<div class="container">
    <h1>Security update for python313</h1>

    <table class="table table-striped table-bordered">
        <tbody>
        <tr>
            <th>Announcement ID:</th>
            <td>SUSE-SU-2025:3706-1</td>
        </tr>
        <tr>
            <th>Release Date:</th>
            <td>2025-10-21T15:07:42Z</td>
        </tr>
        
        <tr>
            <th>Rating:</th>
            <td>moderate</td>
        </tr>
        <tr>
            <th>References:</th>
            <td>
                <ul>
                    
                        <li style="display: inline;">
                            <a href="https://bugzilla.suse.com/show_bug.cgi?id=1244705">bsc#1244705</a>
                        </li>
                    
                        <li style="display: inline;">
                            <a href="https://bugzilla.suse.com/show_bug.cgi?id=1247249">bsc#1247249</a>
                        </li>
                    
                    
                </ul>
            </td>
        </tr>
        
            <tr>
                <th>
                    Cross-References:
                </th>
                <td>
                    <ul>
                    
                        <li style="display: inline;">
                            <a href="https://www.suse.com/security/cve/CVE-2025-6069.html">CVE-2025-6069</a>
                        </li>
                    
                        <li style="display: inline;">
                            <a href="https://www.suse.com/security/cve/CVE-2025-8194.html">CVE-2025-8194</a>
                        </li>
                    
                    </ul>
                </td>
            </tr>
            <tr>
                <th>CVSS scores:</th>
                <td>
                    <ul class="list-group">
                        
                            <li class="list-group-item">
                                <span class="cvss-reference">CVE-2025-6069</span>
                                <span class="cvss-source">
                                    (
                                    
                                        SUSE
                                    
                                    ):
                                </span>
                                <span class="cvss-score">6.9</span>
                                <span class="cvss-vector">CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H</span>
                            </li>
                        
                            <li class="list-group-item">
                                <span class="cvss-reference">CVE-2025-6069</span>
                                <span class="cvss-source">
                                    (
                                    
                                        SUSE
                                    
                                    ):
                                </span>
                                <span class="cvss-score">6.8</span>
                                <span class="cvss-vector">CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H</span>
                            </li>
                        
                            <li class="list-group-item">
                                <span class="cvss-reference">CVE-2025-6069</span>
                                <span class="cvss-source">
                                    (
                                    
                                        NVD
                                    
                                    ):
                                </span>
                                <span class="cvss-score">4.3</span>
                                <span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</span>
                            </li>
                        
                            <li class="list-group-item">
                                <span class="cvss-reference">CVE-2025-8194</span>
                                <span class="cvss-source">
                                    (
                                    
                                        SUSE
                                    
                                    ):
                                </span>
                                <span class="cvss-score">7.1</span>
                                <span class="cvss-vector">CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N</span>
                            </li>
                        
                            <li class="list-group-item">
                                <span class="cvss-reference">CVE-2025-8194</span>
                                <span class="cvss-source">
                                    (
                                    
                                        SUSE
                                    
                                    ):
                                </span>
                                <span class="cvss-score">6.5</span>
                                <span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H</span>
                            </li>
                        
                            <li class="list-group-item">
                                <span class="cvss-reference">CVE-2025-8194</span>
                                <span class="cvss-source">
                                    (
                                    
                                        NVD
                                    
                                    ):
                                </span>
                                <span class="cvss-score">7.5</span>
                                <span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</span>
                            </li>
                        
                    </ul>
                </td>
            </tr>
        
        <tr>
            <th>Affected Products:</th>
            <td>
                <ul class="list-group">
                    
                        <li class="list-group-item">Python 3 Module 15-SP7</li>
                    
                        <li class="list-group-item">SUSE Linux Enterprise Desktop 15 SP7</li>
                    
                        <li class="list-group-item">SUSE Linux Enterprise Server 15 SP7</li>
                    
                        <li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 15 SP7</li>
                    
                </ul>
            </td>
        </tr>
        </tbody>
    </table>

    <p>An update that solves two vulnerabilities can now be installed.</p>

    


    
        <h2>Description:</h2>
    
    <p>This update for python313 fixes the following issues:</p>
<p>Update to version 3.13.7.</p>
<ul>
<li>Fixes in 3.13.7:</li>
<li>gh-137583: Fix a deadlock introduced in 3.13.6 when a call
    to ssl.SSLSocket.recv was blocked in one thread, and then
    another method on the object (such as ssl.SSLSocket.send) was
    subsequently called in another thread.</li>
<li>gh-137044: Return large limit values as positive integers
    instead of negative integers in resource.getrlimit().
    Accept large values and reject negative values (except
    RLIM_INFINITY) for limits in resource.setrlimit().</li>
<li>gh-136914: Fix retrieval of doctest.DocTest.lineno
    for objects decorated with functools.cache() or
    functools.cached_property.</li>
<li>gh-131788: Make ResourceTracker.send from multiprocessing
    re-entrant safe</li>
<li>gh-136155: We are now checking for fatal errors in EPUB
    builds in CI.</li>
<li>
<p>gh-137400: Fix a crash in the free threading build when
    disabling profiling or tracing across all threads with
    PyEval_SetProfileAllThreads() or PyEval_SetTraceAllThreads()
    or their Python equivalents threading.settrace_all_threads()
    and threading.setprofile_all_threads().</p>
</li>
<li>
<p>Fixes in 3.13.6:</p>
</li>
<li>Security<ul>
<li>gh-135661: Fix parsing start and end tags in
  html.parser.HTMLParser according to the HTML5 standard.<ul>
<li>Whitespaces are no longer accepted between &lt;/ and the tag
  name. E.g. &lt;/ script&gt; does not end the script section.</li>
<li>Vertical tabulation (\v) and non-ASCII whitespaces no
  longer recognized as whitespaces. The only whitespaces
  are \t\n\r\f and space.</li>
<li>Null character (U+0000) no longer ends the tag name.</li>
<li>Attributes and slashes after the tag name in end tags
  are now ignored, instead of terminating after the first
  &gt; in quoted attribute value. E.g. &lt;/script/foo="&gt;"/&gt;.</li>
<li>Multiple slashes and whitespaces between the last
  attribute and closing &gt; are now ignored in both start
  and end tags. E.g. &lt;a foo=bar/ //&gt;.</li>
<li>Multiple = between attribute name and value are no
  longer collapsed. E.g. &lt;a foo==bar&gt; produces attribute
  “foo” with value “=bar”.</li>
</ul>
</li>
<li>gh-102555: Fix comment parsing in html.parser.HTMLParser
  according to the HTML5 standard. --!&gt; now ends the comment.
  -- &gt; no longer ends the comment. Support abnormally ended
  empty comments &lt;--&gt; and &lt;---&gt;.</li>
<li>gh-135462: Fix quadratic complexity in processing specially
  crafted input in html.parser.HTMLParser. End-of-file errors
  are now handled according to the HTML5 specs – comments and
  declarations are automatically closed, tags are ignored
  (CVE-2025-6069, bsc#1244705).</li>
<li>gh-118350: Fix support of escapable raw text mode (elements
  “textarea” and “title”) in html.parser.HTMLParser.</li>
</ul>
</li>
<li>Core and Builtins<ul>
<li>gh-58124: Fix name of the Python encoding in Unicode errors
  of the code page codec: use “cp65000” and “cp65001” instead
  of “CP_UTF7” and “CP_UTF8” which are not valid Python code
  names. Patch by Victor Stinner.</li>
<li>gh-137314: Fixed a regression where raw f-strings
  incorrectly interpreted escape sequences in format
  specifications. Raw f-strings now properly preserve literal
  backslashes in format specs, matching the behavior from
  Python 3.11. For example, rf"{obj:\xFF}" now correctly
  produces &#x27;\xFF&#x27; instead of &#x27;ÿ&#x27;. Patch by Pablo Galindo.</li>
<li>gh-136541: Fix some issues with the perf trampolines
  on x86-64 and aarch64. The trampolines were not being
  generated correctly for some cases, which could lead to
  the perf integration not working correctly. Patch by Pablo
  Galindo.</li>
<li>gh-109700: Fix memory error handling in
  PyDict_SetDefault().</li>
<li>gh-78465: Fix error message for cls.__new__(cls, ...) where
  cls is not instantiable builtin or extension type (with
  tp_new set to NULL).</li>
<li>gh-135871: Non-blocking mutex lock attempts now return
  immediately when the lock is busy instead of briefly
  spinning in the free threading build.</li>
<li>gh-135607: Fix potential weakref races in an object’s
  destructor on the free threaded build.</li>
<li>gh-135496: Fix typo in the f-string conversion type error
  (“exclamanation” -> “exclamation”).</li>
<li>gh-130077: Properly raise custom syntax errors when
  incorrect syntax containing names that are prefixes of soft
  keywords is encountered. Patch by Pablo Galindo.</li>
<li>gh-135148: Fixed a bug where f-string debug expressions
  (using =) would incorrectly strip out parts of strings
  containing escaped quotes and # characters. Patch by Pablo
  Galindo.</li>
<li>gh-133136: Limit excess memory usage in the free threading
  build when a large dictionary or list is resized and
  accessed by multiple threads.</li>
<li>gh-132617: Fix dict.update() modification check that could
  incorrectly raise a “dict mutated during update” error when
  a different dictionary was modified that happens to share
  the same underlying keys object.</li>
<li>gh-91153: Fix a crash when a bytearray is concurrently
  mutated during item assignment.</li>
<li>gh-127971: Fix off-by-one read beyond the end of a string
  in string search.</li>
<li>gh-125723: Fix crash with gi_frame.f_locals when generator
  frames outlive their generator. Patch by Mikhail Efimov.</li>
</ul>
</li>
<li>Library<ul>
<li>gh-132710: If possible, ensure that uuid.getnode()
  returns the same result even across different processes.
  Previously, the result was constant only within the same
  process. Patch by Bénédikt Tran.</li>
<li>gh-137273: Fix debug assertion failure in
  locale.setlocale() on Windows.</li>
<li>gh-137257: Bump the version of pip bundled in ensurepip to
  version 25.2</li>
<li>gh-81325: tarfile.TarFile now accepts a path-like when
  working on a tar archive. (Contributed by Alexander Enrique
  Urieles Nieto in gh-81325.)</li>
<li>gh-130522: Fix unraisable TypeError raised during
  interpreter shutdown in the threading module.</li>
<li>gh-130577: tarfile now validates archives to ensure member
  offsets are non-negative. (Contributed by Alexander Enrique
  Urieles Nieto in gh-130577; CVE-2025-8194, bsc#1247249).</li>
<li>gh-136549: Fix signature of threading.excepthook().</li>
<li>gh-136523: Fix wave.Wave_write emitting an unraisable when
  open raises.</li>
<li>gh-52876: Add missing keepends (default True)
  parameter to codecs.StreamReaderWriter.readline() and
  codecs.StreamReaderWriter.readlines().</li>
<li>gh-85702: If zoneinfo._common.load_tzdata is given a
  package without a resource a zoneinfo.ZoneInfoNotFoundError
  is raised rather than a PermissionError. Patch by Victor
  Stinner.</li>
<li>gh-134759: Fix UnboundLocalError in
  email.message.Message.get_payload() when the payload to
  decode is a bytes object. Patch by Kliment Lamonov.</li>
<li>gh-136028: Fix parsing month names containing “İ” (U+0130,
  LATIN CAPITAL LETTER I WITH DOT ABOVE) in time.strptime().
  This affects locales az_AZ, ber_DZ, ber_MA and crh_UA.</li>
<li>gh-135995: In the palmos encoding, make byte 0x9b decode to
  › (U+203A - SINGLE RIGHT-POINTING ANGLE QUOTATION MARK).</li>
<li>gh-53203: Fix time.strptime() for %c and %x formats on
  locales byn_ER, wal_ET and lzh_TW, and for %X format on
  locales ar_SA, bg_BG and lzh_TW.</li>
<li>gh-91555: An earlier change, which was introduced in
  3.13.4, has been reverted. It disabled logging for a logger
  during handling of log messages for that logger. Since the
  reversion, the behaviour should be as it was before 3.13.4.</li>
<li>gh-135878: Fixes a crash of types.SimpleNamespace on free
  threading builds, when several threads were calling its
  __repr__() method at the same time.</li>
<li>gh-135836: Fix IndexError in
  asyncio.loop.create_connection() that could occur when
  non-OSError exception is raised during connection and
  socket’s close() raises OSError.</li>
<li>gh-135836: Fix IndexError in
  asyncio.loop.create_connection() that could occur when the
  Happy Eyeballs algorithm resulted in an empty exceptions
  list during connection attempts.</li>
<li>gh-135855: Raise TypeError instead of SystemError when
  _interpreters.set___main___attrs() is passed a non-dict
  object. Patch by Brian Schubert.</li>
<li>gh-135815: netrc: skip security checks if os.getuid() is
  missing. Patch by Bénédikt Tran.</li>
<li>gh-135640: Address bug where it was possible to call
  xml.etree.ElementTree.ElementTree.write() on an ElementTree
  object with an invalid root element. This behavior blanked
  the file passed to write if it already existed.</li>
<li>gh-135444: Fix asyncio.DatagramTransport.sendto() to
  account for datagram header size when data cannot be sent.</li>
<li>gh-135497: Fix os.getlogin() failing for longer usernames
  on BSD-based platforms.</li>
<li>gh-135487: Fix reprlib.Repr.repr_int() when given integers
  with more than sys.get_int_max_str_digits() digits. Patch
  by Bénédikt Tran.</li>
<li>gh-135335: multiprocessing: Flush stdout and stderr after
  preloading modules in the forkserver.</li>
<li>gh-135244: uuid: when the MAC address cannot be
  determined, the 48-bit node ID is now generated with a
  cryptographically-secure pseudo-random number generator
  (CSPRNG) as per RFC 9562, §6.10.3. This affects uuid1().</li>
<li>gh-135069: Fix the “Invalid error handling” exception in
  encodings.idna.IncrementalDecoder to correctly replace the
  ‘errors’ parameter.</li>
<li>gh-134698: Fix a crash when calling methods of
  ssl.SSLContext or ssl.SSLSocket across multiple threads.</li>
<li>gh-132124: On POSIX-compliant systems,
  multiprocessing.util.get_temp_dir() now ignores TMPDIR
  (and similar environment variables) if the path length of
  AF_UNIX socket files exceeds the platform-specific maximum
  length when using the forkserver start method. Patch by
  Bénédikt Tran.</li>
<li>gh-133439: Fix dot commands with trailing spaces being
  mistaken for multi-line SQL statements in the sqlite3
  command-line interface.</li>
<li>gh-132969: Prevent the ProcessPoolExecutor executor thread,
  which remains running when shutdown(wait=False), from
  attempting to adjust the pool’s worker processes after
  the object state has already been reset during shutdown.
  A combination of conditions, including a worker process
  having terminated abnormally, resulted in an exception and
  a potential hang when the still-running executor thread
  attempted to replace dead workers within the pool.</li>
<li>gh-130664: Support the &#x27;_&#x27; digit separator in formatting
  of the integral part of Decimal’s. Patch by Sergey B
  Kirpichev.</li>
<li>gh-85702: If zoneinfo._common.load_tzdata is given a
  package without a resource, a ZoneInfoNotFoundError is
  raised rather than an IsADirectoryError.</li>
<li>gh-130664: Handle corner-case for Fraction’s formatting:
  treat zero-padding (preceding the width field by a zero
  (&#x27;0&#x27;) character) as an equivalent to a fill character of
  &#x27;0&#x27; with an alignment type of &#x27;=&#x27;, just as in case of
  float’s.</li>
</ul>
</li>
<li>Tools/Demos<ul>
<li>gh-135968: Stubs for strip are now provided as part of an
  iOS install.</li>
</ul>
</li>
<li>Tests<ul>
<li>gh-135966: The iOS testbed now handles the app_packages
  folder as a site directory.</li>
<li>gh-135494: Fix regrtest to support excluding tests from
  --pgo tests. Patch by Victor Stinner.</li>
<li>gh-135489: Show verbose output for failing tests during PGO
  profiling step with --enable-optimizations.</li>
</ul>
</li>
<li>Documentation<ul>
<li>gh-135171: Document that the iterator for the leftmost for
  clause in the generator expression is created immediately.</li>
</ul>
</li>
<li>Build<ul>
<li>gh-135497: Fix the detection of MAXLOGNAME in the
  configure.ac script.</li>
</ul>
</li>
</ul>



    

    <h2>Patch Instructions:</h2>
    <p>
        To install this SUSE update, use the SUSE recommended
        installation methods like YaST online_update or "zypper patch".<br/>

        Alternatively you can run the command listed for your product:
    </p>
    <ul class="list-group">
        
            <li class="list-group-item">
                Python 3 Module 15-SP7
                
                    
                        <br/>
                        <code>zypper in -t patch SUSE-SLE-Module-Python3-15-SP7-2025-3706=1</code>
                    
                    
                
            </li>
        
    </ul>

    <h2>Package List:</h2>
    <ul>
        
            
                <li>
                    Python 3 Module 15-SP7 (aarch64 ppc64le s390x x86_64)
                    <ul>
                        
                            <li>python313-idle-3.13.7-150700.4.23.1</li>
                        
                            <li>python313-curses-debuginfo-3.13.7-150700.4.23.1</li>
                        
                            <li>python313-base-debuginfo-3.13.7-150700.4.23.1</li>
                        
                            <li>python313-core-debugsource-3.13.7-150700.4.23.1</li>
                        
                            <li>python313-debugsource-3.13.7-150700.4.23.1</li>
                        
                            <li>python313-dbm-debuginfo-3.13.7-150700.4.23.1</li>
                        
                            <li>python313-debuginfo-3.13.7-150700.4.23.1</li>
                        
                            <li>python313-devel-3.13.7-150700.4.23.1</li>
                        
                            <li>libpython3_13-1_0-debuginfo-3.13.7-150700.4.23.1</li>
                        
                            <li>python313-base-3.13.7-150700.4.23.1</li>
                        
                            <li>python313-3.13.7-150700.4.23.1</li>
                        
                            <li>python313-tk-debuginfo-3.13.7-150700.4.23.1</li>
                        
                            <li>python313-curses-3.13.7-150700.4.23.1</li>
                        
                            <li>python313-dbm-3.13.7-150700.4.23.1</li>
                        
                            <li>python313-tk-3.13.7-150700.4.23.1</li>
                        
                            <li>libpython3_13-1_0-3.13.7-150700.4.23.1</li>
                        
                            <li>python313-tools-3.13.7-150700.4.23.1</li>
                        
                    </ul>
                </li>
            
        
    </ul>

    
        <h2>References:</h2>
        <ul>
            
                
                    <li>
                        <a href="https://www.suse.com/security/cve/CVE-2025-6069.html">https://www.suse.com/security/cve/CVE-2025-6069.html</a>
                    </li>
                
            
                
                    <li>
                        <a href="https://www.suse.com/security/cve/CVE-2025-8194.html">https://www.suse.com/security/cve/CVE-2025-8194.html</a>
                    </li>
                
            
                
                    <li>
                        <a href="https://bugzilla.suse.com/show_bug.cgi?id=1244705">https://bugzilla.suse.com/show_bug.cgi?id=1244705</a>
                    </li>
                
            
                
                    <li>
                        <a href="https://bugzilla.suse.com/show_bug.cgi?id=1247249">https://bugzilla.suse.com/show_bug.cgi?id=1247249</a>
                    </li>
                
            
        </ul>
    
</div>