Update Info

SUSE-SLE-Module-Packagehub-Subpackages-15-SP7-2026-2387


Security update for python


Type: security
Severity: important
Issued: 2026-06-12
Description:
This update for python fixes the following issues:

- CVE-2026-1703: files may be extracted outside the installation directory when installing and extracting maliciously
  crafted wheel archives (bsc#1257599).
- CVE-2026-3219: pip doesn't reject concatenated ZIP (bsc#1262429).
- CVE-2026-4786: Incomplete mitigation of %action expansion for command injection to webbrowser.open() (bsc#1262319).
- CVE-2026-6019: BaseCookie.js_output() does not neutralize embedded characters (bsc#1262654).
- CVE-2026-6100: arbitrary code execution or information disclosure via use-after-free in decompression modules
  (bsc#1262098).
- CVE-2026-6357: pip self-update functionality can import newly installed modules after wheel installation
  (bsc#1263442).

Changes for python:

- For SLE-12-SP1 use vendored libffi (bsc#1261652). We have
 libffi4.so from SP3 only.


              

Packages


  • python-2.7.18-150000.120.1
  • python-base-2.7.18-150000.120.1