| AArch64 | |
| ppc64le | |
| s390x | |
| x86-64 | |

- Add updated version of the pip wheel pip-10.0.1-py2.py3-none-any.whl, which fixes:
  - CVE-2026-6357: pip self-update functionality can import newly installed modules after wheel installation (bsc#1263442)
  - CVE-2026-3219: pip doesn't reject concatenated ZIP (bsc#1262429)
  - CVE-2026-1703: (bsc#1257599, CVE-2026-1703, gh#pypa/pip#13777)
- Add CVE-2026-6019-Morsel-js_output.patch, which protects against HTML injection by Base64-encoding cookie values embedded in JS (bsc#1262654, CVE-2026-6019, gh#python/cpython#90309).
- Add CVE-2026-4786-webbrowser-open-action.patch, which fixes webbrowser %action substitution bypass of dash-prefix check (bsc#1262319, CVE-2026-4786, gh#python/cpython#148169).
- Add CVE-2026-6100-use-after-free-decompression.patch preventing a dangling pointer, which can end in a use-after-free error (CVE-2026-6100, bsc#1262098, gh#python/cpython#148395).
- Add skip-windows-test-aarch64.patch to skip an obviously Windows API test, which has no business being tested on SLE-12/aarch64, where it is failing.
- For SLE-12-SP1 use vendored libffi (bsc#1261652). We have libffi4.so from SP3 only.
- Add CVE-2026-3446-base64-padding.patch preventing ignoring excess Base64 data after the first padded quad (bsc#1261970, CVE-2026-3446, gh#python/cpython#145264).
- Add CVE-2026-3479-pkgutil_get_data.patch: pkgutil.get_data() has the same security model as open(). The documented limitations ensure compatibility with non-filesystem loaders; Python doesn't check that (bsc#1259989, CVE-2026-3479, gh#python/cpython#146121).
- Add CVE-2026-4519-webbrowser-open-dashes.patch to reject leading dashes in webbrowser URLs (bsc#1260026, CVE-2026-4519, gh#python/cpython#143930).
- Add CVE-2025-13462-tarinfo-header-parse.patch which skips TarInfo DIRTYPE normalization during GNU long name handling (bsc#1259611, CVE-2025-13462).
- Add CVE-2026-4224-expat-unbound-C-recursion.patch avoiding unbound C recursion in conv_content_model in pyexpat.c (bsc#1259735, CVE-2026-4224).
- Add CVE-2026-3644-cookies-Morsel-update-II.patch to reject control characters in http.cookies.Morsel.update() and http.cookies.BaseCookie.js_output (bsc#1259734, CVE-2026-3644).
- Fix the test suite so it is run again.
- Add CVE-2026-1299-email-encode-EOL-headers.patch preventing embedded white characters inside of email headers (bsc#1257181, CVE-2026-1299, gh#python/cpython#144125).
- Add CVE-2024-7592-quad-complex-cookies.patch (bsc#1229596, CVE-2024-7592), which fixes quadratic complexity in parsing "-quoted cookie values with backslashes by http.cookies.
- CVE-2026-0672: rejects control characters in http cookies.
  (bsc#1257031, gh#python/cpython#143919)
  CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch
- CVE-2026-0865: rejecting control characters in wsgiref.headers.Headers, which could be abused for injecting false HTTP headers.
  (bsc#1257042, gh#python/cpython#143916)
  CVE-2026-0865-wsgiref-ctrl-chars.patch
- CVE-2025-15366: basically the same as the previous patch for IMAP protocol.
  (bsc#1257044, gh#python/cpython#143921)
  CVE-2025-15366-imap-ctrl-chars.patch
- CVE-2025-15367: basically the same as the previous patch for poplib library.
  (bsc#1257041, gh#python/cpython#143923)
  CVE-2025-15367-poplib-ctrl-chars.patch
- Add CVE-2025-6075-expandvars-perf-degrad.patch to avoid simple quadratic complexity vulnerabilities of os.path.expandvars() (CVE-2025-6075, bsc#1252974).
- Add add-zlib-eof-attribute.patch, needed for python-urllib3 CVE fix (bsc#1254867)
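
The CVE-2026-3446 entry above concerns Base64 input that continues after the first padded quad. The following is an added example, not code from the patch or from CPython: a strict wrapper an application can call to refuse such input before decoding. The name `strict_b64decode` and the sample inputs are constructed for illustration.

```python
import base64
import re

# Well-formed RFC 4648 Base64 without line breaks: any number of full
# quads, then at most one padded quad ("xx==" or "xxx="), then nothing.
_WELL_FORMED = re.compile(
    rb"(?:[A-Za-z0-9+/]{4})*"
    rb"(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?"
)


def strict_b64decode(data):
    """Decode Base64, refusing any bytes after the first padded quad."""
    if not isinstance(data, (bytes, bytearray)):
        raise TypeError("expected bytes")
    data = bytes(data)

    pad = data.find(b"=")
    if pad != -1:
        # Offset just past the quad that holds the first '=' character.
        quad_end = (pad // 4 + 1) * 4
        if len(data) > quad_end:
            raise ValueError(
                "%d byte(s) of excess data after the first padded quad"
                % (len(data) - quad_end))

    # Catches wrong alphabet, embedded whitespace and short padding.
    if not _WELL_FORMED.fullmatch(data):
        raise ValueError("input is not well-formed Base64")

    return base64.b64decode(data, validate=True)


if __name__ == "__main__":
    # Constructed samples: two valid values, then one with a second
    # payload appended after the padding, then one with short padding.
    for sample in (b"YQ==", b"YWJjYQ==", b"YQ==YWJj", b"YQ="):
        try:
            print(sample, "->", strict_b64decode(sample))
        except ValueError as exc:
            print(sample, "-> rejected:", exc)
```

Because the check runs before `base64.b64decode()`, the result does not depend on whether the interpreter carries the patch.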