Описание
Security update for python312
This update for python312 fixes the following issues:
- CVE-2025-0938: Functions
urllib.parse.urlsplitandurlparseaccept domain names including square brackets (bsc#1236705). - CVE-2024-12254: Unbounded memory buffering in SelectorSocketTransport.writelines() (bsc#1234290).
Other bugfixes:
- Position of SUSE Python interpreters on Externally managed environments (bsc#1228165).
Список пакетов
Container bci/python:latest
SUSE Linux Enterprise Module for Python 3 15 SP6
openSUSE Leap 15.6
Ссылки
- Link for SUSE-SU-2025:0521-1
- E-Mail link for SUSE-SU-2025:0521-1
- SUSE Security Ratings
- SUSE Bug 1228165
- SUSE Bug 1234290
- SUSE Bug 1236705
- SUSE CVE CVE-2024-12254 page
- SUSE CVE CVE-2025-0938 page
Описание
Starting in Python 3.12.0, the asyncio._SelectorSocketTransport.writelines() method would not "pause" writing and signal to the Protocol to drain the buffer to the wire once the write buffer reached the "high-water mark". Because of this, Protocols would not periodically drain the write buffer potentially leading to memory exhaustion. This vulnerability likely impacts a small number of users, you must be using Python 3.12.0 or later, on macOS or Linux, using the asyncio module with protocols, and using .writelines() method which had new zero-copy-on-write behavior in Python 3.12.0 and later. If not all of these factors are true then your usage of Python is unaffected.
Затронутые продукты
Ссылки
- CVE-2024-12254
- SUSE Bug 1234290
Описание
The Python standard library functions `urllib.parse.urlsplit` and `urlparse` accepted domain names that included square brackets which isn't valid according to RFC 3986. Square brackets are only meant to be used as delimiters for specifying IPv6 and IPvFuture hosts in URLs. This could result in differential parsing across the Python URL parser and other specification-compliant URL parsers.
Затронутые продукты
Ссылки
- CVE-2025-0938
- SUSE Bug 1236705