SUSE Package Hub - SUSE-SLE-Module-Packagehub-Subpackages-15-SP7-2026-590

Update Info

SUSE-SLE-Module-Packagehub-Subpackages-15-SP7-2026-590

Security update for python

Type: security

Severity: important

Issued: 2026-02-20

Description:

This update for python fixes the following issues:

- CVE-2026-0672: Fixed a HTTP header injection via user-controlled cookie values and parameters when using http.cookies.Morsel. (bsc#1257031)
- CVE-2026-0865: Fixed a bug where a user-controlled header containing newlines can allow injecting HTTP headers. (bsc#1257042)
- CVE-2025-15366: Fixed a bug wherer a user-controlled command can allow additional commands injected using newlines. (bsc#1257044)
- CVE-2025-15367: Fixed control characters which may allow the injection of additional commands. (bsc#1257041)

References

CVE: CVE-2026-0865
CVE: CVE-2026-0672
CVE: CVE-2025-15367
CVE: CVE-2025-15366
Bugzilla: 1257044 VUL-0: CVE-2025-15366: python: user-controlled command can allow additional commands injected using newlines
Bugzilla: 1257042 VUL-0: CVE-2026-0865: python: user-controlled header containing newlines can allow injecting HTTP headers
Bugzilla: 1257041 VUL-0: CVE-2025-15367: python: control characters may allow the injection of additional commands
Bugzilla: 1257031 VUL-0: CVE-2026-0672: python3: HTTP header injection via user-controlled cookie values and parameters when using http.cookies.Morsel
Bugzilla: 1254867 VUL-0: CVE-2025-66471: python-urllib3,python-urllib3_1,python36-urllib3: excessive resource consumption via decompression of highly compressed data in Streaming API

Packages

python-2.7.18-150000.102.1

python-base-2.7.18-150000.102.1