Описание
Security update for python310
This update for python310 fixes the following issues:
python310 was updated from version 3.10.16 to 3.10.18:
-
Security issues fixed:
- CVE-2025-4516: Fixed blocking DecodeError handling vulnerability, which could lead to DoS (bsc#1243273)
- CVE-2024-12718, CVE-2025-4138, CVE-2025-4330, CVE-2025-4517: Fixed multiple issues that allowed tarfile extraction filters to be bypassed using crafted symlinks and hard links (bsc#1244056, bsc#1244059, bsc#1244060, bsc#1244032)
-
Other changes and bugs fixed:
- Improved handling of system call failures that OpenSSL reports (bsc#1241067)
- Fixed issue with test_ssl pass with OpenSSL 3.5 (bsc#1241067)
- Fixed issue with reproducible builds (bsc#1239210)
- Fixed a potential denial of service vulnerability in the imaplib module.
- Fixed bugs in the in the folding of rfc2047 encoded-words and in the folding of quoted strings when flattening an email message using a modern email policy.
- Fixed parsing long IPv6 addresses with embedded IPv4 address.
- Fixed ipaddress.IPv6Address.reverse_pointer output according to RFC 3596
- Improved handling of system call failures that OpenSSL reports
- Improved the textual representation of IPv4-mapped IPv6 addresses in ipaddress.
- ipaddress: fixed hash collisions for IPv4Network and IPv6Network objects
- os.path.realpath() now accepts a strict keyword-only argument.
- Stop the processing of long IPv6 addresses early in ipaddress to prevent excessive memory consumption and a minor denial-of-service.
- Updated bundled libexpat to 2.7.1
- Writers of documentation can now use next as the version for the versionchanged, versionadded, deprecated directives.
Список пакетов
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS
SUSE Linux Enterprise Server 15 SP4-LTSS
SUSE Linux Enterprise Server for SAP Applications 15 SP4
openSUSE Leap 15.6
Ссылки
- Link for SUSE-SU-2025:02047-1
- E-Mail link for SUSE-SU-2025:02047-1
- SUSE Security Ratings
- SUSE Bug 1239210
- SUSE Bug 1241067
- SUSE Bug 1243273
- SUSE Bug 1244032
- SUSE Bug 1244056
- SUSE Bug 1244059
- SUSE Bug 1244060
- SUSE CVE CVE-2024-12718 page
- SUSE CVE CVE-2025-4138 page
- SUSE CVE CVE-2025-4330 page
- SUSE CVE CVE-2025-4516 page
- SUSE CVE CVE-2025-4517 page
Описание
Allows modifying some file metadata (e.g. last modified) with filter="data" or file permissions (chmod) with filter="tar" of files outside the extraction directory. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of "data" or "tar". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter for more information. Only Python versions 3.12 or later are affected by these vulnerabilities, earlier versions don't include the extraction filter feature. Note that for Python 3.14 or later the default value of filter= changed from "no filtering" to `"data", so if you are relying on this new default behavior then your usage is also affected. Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.
Затронутые продукты
Ссылки
- CVE-2024-12718
- SUSE Bug 1244056
Описание
Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of "data" or "tar". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter for more information. Only Python versions 3.12 or later are affected by these vulnerabilities, earlier versions don't include the extraction filter feature. Note that for Python 3.14 or later the default value of filter= changed from "no filtering" to `"data", so if you are relying on this new default behavior then your usage is also affected. Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.
Затронутые продукты
Ссылки
- CVE-2025-4138
- SUSE Bug 1244059
Описание
Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of "data" or "tar". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter for more information. Only Python versions 3.12 or later are affected by these vulnerabilities, earlier versions don't include the extraction filter feature. Note that for Python 3.14 or later the default value of filter= changed from "no filtering" to `"data", so if you are relying on this new default behavior then your usage is also affected. Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.
Затронутые продукты
Ссылки
- CVE-2025-4330
- SUSE Bug 1244060
Описание
There is an issue in CPython when using `bytes.decode("unicode_escape", error="ignore|replace")`. If you are not using the "unicode_escape" encoding or an error handler your usage is not affected. To work-around this issue you may stop using the error= handler and instead wrap the bytes.decode() call in a try-except catching the DecodeError.
Затронутые продукты
Ссылки
- CVE-2025-4516
- SUSE Bug 1243273
Описание
Allows arbitrary filesystem writes outside the extraction directory during extraction with filter="data". You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of "data" or "tar". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter for more information. Only Python versions 3.12 or later are affected by these vulnerabilities, earlier versions don't include the extraction filter feature. Note that for Python 3.14 or later the default value of filter= changed from "no filtering" to `"data", so if you are relying on this new default behavior then your usage is also affected. Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.
Затронутые продукты
Ссылки
- CVE-2025-4517
- SUSE Bug 1244032