SUSE Package Hub - SUSE-SLE-Module-Packagehub-Subpackages-15-SP7-2025-4389

Update Info

SUSE-SLE-Module-Packagehub-Subpackages-15-SP7-2025-4389

Security update for python

Type: security

Severity: low

Issued: 2025-12-12

Description:

This update for python fixes the following issues:

- CVE-2025-6075: quadratic complexity in `os.path.expandvars()` can lead to performance degradation when values passed
  to it are user-controlled (bsc#1252974).
- CVE-2025-8291: lack of validity checks on the ZIP64 End of Central Directory (EOCD) record allows for the creation of
  ZIP archives that are processed inconsistently by the `zipfile` module (bsc#1251305).

References

CVE: CVE-2025-8291
CVE: CVE-2025-6075
Bugzilla: 1252974 VUL-0: CVE-2025-6075: python,python27,python3,python310,python311,python312,python313,python36,python39: If the value passed to os.path.expandvars() is user-controlled a performance degradation is possible when expanding environment variables.
Bugzilla: 1251305 VUL-0: CVE-2025-8291: python,python3,python310,python311,python312,python313,python36,python39: validity of the ZIP64 End of Central Directory (EOCD) is not checked by the 'zipfile' module

Packages

python-2.7.18-150000.89.1

python-base-2.7.18-150000.89.2