve/CVE-2025-8194.html
  * https://bugzilla.suse.com/show_bug.cgi?id=1244705
  * https://bugzilla.suse.com/show_bug.cgi?id=1247249
