Описание
Security update for python
This update for python fixes the following issues:
- CVE-2025-6075: Fixed performance degradation when using os.path.expandvars() (bsc#1252974).
- CVE-2026-0672: Fixed a HTTP header injection via user-controlled cookie values and parameters when using http.cookies.Morsel. (bsc#1257031)
- CVE-2026-0865: Fixed a bug where a user-controlled header containing newlines can allow injecting HTTP headers. (bsc#1257042)
- CVE-2025-15366: Fixed a bug wherer a user-controlled command can allow additional commands injected using newlines. (bsc#1257044)
- CVE-2025-15367: Fixed control characters which may allow the injection of additional commands. (bsc#1257041)
Список пакетов
SUSE Linux Enterprise Server 12 SP5-LTSS
libpython2_7-1_0-2.7.18-33.63.1
libpython2_7-1_0-32bit-2.7.18-33.63.1
python-2.7.18-33.63.1
python-32bit-2.7.18-33.63.1
python-base-2.7.18-33.63.1
python-base-32bit-2.7.18-33.63.1
python-curses-2.7.18-33.63.1
python-demo-2.7.18-33.63.1
python-devel-2.7.18-33.63.1
python-doc-2.7.18-33.63.1
python-doc-pdf-2.7.18-33.63.1
python-gdbm-2.7.18-33.63.1
python-idle-2.7.18-33.63.1
python-tk-2.7.18-33.63.1
python-xml-2.7.18-33.63.1
SUSE Linux Enterprise Server LTSS Extended Security 12 SP5
libpython2_7-1_0-2.7.18-33.63.1
libpython2_7-1_0-32bit-2.7.18-33.63.1
python-2.7.18-33.63.1
python-32bit-2.7.18-33.63.1
python-base-2.7.18-33.63.1
python-base-32bit-2.7.18-33.63.1
python-curses-2.7.18-33.63.1
python-demo-2.7.18-33.63.1
python-devel-2.7.18-33.63.1
python-doc-2.7.18-33.63.1
python-doc-pdf-2.7.18-33.63.1
python-gdbm-2.7.18-33.63.1
python-idle-2.7.18-33.63.1
python-tk-2.7.18-33.63.1
python-xml-2.7.18-33.63.1
Ссылки
- Link for SUSE-SU-2026:0663-1
- E-Mail link for SUSE-SU-2026:0663-1
- SUSE Security Ratings
- SUSE Bug 1252974
- SUSE Bug 1254867
- SUSE Bug 1257031
- SUSE Bug 1257041
- SUSE Bug 1257042
- SUSE Bug 1257044
- SUSE Bug 1257064
- SUSE CVE CVE-2025-15366 page
- SUSE CVE CVE-2025-15367 page
- SUSE CVE CVE-2025-6075 page
- SUSE CVE CVE-2026-0672 page
- SUSE CVE CVE-2026-0865 page
Описание
The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.
Затронутые продукты
SUSE Linux Enterprise Server 12 SP5-LTSS:libpython2_7-1_0-2.7.18-33.63.1
SUSE Linux Enterprise Server 12 SP5-LTSS:libpython2_7-1_0-32bit-2.7.18-33.63.1
SUSE Linux Enterprise Server 12 SP5-LTSS:python-2.7.18-33.63.1
SUSE Linux Enterprise Server 12 SP5-LTSS:python-32bit-2.7.18-33.63.1
Ссылки
- CVE-2025-15366
- SUSE Bug 1257044
Описание
The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.
Затронутые продукты
SUSE Linux Enterprise Server 12 SP5-LTSS:libpython2_7-1_0-2.7.18-33.63.1
SUSE Linux Enterprise Server 12 SP5-LTSS:libpython2_7-1_0-32bit-2.7.18-33.63.1
SUSE Linux Enterprise Server 12 SP5-LTSS:python-2.7.18-33.63.1
SUSE Linux Enterprise Server 12 SP5-LTSS:python-32bit-2.7.18-33.63.1
Ссылки
- CVE-2025-15367
- SUSE Bug 1257041
Описание
If the value passed to os.path.expandvars() is user-controlled a performance degradation is possible when expanding environment variables.
Затронутые продукты
SUSE Linux Enterprise Server 12 SP5-LTSS:libpython2_7-1_0-2.7.18-33.63.1
SUSE Linux Enterprise Server 12 SP5-LTSS:libpython2_7-1_0-32bit-2.7.18-33.63.1
SUSE Linux Enterprise Server 12 SP5-LTSS:python-2.7.18-33.63.1
SUSE Linux Enterprise Server 12 SP5-LTSS:python-32bit-2.7.18-33.63.1
Ссылки
- CVE-2025-6075
- SUSE Bug 1252974
Описание
When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.
Затронутые продукты
SUSE Linux Enterprise Server 12 SP5-LTSS:libpython2_7-1_0-2.7.18-33.63.1
SUSE Linux Enterprise Server 12 SP5-LTSS:libpython2_7-1_0-32bit-2.7.18-33.63.1
SUSE Linux Enterprise Server 12 SP5-LTSS:python-2.7.18-33.63.1
SUSE Linux Enterprise Server 12 SP5-LTSS:python-32bit-2.7.18-33.63.1
Ссылки
- CVE-2026-0672
- SUSE Bug 1257031
Описание
User-controlled header names and values containing newlines can allow injecting HTTP headers.
Затронутые продукты
SUSE Linux Enterprise Server 12 SP5-LTSS:libpython2_7-1_0-2.7.18-33.63.1
SUSE Linux Enterprise Server 12 SP5-LTSS:libpython2_7-1_0-32bit-2.7.18-33.63.1
SUSE Linux Enterprise Server 12 SP5-LTSS:python-2.7.18-33.63.1
SUSE Linux Enterprise Server 12 SP5-LTSS:python-32bit-2.7.18-33.63.1
Ссылки
- CVE-2026-0865
- SUSE Bug 1257042