Update Info

SUSE-SLE-Module-Packagehub-Subpackages-15-SP7-2026-1206


Security update for python


Type: security
Severity: important
Issued: 2026-04-07
Description:
This update for python fixes the following issues:

- CVE-2025-13462: incorrect parsing of TarInfo when GNU long name and type AREGTYPE are combined can lead to
  misinterpretation of tar archives (bsc#1259611).
- CVE-2026-3644: incomplete control character validation in http.cookies can lead to input validation bypass
  (bsc#1259734).
- CVE-2026-4224: parsing XML with deeply nested DTD content models can lead to C stack overflow (bsc#1259735).
- CVE-2026-4519: failure to sanitize leading dashes in URLs in the `webbrowser.open()` API can lead to web browser
  command line option injection (bsc#1260026).
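
An added example (not part of the SUSE advisory or of the python package itself) of an application-side check for the CVE-2026-4519 class of problem: reject a URL that starts with a dash or is otherwise malformed before it reaches `webbrowser.open()`. The function names, the http/https allow-list and the sample URLs are assumptions made for illustration; installing the updated packages remains the fix.

```python
# Added example: validate a URL before handing it to webbrowser.open().
# Written to run on both Python 2.7 and Python 3.
import webbrowser

try:
    from urllib.parse import urlsplit  # Python 3
except ImportError:
    from urlparse import urlsplit      # Python 2.7

# Assumption: the application only ever needs to open ordinary web links.
ALLOWED_SCHEMES = ("http", "https")


def validate_browser_url(url):
    """Return url unchanged if it is safe to pass on, else raise ValueError."""
    if not isinstance(url, (str, type(u""))):
        raise ValueError("URL must be a text string")
    if not url or url != url.strip():
        raise ValueError("empty URL or leading/trailing whitespace")
    # The case named in the advisory: a leading dash can be taken by the
    # browser executable as a command line option instead of a URL.
    if url.startswith("-"):
        raise ValueError("URL starts with a dash")
    # Whitespace and control characters have no place in a well-formed URL.
    if any(ord(ch) < 0x21 or ord(ch) == 0x7F for ch in url):
        raise ValueError("whitespace or control character in URL")
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed: %r" % parts.scheme)
    if not parts.netloc:
        raise ValueError("URL has no host")
    return url


def open_in_browser(url):
    """Hypothetical wrapper: open the URL only after it passes validation."""
    return webbrowser.open(validate_browser_url(url))
```
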


              

Packages


  • python-2.7.18-150000.111.1
  • python-base-2.7.18-150000.111.1