SUSE-SU-2026:20125-1: moderate: Security update for python313

SLE-UPDATES null at suse.de
Wed Jan 28 20:32:55 UTC 2026



# Security update for python313

Announcement ID: SUSE-SU-2026:20125-1  
Release Date: 2026-01-22T13:47:27Z  
Rating: moderate  
References:

  * bsc#1244680
  * bsc#1244705
  * bsc#1247249
  * bsc#1251305
  * bsc#1252974
  * bsc#1254400
  * bsc#1254401
  * bsc#1254997

  
Cross-References:

  * CVE-2025-12084
  * CVE-2025-13836
  * CVE-2025-13837
  * CVE-2025-6069
  * CVE-2025-6075
  * CVE-2025-8194
  * CVE-2025-8291

  
CVSS scores:

  * CVE-2025-12084 ( SUSE ):  6.3
    CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  * CVE-2025-12084 ( SUSE ):  4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
  * CVE-2025-12084 ( NVD ):  6.3
    CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  * CVE-2025-12084 ( NVD ):  5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  * CVE-2025-13836 ( SUSE ):  6.3
    CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  * CVE-2025-13836 ( SUSE ):  6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  * CVE-2025-13836 ( NVD ):  6.3
    CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  * CVE-2025-13836 ( NVD ):  9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
  * CVE-2025-13837 ( SUSE ):  2.1
    CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  * CVE-2025-13837 ( SUSE ):  4.0 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  * CVE-2025-13837 ( NVD ):  2.1
    CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  * CVE-2025-13837 ( NVD ):  5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  * CVE-2025-6069 ( SUSE ):  6.9
    CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H
  * CVE-2025-6069 ( SUSE ):  6.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H
  * CVE-2025-6069 ( NVD ):  4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
  * CVE-2025-6075 ( SUSE ):  1.8
    CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  * CVE-2025-6075 ( SUSE ):  2.5 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
  * CVE-2025-6075 ( NVD ):  1.8
    CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  * CVE-2025-8194 ( SUSE ):  7.1
    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
  * CVE-2025-8194 ( SUSE ):  6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  * CVE-2025-8194 ( NVD ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2025-8291 ( SUSE ):  4.8
    CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
  * CVE-2025-8291 ( SUSE ):  3.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
  * CVE-2025-8291 ( NVD ):  4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

  
Affected Products:

  * SUSE Linux Enterprise Server 16.0
  * SUSE Linux Enterprise Server for SAP Applications 16.0

  
  
An update that solves seven vulnerabilities and has one fix can now be
installed.

## Description:

This update for python313 fixes the following issues:

  * Update to 3.13.11:

  * Security

    * CVE-2025-12084: cpython: Fixed quadratic algorithm in xml.dom.minidom leading to denial of service (bsc#1254997)
    * CVE-2025-13836: Fixed default Content-Length read amount from HTTP response (bsc#1254400)
    * CVE-2025-13837: Fixed plistlib module denial of service (bsc#1254401)
    * CVE-2025-8291: Fixed validity of the ZIP64 End of Central Directory (EOCD) not checked by the 'zipfile' module (bsc#1251305)
    * gh-137836: Add support of the “plaintext” element, RAWTEXT elements “xmp”, “iframe”, “noembed” and “noframes”, and optionally RAWTEXT element “noscript” in html.parser.HTMLParser.
    * gh-136063: email.message: ensure linear complexity for legacy HTTP parameters parsing. Patch by Bénédikt Tran.
    * CVE-2025-6075: Fixed performance issues caused by user-controlled os.path.expandvars() (bsc#1252974)
  * Library
    * gh-140797: Revert changes to the undocumented re.Scanner class. Capturing groups are still allowed for backward compatibility, although using them can lead to incorrect results. They will be forbidden in future Python versions.
    * gh-142206: The resource tracker in the multiprocessing module now uses the original communication protocol, as in Python 3.14.0 and below, by default. This avoids issues with upgrading Python while it is running. (Note that such ‘in-place’ upgrades are not tested.) The tracker remains compatible with subprocesses that use new protocol (that is, subprocesses using Python 3.13.10, 3.14.1 and 3.15).
  * Core and Builtins

    * gh-142218: Fix crash when inserting into a split table dictionary with a non-str key that matches an existing key.
  * Update to 3.13.10:

  * Tools/Demos

    * gh-141442: The iOS testbed now correctly handles test arguments that contain spaces.
  * Tests
    * gh-140482: Preserve and restore the state of stty echo as part of the test environment.
    * gh-140082: Update python -m test to set FORCE_COLOR=1 when being run with color enabled so that unittest which is run by it with redirected output will output in color.
    * gh-136442: Use exit code 1 instead of 5 if unittest.TestCase.setUpClass() raises an exception.
  * Library
    * gh-74389: When the stdin being used by a subprocess.Popen instance is closed, this is now ignored in subprocess.Popen.communicate() instead of leaving the class in an inconsistent state.
    * gh-87512: Fix subprocess.Popen.communicate() timeout handling on Windows when writing large input. Previously, the timeout was ignored during stdin writing, causing the method to block indefinitely if the child process did not consume input quickly. The stdin write is now performed in a background thread, allowing the timeout to be properly enforced.
    * gh-141473: When subprocess.Popen.communicate() was called with input and a timeout and is called for a second time after a TimeoutExpired exception before the process has died, it should no longer hang.
    * gh-59000: Fix pdb breakpoint resolution for class methods when the module defining the class is not imported.
    * gh-141570: Support file-like object raising OSError from fileno() in color detection (_colorize.can_colorize()). This can occur when sys.stdout is redirected.
    * gh-141659: Fix bad file descriptor errors from _posixsubprocess on AIX.
    * gh-141497: ipaddress: ensure that the methods IPv4Network.hosts() and IPv6Network.hosts() always return an iterator.
    * gh-140938: The statistics.stdev() and statistics.pstdev() functions now raise a ValueError when the input contains an infinity or a NaN.
    * gh-124111: Updated Tcl threading configuration in _tkinter to assume that threads are always available in Tcl 9 and later.
    * gh-137109: The os.fork and related forking APIs will no longer warn in the common case where Linux or macOS platform APIs return the number of threads in a process and find the answer to be 1 even when a os.register_at_fork() after_in_parent= callback (re)starts a thread.
    * gh-141314: Fix assertion failure in io.TextIOWrapper.tell() when reading files with standalone carriage return (\r) line endings.
    * gh-141311: Fix assertion failure in io.BytesIO.readinto() and undefined behavior arising when read position is above capacity in io.BytesIO.
    * gh-141141: Fix a thread safety issue with base64.b85decode(). Contributed by Benel Tayar.
    * gh-140911: collections: Ensure that the methods UserString.rindex() and UserString.index() accept collections.UserString instances as the sub argument.
    * gh-140797: The undocumented re.Scanner class now forbids regular expressions containing capturing groups in its lexicon patterns. Patterns using capturing groups could previously lead to crashes with segmentation fault. Use non-capturing groups (?:…) instead.
    * gh-140815: faulthandler now detects if a frame or a code object is invalid or freed. Patch by Victor Stinner.
    * gh-100218: Correctly set errno when socket.if_nametoindex() or socket.if_indextoname() raise an OSError. Patch by Bénédikt Tran.
    * gh-140875: Fix handling of unclosed character references (named and numerical) followed by the end of file in html.parser.HTMLParser with convert_charrefs=False.
    * gh-140734: multiprocessing: fix off-by-one error when checking the length of a temporary socket file path. Patch by Bénédikt Tran.
    * gh-140874: Bump the version of pip bundled in ensurepip to version 25.3
    * gh-140691: In urllib.request, when opening a FTP URL fails because a data connection cannot be made, the control connection’s socket is now closed to avoid a ResourceWarning.
    * gh-103847: Fix hang when cancelling process created by asyncio.create_subprocess_exec() or asyncio.create_subprocess_shell(). Patch by Kumar Aditya.
    * gh-140590: Fix arguments checking for the `functools.partial.__setstate__()` that may lead to internal state corruption and crash. Patch by Sergey Miryanov.
    * gh-140634: Fix a reference counting bug in `os.sched_param.__reduce__()`.
    * gh-140633: Ignore AttributeError when setting a module's `__file__` attribute when loading an extension module packaged as Apple Framework.
    * gh-140593: xml.parsers.expat: Fix a memory leak that could affect users with ElementDeclHandler() set to a custom element declaration handler. Patch by Sebastian Pipping.
    * gh-140607: Inside io.RawIOBase.read(), validate that the count of bytes returned by io.RawIOBase.readinto() is valid (inside the provided buffer).
    * gh-138162: Fix logging.LoggerAdapter with merge_extra=True and without the extra argument.
    * gh-140474: Fix memory leak in array.array when creating arrays from an empty str and the u type code.
    * gh-140272: Fix memory leak in the clear() method of the dbm.gnu database.
    * gh-140041: Fix import of ctypes on Android and Cygwin when ABI flags are present.
    * gh-139905: Add suggestion to error message for typing.Generic subclasses when `cls.__parameters__` is missing due to a parent class failing to call `super().__init_subclass__()` in its `__init_subclass__`.
    * gh-139845: Fix to not print KeyboardInterrupt twice in default asyncio REPL.
    * gh-139783: Fix inspect.getsourcelines() for the case when a decorator is followed by a comment or an empty line.
    * gh-70765: http.server: fix default handling of HTTP/0.9 requests in BaseHTTPRequestHandler. Previously, BaseHTTPRequestHandler.parse_request() incorrectly waited for headers in the request although those are not supported in HTTP/0.9. Patch by Bénédikt Tran.
    * gh-139391: Fix an issue when, on non-Windows platforms, it was not possible to gracefully exit a python -m asyncio process suspended by Ctrl+Z and later resumed by fg other than with kill.
    * gh-101828: Fix 'shift_jisx0213', 'shift_jis_2004', 'euc_jisx0213' and 'euc_jis_2004' codecs truncating null chars as they were treated as part of multi-character sequences.
    * gh-139246: Fix wrong width handling when pasting zero-width characters in the default REPL.
    * gh-90949: Add SetAllocTrackerActivationThreshold() and SetAllocTrackerMaximumAmplification() to xmlparser objects to prevent use of disproportional amounts of dynamic memory from within an Expat parser. Patch by Bénédikt Tran.
    * gh-139065: Fix trailing space before a wrapped long word if the line length is exactly width in textwrap.
    * gh-138993: Dedent credits text.
    * gh-138859: Fix generic type parameterization raising a TypeError when omitting a ParamSpec that has a default which is not a list of types.
    * gh-138775: Use of python -m with base64 has been fixed to detect input from a terminal so that it properly notices EOF.
    * gh-98896: Fix a failure in multiprocessing resource_tracker when SharedMemory names contain colons. Patch by Rani Pinchuk.
    * gh-75989: tarfile.TarFile.extractall() and tarfile.TarFile.extract() now overwrite symlinks when extracting hardlinks. (Contributed by Alexander Enrique Urieles Nieto in gh-75989.)
    * gh-83424: Allows creating a ctypes.CDLL without name when passing a handle as an argument.
    * gh-136234: Fix asyncio.WriteTransport.writelines() to be robust to connection failure, by using the same behavior as write().
    * gh-136057: Fixed the bug in pdb and bdb where next and step can’t go over the line if a loop exists in the line.
    * gh-135307: email: Fix exception in set_content() when encoding text and max_line_length is set to 0 or None (unlimited).
    * gh-134453: Fixed subprocess.Popen.communicate() input= handling of memoryview instances that were non-byte shaped on POSIX platforms. Those are now properly cast to a byte shaped view instead of truncating the input. Windows platforms did not have this bug.
    * gh-102431: Clarify constraints for “logical” arguments in methods of decimal.Context.
  * IDLE
    * gh-96491: Deduplicate version number in IDLE shell title bar after saving to a file.
  * Documentation
    * gh-141994: xml.sax.handler: Make Documentation of xml.sax.handler.feature_external_ges warn of opening up to external entity attacks. Patch by Sebastian Pipping.
    * gh-140578: Remove outdated sentence in the documentation for multiprocessing that implied that concurrent.futures.ThreadPoolExecutor did not exist.
  * Core and Builtins
    * gh-142048: Fix quadratically increasing garbage collection delays in free-threaded build.
    * gh-141930: When importing a module, use Python’s regular file object to ensure that writes to .pyc files are complete or an appropriate error is raised.
    * gh-120158: Fix inconsistent state when enabling or disabling monitoring events too many times.
    * gh-141579: Fix sys.activate_stack_trampoline() to properly support the perf_jit backend. Patch by Pablo Galindo.
    * gh-141312: Fix the assertion failure in the `__setstate__` method of the range iterator when a non-integer argument is passed. Patch by Sergey Miryanov.
    * gh-140939: Fix memory leak when bytearray or bytes is formatted with the %*b format with a large width that results in a MemoryError.
    * gh-140530: Fix a reference leak when raise exc from cause fails. Patch by Bénédikt Tran.
    * gh-140576: Fixed crash in tokenize.generate_tokens() in case of specific incorrect input. Patch by Mikhail Efimov.
    * gh-140551: Fixed crash in dict if dict.clear() is called at the lookup stage. Patch by Mikhail Efimov and Inada Naoki.
    * gh-140471: Fix potential buffer overflow in ast.AST node initialization when encountering malformed _fields containing non-str.
    * gh-140406: Fix memory leak when an object's `__hash__()` method returns an object that isn't an int.
    * gh-140306: Fix memory leaks in cross-interpreter channel operations and shared namespace handling.
    * gh-140301: Fix memory leak of PyConfig in subinterpreters.
    * gh-140000: Fix potential memory leak when a reference cycle exists between an instance of typing.TypeAliasType, typing.TypeVar, typing.ParamSpec, or typing.TypeVarTuple and its `__name__` attribute. Patch by Mikhail Efimov.
    * gh-139748: Fix reference leaks in error branches of functions accepting path strings or bytes such as compile() and os.system(). Patch by Bénédikt Tran.
    * gh-139516: Fix lambda colon erroneously start format spec in f-string in tokenizer.
    * gh-139640: Fix swallowing some syntax warnings in different modules if they accidentally have the same message and are emitted from the same line. Fix duplicated warnings in the finally block.
    * gh-137400: Fix a crash in the free threading build when disabling profiling or tracing across all threads with PyEval_SetProfileAllThreads() or PyEval_SetTraceAllThreads() or their Python equivalents threading.settrace_all_threads() and threading.setprofile_all_threads().
    * gh-133400: Fixed Ctrl+D (^D) behavior in _pyrepl module to match old pre-3.13 REPL behavior.
  * C API

    * gh-140042: Removed the sqlite3_shutdown call that could cause closing connections for sqlite when used with multiple sub interpreters.
    * gh-140487: Fix Py_RETURN_NOTIMPLEMENTED in limited C API 3.11 and older: don’t treat Py_NotImplemented as immortal. Patch by Victor Stinner.
  * Update to 3.13.9:

  * Library

    * gh-139783: Fix inspect.getsourcelines() for the case when a decorator is followed by a comment or an empty line.
  * Update to 3.13.8:

  * Tools/Demos

    * gh-139330: SBOM generation tool didn’t cross-check the version and checksum values against the Modules/expat/refresh.sh script, leading to the values becoming out-of-date during routine updates.
    * gh-137873: The iOS test runner has been simplified, resolving some issues that have been observed using the runner in GitHub Actions and Azure Pipelines test environments.
  * Tests
    * gh-139208: Fix regrtest --fast-ci --verbose: don't ignore the --verbose option anymore. Patch by Victor Stinner.
  * Security
    * gh-139400: xml.parsers.expat: Make sure that parent Expat parsers are only garbage-collected once they are no longer referenced by subparsers created by ExternalEntityParserCreate(). Patch by Sebastian Pipping.
    * gh-139283: sqlite3: correctly handle maximum number of rows to fetch in Cursor.fetchmany and reject negative values for Cursor.arraysize. Patch by Bénédikt Tran.
    * gh-135661: Fix CDATA section parsing in html.parser.HTMLParser according to the HTML5 standard: ] ]> and ]] > no longer end the CDATA section. Add private method _set_support_cdata() which can be used to specify how to parse <![CDATA[ — as a CDATA section in foreign content (SVG or MathML) or as a bogus comment in the HTML namespace.
  * Library
    * gh-139312: Upgrade bundled libexpat to 2.7.3
    * gh-139289: Do a real lazy-import on rlcompleter in pdb and restore the existing completer after importing rlcompleter.
    * gh-139210: Fix use-after-free when reporting unknown event in xml.etree.ElementTree.iterparse(). Patch by Ken Jin.
    * gh-138860: Lazy import rlcompleter in pdb to avoid deadlock in subprocess.
    * gh-112729: Fix crash when calling _interpreters.create when the process is out of memory.
    * gh-139076: Fix a bug in the pydoc module that was hiding functions in a Python module if they were implemented in an extension module and the module did not have `__all__`.
    * gh-138998: Update bundled libexpat to 2.7.2
    * gh-130567: Fix possible crash in locale.strxfrm() due to a platform bug on macOS.
    * gh-138779: Support device numbers larger than 2**63-1 for the st_rdev field of the os.stat_result structure.
    * gh-128636: Fix crash in PyREPL when os.environ is overwritten with an invalid value for mac
    * gh-88375: Fix normalization of the robots.txt rules and URLs in the urllib.robotparser module. No longer ignore trailing ?. Distinguish raw special characters ?, = and & from the percent-encoded ones.
    * gh-138515: email is added to Emscripten build.
    * gh-111788: Fix parsing errors in the urllib.robotparser module. Don’t fail trying to parse weird paths. Don’t fail trying to decode non-UTF-8 robots.txt files.
    * gh-138432: zoneinfo.reset_tzpath() will now convert any os.PathLike objects it receives into strings before adding them to TZPATH. It will raise TypeError if anything other than a string is found after this conversion. If given an os.PathLike object that represents a relative path, it will now raise ValueError instead of TypeError, and present a more informative error message.
    * gh-138008: Fix segmentation faults in the ctypes module due to invalid argtypes. Patch by Dung Nguyen.
    * gh-60462: Fix locale.strxfrm() on Solaris (and possibly other platforms).
    * gh-138204: Forbid expansion of shared anonymous memory maps on Linux, which caused a bus error.
    * gh-138010: Fix an issue where defining a class with a @warnings.deprecated-decorated base class may not invoke the correct `__init_subclass__()` method in cases involving multiple inheritance. Patch by Brian Schubert.
    * gh-138133: Prevent infinite traceback loop when sending CTRL^C to Python through strace.
    * gh-134869: Fix an issue where pressing Ctrl+C during tab completion in the REPL would leave the autocompletion menu in a corrupted state.
    * gh-137317: inspect.signature() now correctly handles classes that use a descriptor on a wrapped `__init__()` or `__new__()` method. Contributed by Yongyu Yan.
    * gh-137754: Fix import of the zoneinfo module if the C implementation of the datetime module is not available.
    * gh-137490: Handle ECANCELED in the same way as EINTR in signal.sigwaitinfo() on NetBSD.
    * gh-137477: Fix inspect.getblock(), inspect.getsourcelines() and inspect.getsource() for generator expressions.
    * gh-137017: Fix threading.Thread.is_alive to remain True until the underlying OS thread is fully cleaned up. This avoids false negatives in edge cases involving thread monitoring or premature threading.Thread.is_alive calls.
    * gh-136134: SMTP.auth_cram_md5() now raises an SMTPException instead of a ValueError if Python has been built without MD5 support. In particular, SMTP clients will not attempt to use this method even if the remote server is assumed to support it. Patch by Bénédikt Tran.
    * gh-136134: IMAP4.login_cram_md5 now raises an IMAP4.error if CRAM-MD5 authentication is not supported. Patch by Bénédikt Tran.
    * gh-135386: Fix opening a dbm.sqlite3 database for reading from read-only file or directory.
    * gh-126631: Fix multiprocessing forkserver bug which prevented `__main__` from being preloaded.
    * gh-123085: In a bare call to importlib.resources.files(), ensure the caller’s frame is properly detected when importlib.resources is itself available as a compiled module only (no source).
    * gh-118981: Fix potential hang in multiprocessing.popen_spawn_posix that can happen when the child proc dies early by closing the child fds right away.
    * gh-78319: UTF8 support for the IMAP APPEND command has been made RFC compliant.
    * bpo-38735: Fix failure when importing a module from the root directory on unix-like platforms with sys.pycache_prefix set.
    * bpo-41839: Allow negative priority values from os.sched_get_priority_min() and os.sched_get_priority_max() functions.
  * Core and Builtins
    * gh-134466: Don’t run PyREPL in a degraded environment where setting termios attributes is not allowed.
    * gh-71810: Raise OverflowError for (-1).to_bytes() for signed conversions when bytes count is zero. Patch by Sergey B Kirpichev.
    * gh-105487: Remove non-existent `__copy__()`, `__deepcopy__()`, and `__bases__` from the `__dir__()` entries of types.GenericAlias.
    * gh-134163: Fix a hang when the process is out of memory inside an exception handler.
    * gh-138479: Fix a crash when a generic object's `__typing_subst__` returns an object that isn't a tuple.
    * gh-137576: Fix for incorrect source code being shown in tracebacks from the Basic REPL when PYTHONSTARTUP is given. Patch by Adam Hartz.
    * gh-132744: Certain calls now check for runaway recursion and respect the system recursion limit.
  * C API
    * gh-87135: Attempting to acquire the GIL after runtime finalization has begun in a different thread now causes the thread to hang rather than terminate, which avoids potential crashes or memory corruption caused by attempting to terminate a thread that is running code not specifically designed to support termination. In most cases this hanging is harmless since the process will soon exit anyway. While not officially marked deprecated until 3.14, PyThread_exit_thread is no longer called internally and remains solely for interface compatibility. Its behavior is inconsistent across platforms, and it can only be used safely in the unlikely case that every function in the entire call stack has been designed to support the platform-dependent termination mechanism. It is recommended that users of this function change their design to not require thread termination. In the unlikely case that thread termination is needed and can be done safely, users may migrate to calling platform-specific APIs such as pthread_exit (POSIX) or _endthreadex (Windows) directly.
  * Build

    * gh-135734: Python can correctly be configured and built with ./configure --enable-optimizations --disable-test-modules. Previously, the profile data generation step failed due to PGO tests where immortalization couldn’t be properly suppressed.
  * Update to 3.13.7:

  * gh-137583: Fix a deadlock introduced in 3.13.6 when a call to
    ssl.SSLSocket.recv was blocked in one thread, and then another method on the
    object (such as ssl.SSLSocket.send) was subsequently called in another
    thread.

  * gh-137044: Return large limit values as positive integers instead of
    negative integers in resource.getrlimit(). Accept large values and reject
    negative values (except RLIM_INFINITY) for limits in resource.setrlimit().
  * gh-136914: Fix retrieval of doctest.DocTest.lineno for objects decorated
    with functools.cache() or functools.cached_property.
  * gh-131788: Make ResourceTracker.send from multiprocessing re-entrant safe
  * gh-136155: We are now checking for fatal errors in EPUB builds in CI.
  * gh-137400: Fix a crash in the free threading build when disabling profiling
    or tracing across all threads with PyEval_SetProfileAllThreads() or
    PyEval_SetTraceAllThreads() or their Python equivalents
    threading.settrace_all_threads() and threading.setprofile_all_threads().

  * Update to 3.13.6:

  * Security

    * gh-135661: Fix parsing start and end tags in html.parser.HTMLParser according to the HTML5 standard.
    * gh-102555: Fix comment parsing in html.parser.HTMLParser according to the HTML5 standard.
    * CVE-2025-6069: Fix quadratic complexity in processing specially crafted input in html.parser.HTMLParser. End-of-file errors are now handled according to the HTML5 specs – comments and declarations are automatically closed, tags are ignored (gh-135462, bsc#1244705).
    * CVE-2025-8194: tarfile now validates archives to ensure member offsets are non-negative. (gh-130577, bsc#1247249).
    * gh-118350: Fix support of escapable raw text mode (elements “textarea” and “title”) in html.parser.HTMLParser.
  * Core and Builtins
    * gh-58124: Fix name of the Python encoding in Unicode errors of the code page codec: use “cp65000” and “cp65001” instead of “CP_UTF7” and “CP_UTF8” which are not valid Python code names. Patch by Victor Stinner.
    * gh-137314: Fixed a regression where raw f-strings incorrectly interpreted escape sequences in format specifications. Raw f-strings now properly preserve literal backslashes in format specs, matching the behavior from Python 3.11. For example, rf"{obj:\xFF}" now correctly produces '\xFF' instead of 'ÿ'. Patch by Pablo Galindo.
    * gh-136541: Fix some issues with the perf trampolines on x86-64 and aarch64. The trampolines were not being generated correctly for some cases, which could lead to the perf integration not working correctly. Patch by Pablo Galindo.
    * gh-109700: Fix memory error handling in PyDict_SetDefault().
    * gh-78465: Fix error message for `cls.__new__(cls, ...)` where cls is not instantiable builtin or extension type (with tp_new set to NULL).
    * gh-135871: Non-blocking mutex lock attempts now return immediately when the lock is busy instead of briefly spinning in the free threading build.
    * gh-135607: Fix potential weakref races in an object’s destructor on the free threaded build.
    * gh-135496: Fix typo in the f-string conversion type error (“exclamanation” -> “exclamation”).
    * gh-130077: Properly raise custom syntax errors when incorrect syntax containing names that are prefixes of soft keywords is encountered. Patch by Pablo Galindo.
    * gh-135148: Fixed a bug where f-string debug expressions (using =) would incorrectly strip out parts of strings containing escaped quotes and # characters. Patch by Pablo Galindo.
    * gh-133136: Limit excess memory usage in the free threading build when a large dictionary or list is resized and accessed by multiple threads.
    * gh-132617: Fix dict.update() modification check that could incorrectly raise a “dict mutated during update” error when a different dictionary was modified that happens to share the same underlying keys object.
    * gh-91153: Fix a crash when a bytearray is concurrently mutated during item assignment.
    * gh-127971: Fix off-by-one read beyond the end of a string in string search.
    * gh-125723: Fix crash with gi_frame.f_locals when generator frames outlive their generator. Patch by Mikhail Efimov.
  * Library
    * gh-132710: If possible, ensure that uuid.getnode() returns the same result even across different processes. Previously, the result was constant only within the same process. Patch by Bénédikt Tran.
    * gh-137273: Fix debug assertion failure in locale.setlocale() on Windows.
    * gh-137257: Bump the version of pip bundled in ensurepip to version 25.2
    * gh-81325: tarfile.TarFile now accepts a path-like when working on a tar archive. (Contributed by Alexander Enrique Urieles Nieto in gh-81325.)
    * gh-130522: Fix unraisable TypeError raised during interpreter shutdown in the threading module.
    * gh-136549: Fix signature of threading.excepthook().
    * gh-136523: Fix wave.Wave_write emitting an unraisable when open raises.
    * gh-52876: Add missing keepends (default True) parameter to codecs.StreamReaderWriter.readline() and codecs.StreamReaderWriter.readlines().
    * gh-85702: If zoneinfo._common.load_tzdata is given a package without a resource a zoneinfo.ZoneInfoNotFoundError is raised rather than a PermissionError. Patch by Victor Stinner.
    * gh-134759: Fix UnboundLocalError in email.message.Message.get_payload() when the payload to decode is a bytes object. Patch by Kliment Lamonov.
    * gh-136028: Fix parsing month names containing “İ” (U+0130, LATIN CAPITAL LETTER I WITH DOT ABOVE) in time.strptime(). This affects locales az_AZ, ber_DZ, ber_MA and crh_UA.
    * gh-135995: In the palmos encoding, make byte 0x9b decode to › (U+203A - SINGLE RIGHT-POINTING ANGLE QUOTATION MARK).
    * gh-53203: Fix time.strptime() for %c and %x formats on locales byn_ER, wal_ET and lzh_TW, and for %X format on locales ar_SA, bg_BG and lzh_TW.
    * gh-91555: An earlier change, which was introduced in 3.13.4, has been reverted. It disabled logging for a logger during handling of log messages for that logger. Since the reversion, the behaviour should be as it was before 3.13.4.
    * gh-135878: Fixes a crash of types.SimpleNamespace on free threading builds, when several threads were calling its `__repr__()` method at the same time.
    * gh-135836: Fix IndexError in asyncio.loop.create_connection() that could occur when non-OSError exception is raised during connection and socket’s close() raises OSError.
    * gh-135836: Fix IndexError in asyncio.loop.create_connection() that could occur when the Happy Eyeballs algorithm resulted in an empty exceptions list during connection attempts.
    * gh-135855: Raise TypeError instead of SystemError when `_interpreters.set___main___attrs()` is passed a non-dict object. Patch by Brian Schubert.
    * gh-135815: netrc: skip security checks if os.getuid() is missing. Patch by Bénédikt Tran.
    * gh-135640: Address bug where it was possible to call xml.etree.ElementTree.ElementTree.write() on an ElementTree object with an invalid root element. This behavior blanked the file passed to write if it already existed.
    * gh-135444: Fix asyncio.DatagramTransport.sendto() to account for datagram header size when data cannot be sent.
    * gh-135497: Fix os.getlogin() failing for longer usernames on BSD-based platforms.
    * gh-135487: Fix reprlib.Repr.repr_int() when given integers with more than sys.get_int_max_str_digits() digits. Patch by Bénédikt Tran.
    * gh-135335: multiprocessing: Flush stdout and stderr after preloading modules in the forkserver.
    * gh-135244: uuid: when the MAC address cannot be determined, the 48-bit node ID is now generated with a cryptographically-secure pseudo-random number generator (CSPRNG) as per RFC 9562, §6.10.3. This affects uuid1().
    * gh-135069: Fix the “Invalid error handling” exception in encodings.idna.IncrementalDecoder to correctly replace the ‘errors’ parameter.
    * gh-134698: Fix a crash when calling methods of ssl.SSLContext or ssl.SSLSocket across multiple threads.
    * gh-132124: On POSIX-compliant systems, multiprocessing.util.get_temp_dir() now ignores TMPDIR (and similar environment variables) if the path length of AF_UNIX socket files exceeds the platform-specific maximum length when using the forkserver start method. Patch by Bénédikt Tran.
    * gh-133439: Fix dot commands with trailing spaces being mistaken for multi-line SQL statements in the sqlite3 command-line interface.
    * gh-132969: Prevent the ProcessPoolExecutor executor thread, which remains running when shutdown(wait=False), from attempting to adjust the pool’s worker processes after the object state has already been reset during shutdown. A combination of conditions, including a worker process having terminated abnormally, resulted in an exception and a potential hang when the still-running executor thread attempted to replace dead workers within the pool.
    * gh-130664: Support the '_' digit separator in formatting of the integral part of Decimal values. Patch by Sergey B Kirpichev.
    * gh-85702: If zoneinfo._common.load_tzdata is given a package without a resource a ZoneInfoNotFoundError is raised rather than an IsADirectoryError.
    * gh-130664: Handle a corner case in Fraction formatting: treat zero-padding (a zero ('0') character preceding the width field) as equivalent to a fill character of '0' with an alignment type of '=', just as for floats.
  * Tools/Demos
    * gh-135968: Stubs for strip are now provided as part of an iOS install.
  * Tests
    * gh-135966: The iOS testbed now handles the app_packages folder as a site directory.
    * gh-135494: Fix regrtest to support excluding tests from --pgo tests. Patch by Victor Stinner.
    * gh-135489: Show verbose output for failing tests during PGO profiling step with --enable-optimizations.
  * Documentation
    * gh-135171: Document that the iterator for the leftmost for clause in the generator expression is created immediately.
  * Build
    * gh-135497: Fix the detection of MAXLOGNAME in the configure.ac script.
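Two of the library fixes above (gh-135640, where ElementTree.write() on a tree without a root truncated an existing file before failing, and gh-135244, where uuid1() falls back to a random node ID that RFC 9562 §6.10.3 requires to carry the multicast bit) describe behaviours an application can guard against itself, whatever interpreter version it runs on. The following is an added example written for this advisory, not CPython's own code or SUSE's: write_tree_atomically() refuses a rootless tree and replaces the target with a single rename, and private_uuid1() forces a CSPRNG node so the host's real MAC address is never embedded in a UUID. The config.xml contents and element names are constructed sample data.

```python
"""Added example (not from CPython or SUSE): defensive wrappers around two
behaviours that 3.13.11 fixed in the standard library.

gh-135640: writing an ElementTree with no root used to blank an existing
file before raising.  write_tree_atomically() validates the root first and
writes via a temporary file plus os.replace(), so the target is never left
empty, even on an unpatched interpreter.

gh-135244: uuid1() generates a random 48-bit node when no MAC address is
available; RFC 9562 requires such a node to have the multicast bit set.
node_is_random() checks that bit and private_uuid1() always supplies a
CSPRNG-backed node, so no real MAC address leaks into the UUID.
"""
import os
import secrets
import tempfile
import uuid
import xml.etree.ElementTree as ET

# Least significant bit of the first node octet (bit 40 of the 48-bit node):
# the IEEE 802 multicast bit that marks a node as not being a real MAC.
MULTICAST_BIT = 1 << 40


def write_tree_atomically(tree: ET.ElementTree, path: str) -> None:
    """Serialise `tree` to `path` without ever truncating `path` on failure."""
    if tree.getroot() is None:
        # The gh-135640 case: ET.ElementTree() with no root element.
        raise ValueError("refusing to write an ElementTree with no root element")
    directory = os.path.dirname(os.path.abspath(path)) or "."
    fd, tmp_path = tempfile.mkstemp(prefix=".tmp-", dir=directory)
    try:
        with os.fdopen(fd, "wb") as fh:
            tree.write(fh, encoding="utf-8", xml_declaration=True)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp_path, path)  # atomic on POSIX: old content or new, never empty
    except BaseException:
        try:
            os.unlink(tmp_path)
        except FileNotFoundError:
            pass
        raise


def demo_write_protection() -> dict:
    """Show that a bad write leaves an existing file intact and a good write lands."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "config.xml")
        original = b"<config><mode>strict</mode></config>"  # constructed sample content
        with open(path, "wb") as fh:
            fh.write(original)
        try:
            write_tree_atomically(ET.ElementTree(), path)  # rootless tree
            rejected = False
        except ValueError:
            rejected = True
        with open(path, "rb") as fh:
            preserved = fh.read() == original
        new_root = ET.Element("config")
        ET.SubElement(new_root, "mode").text = "audit"
        write_tree_atomically(ET.ElementTree(new_root), path)
        mode = ET.parse(path).getroot().findtext("mode")
        leftovers = [n for n in os.listdir(d) if n.startswith(".tmp-")]
        return {"rejected": rejected, "preserved": preserved,
                "mode": mode, "leftovers": leftovers}


def node_is_random(node: int) -> bool:
    """True when the node carries the multicast bit, i.e. it is not a hardware MAC."""
    return bool(node & MULTICAST_BIT)


def random_node() -> int:
    """A 48-bit node from the OS CSPRNG with the multicast bit set."""
    return int.from_bytes(secrets.token_bytes(6), "big") | MULTICAST_BIT


def private_uuid1() -> uuid.UUID:
    """uuid1 that never embeds the host's real MAC address."""
    return uuid.uuid1(node=random_node())


if __name__ == "__main__":
    print(demo_write_protection())
    u = private_uuid1()
    print(u, "random node:", node_is_random(u.node))
```

The rename-based write is the general pattern for any file a service reads at startup: a crash half way through serialisation leaves either the old file or the new one, never an empty one. Note that uuid1() still embeds a timestamp and clock sequence; if the UUID must reveal nothing about the generating host, use uuid4() instead.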

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".  
Alternatively you can run the command listed for your product:

  * SUSE Linux Enterprise Server 16.0  
    zypper in -t patch SUSE-SLES-16.0-170=1

  * SUSE Linux Enterprise Server for SAP Applications 16.0  
    zypper in -t patch SUSE-SLES-16.0-170=1
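After running the patch command, a practitioner normally wants a machine-checkable confirmation that every installed python313 subpackage is at or above the fixed version listed below (3.13.11-160000.1.1). The following is an added example, not part of this advisory or of SUSE's tooling: it compares version-release strings the way rpm orders them (numeric segments beat alphabetic ones, longer segment lists win ties) and reports subpackages that still need the update. The SAMPLE_OUTPUT is constructed to stand in for `rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' ...` output; rpm's tilde and caret ordering is deliberately not implemented, on the assumption that these package releases do not use them.

```python
"""Added example (not from SUSE): check installed python313 packages against
the fixed version-release from this advisory.

Input is the output of
    rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' python313 python313-base ...
Comparison follows rpmvercmp's main rules; '~' and '^' ordering is omitted
(assumption: not used by these package releases).
"""
import re

FIXED_VR = "3.13.11-160000.1.1"  # version-release from the advisory package list

_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+")


def _cmp_segments(a: str, b: str) -> int:
    """Compare two rpm version or release strings; return -1, 0 or 1."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)  # numeric compare ignores leading zeros
            if xi != yi:
                return (xi > yi) - (xi < yi)
        elif x.isdigit():
            return 1   # a numeric segment is newer than an alphabetic one
        elif y.isdigit():
            return -1
        elif x != y:
            return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # more segments wins


def rpm_vr_compare(a: str, b: str) -> int:
    """Compare 'VERSION-RELEASE' strings: version first, then release."""
    va, ra = a.rsplit("-", 1)
    vb, rb = b.rsplit("-", 1)
    return _cmp_segments(va, vb) or _cmp_segments(ra, rb)


def parse_rpm_query(output: str) -> dict:
    """Turn 'NAME VERSION-RELEASE' lines into {name: version-release}."""
    packages = {}
    for line in output.splitlines():
        line = line.strip()
        if not line or (line.startswith("package ") and line.endswith("is not installed")):
            continue  # rpm -q prints this line for absent packages
        name, vr = line.split()
        packages[name] = vr
    return packages


def vulnerable_packages(output: str, fixed_vr: str = FIXED_VR) -> list:
    """Names of installed packages older than the fixed version-release."""
    return sorted(name for name, vr in parse_rpm_query(output).items()
                  if rpm_vr_compare(vr, fixed_vr) < 0)


# Constructed sample output: one subpackage still on a pre-fix build.
SAMPLE_OUTPUT = """\
python313 3.13.9-160000.1.1
python313-base 3.13.11-160000.1.1
libpython3_13-1_0 3.13.11-160000.2.1
package python313-tk is not installed
"""

if __name__ == "__main__":
    print("still vulnerable:", vulnerable_packages(SAMPLE_OUTPUT))
```

Installing the package does not restart anything: a long-running service that loaded the old libpython3_13 keeps executing the unpatched code until it is restarted, and `zypper ps -s` lists such processes after the update.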

## Package List:

  * SUSE Linux Enterprise Server 16.0 (aarch64 ppc64le s390x x86_64)
    * python313-curses-debuginfo-3.13.11-160000.1.1
    * python313-debuginfo-3.13.11-160000.1.1
    * python313-devel-3.13.11-160000.1.1
    * python313-doc-devhelp-3.13.11-160000.1.1
    * python313-curses-3.13.11-160000.1.1
    * python313-base-debuginfo-3.13.11-160000.1.1
    * python313-idle-3.13.11-160000.1.1
    * python313-tk-debuginfo-3.13.11-160000.1.1
    * python313-core-debugsource-3.13.11-160000.1.1
    * python313-devel-debuginfo-3.13.11-160000.1.1
    * python313-doc-3.13.11-160000.1.1
    * libpython3_13-1_0-3.13.11-160000.1.1
    * python313-3.13.11-160000.1.1
    * python313-dbm-3.13.11-160000.1.1
    * libpython3_13-1_0-debuginfo-3.13.11-160000.1.1
    * python313-base-3.13.11-160000.1.1
    * python313-debugsource-3.13.11-160000.1.1
    * python313-tk-3.13.11-160000.1.1
    * python313-dbm-debuginfo-3.13.11-160000.1.1
    * python313-tools-3.13.11-160000.1.1
  * SUSE Linux Enterprise Server 16.0 (x86_64)
    * libpython3_13-1_0-x86-64-v3-3.13.11-160000.1.1
    * python313-base-x86-64-v3-debuginfo-3.13.11-160000.1.1
    * libpython3_13-1_0-x86-64-v3-debuginfo-3.13.11-160000.1.1
    * python313-base-x86-64-v3-3.13.11-160000.1.1
    * python313-x86-64-v3-3.13.11-160000.1.1
    * python313-x86-64-v3-debuginfo-3.13.11-160000.1.1
  * SUSE Linux Enterprise Server for SAP Applications 16.0 (ppc64le x86_64)
    * python313-curses-debuginfo-3.13.11-160000.1.1
    * python313-debuginfo-3.13.11-160000.1.1
    * python313-devel-3.13.11-160000.1.1
    * python313-doc-devhelp-3.13.11-160000.1.1
    * python313-curses-3.13.11-160000.1.1
    * python313-base-debuginfo-3.13.11-160000.1.1
    * python313-idle-3.13.11-160000.1.1
    * python313-tk-debuginfo-3.13.11-160000.1.1
    * python313-core-debugsource-3.13.11-160000.1.1
    * python313-devel-debuginfo-3.13.11-160000.1.1
    * python313-doc-3.13.11-160000.1.1
    * libpython3_13-1_0-3.13.11-160000.1.1
    * python313-3.13.11-160000.1.1
    * python313-dbm-3.13.11-160000.1.1
    * libpython3_13-1_0-debuginfo-3.13.11-160000.1.1
    * python313-base-3.13.11-160000.1.1
    * python313-debugsource-3.13.11-160000.1.1
    * python313-tk-3.13.11-160000.1.1
    * python313-dbm-debuginfo-3.13.11-160000.1.1
    * python313-tools-3.13.11-160000.1.1
  * SUSE Linux Enterprise Server for SAP Applications 16.0 (x86_64)
    * libpython3_13-1_0-x86-64-v3-3.13.11-160000.1.1
    * python313-base-x86-64-v3-debuginfo-3.13.11-160000.1.1
    * libpython3_13-1_0-x86-64-v3-debuginfo-3.13.11-160000.1.1
    * python313-base-x86-64-v3-3.13.11-160000.1.1
    * python313-x86-64-v3-3.13.11-160000.1.1
    * python313-x86-64-v3-debuginfo-3.13.11-160000.1.1

## References:

  * https://www.suse.com/security/cve/CVE-2025-12084.html
  * https://www.suse.com/security/cve/CVE-2025-13836.html
  * https://www.suse.com/security/cve/CVE-2025-13837.html
  * https://www.suse.com/security/cve/CVE-2025-6069.html
  * https://www.suse.com/security/cve/CVE-2025-6075.html
  * https://www.suse.com/security/cve/CVE-2025-8194.html
  * https://www.suse.com/security/cve/CVE-2025-8291.html
  * https://bugzilla.suse.com/show_bug.cgi?id=1244680
  * https://bugzilla.suse.com/show_bug.cgi?id=1244705
  * https://bugzilla.suse.com/show_bug.cgi?id=1247249
  * https://bugzilla.suse.com/show_bug.cgi?id=1251305
  * https://bugzilla.suse.com/show_bug.cgi?id=1252974
  * https://bugzilla.suse.com/show_bug.cgi?id=1254400
  * https://bugzilla.suse.com/show_bug.cgi?id=1254401
  * https://bugzilla.suse.com/show_bug.cgi?id=1254997
