Package Release Info

python-2.7.18-150000.111.1

Update Info: SUSE-SLE-Module-Packagehub-Subpackages-15-SP7-2026-1206
Available in Package Hub : 15 SP7 Subpackages Updates

platforms

AArch64
ppc64le
s390x
x86-64

subpackages

python

python-curses

python-gdbm

Change Logs

* Fri Mar 27 2026 mcepl@cepl.eu

- Add CVE-2026-4519-webbrowser-open-dashes.patch to reject
  leading dashes in webbrowser URLs (bsc#1260026, CVE-2026-4519,
  gh#python/cpython#143930).

* Wed Mar 25 2026 mcepl@cepl.eu

- Add CVE-2025-13462-tarinfo-header-parse.patch which skips
  TarInfo DIRTYPE normalization during GNU long name handling
  (bsc#1259611, CVE-2025-13462).

* Mon Mar 23 2026 mcepl@cepl.eu

- Add CVE-2026-4224-expat-unbound-C-recursion.patch avoiding
  unbound C recursion in conv_content_model in pyexpat.c
  (bsc#1259735, CVE-2026-4224).

* Mon Mar 23 2026 mcepl@cepl.eu

- Add CVE-2026-3644-cookies-Morsel-update-II.patch to reject
  control characters in http.cookies.Morsel.update() and
  http.cookies.BaseCookie.js_output (bsc#1259734, CVE-2026-3644).

Version: 2.7.18-150000.108.1

* Sat Mar 07 2026 mcepl@suse.com

- Fix the test suite so it is run again.
- Add CVE-2026-1299-email-encode-EOL-headers.patch preventing
  embedded white characters inside of email headers (bsc#1257181,
  CVE-2026-1299, gh#python/cpython#144125).

Version: 2.7.18-150000.105.1

* Wed Feb 25 2026 mcepl@suse.com

- Add CVE-2024-7592-quad-complex-cookies.patch (bsc#1229596,
  CVE-2024-7592), which fixes quadratic complexity in parsing
  "-quoted cookie values with backslashes by http.cookies.

* Sat Feb 14 2026 mcepl@suse.com

- CVE-2026-0672: rejects control characters in http cookies.
  (bsc#1257031, gh#python/cpython#143919)
  CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch
- CVE-2026-0865: rejecting control characters in
  wsgiref.headers.Headers, which could be abused for injecting
  false HTTP headers. (bsc#1257042, gh#python/cpython#143916)
  CVE-2026-0865-wsgiref-ctrl-chars.patch
- CVE-2025-15366: basically the same as the previous patch for
  IMAP protocol. (bsc#1257044, gh#python/cpython#143921)
  CVE-2025-15366-imap-ctrl-chars.patch
- CVE-2025-15367: basically the same as the previous patch for
  poplib library. (bsc#1257041, gh#python/cpython#143923)
  CVE-2025-15367-poplib-ctrl-chars.patch

* Fri Nov 14 2025 mcepl@suse.com

- Add CVE-2025-6075-expandvars-perf-degrad.patch avoid simple
  quadratic complexity vulnerabilities of os.path.expandvars()
  (CVE-2025-6075, bsc#1252974).

Version: 2.7.18-150000.102.1

* Fri Feb 13 2026 mcepl@suse.com

- CVE-2026-0672: rejects control characters in http cookies.
  (bsc#1257031, gh#python/cpython#143919)
  CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch
- CVE-2026-0865: rejecting control characters in
  wsgiref.headers.Headers, which could be abused for injecting
  false HTTP headers. (bsc#1257042, gh#python/cpython#143916)
  CVE-2026-0865-wsgiref-ctrl-chars.patch
- CVE-2025-15366: basically the same as the previous patch for
  IMAP protocol. (bsc#1257044, gh#python/cpython#143921)
  CVE-2025-15366-imap-ctrl-chars.patch
- CVE-2025-15367: basically the same as the previous patch for
  poplib library. (bsc#1257041, gh#python/cpython#143923)
  CVE-2025-15367-poplib-ctrl-chars.patch

* Fri Feb 13 2026 nico.krapp@suse.com

- Add add-zlib-eof-attribute.patch, needed for python-urllib3
  CVE fix (bsc#1254867)