SUSE-SU-2026:0643-1

Details

This update for python39 fixes the following issues:

CVE-2025-11468: Fixed a header injection when folding a long comment in an email header containing exclusively unfoldable characters. (bsc#1257029)
CVE-2026-0672: Fixed a HTTP header injection via user-controlled cookie values and parameters when using http.cookies.Morsel. (bsc#1257031)
CVE-2026-0865: Fixed a bug where a user-controlled header containing newlines can allow injecting HTTP headers. (bsc#1257042)
CVE-2025-15282: Fixed a bug where a user-controlled data URLs parsed may allow injecting headers. (bsc#1257046)
CVE-2025-15366: Fixed a bug wherer a user-controlled command can allow additional commands injected using newlines. (bsc#1257044)
CVE-2025-15367: Fixed control characters which may allow the injection of additional commands. (bsc#1257041)

Affected Packages(17 packages)

libpython3_9-1_0

SUSE Linux Enterprise Server 15 SP5-LTSSSUSE Linux Enterprise Server for SAP Applications 15 SP5openSUSE Leap 15.6

Fixed in:

3.9.25-150300.4.93.1

python39

SUSE Linux Enterprise Server 15 SP5-LTSSSUSE Linux Enterprise Server for SAP Applications 15 SP5openSUSE Leap 15.6

Fixed in:

3.9.25-150300.4.93.1

python39-base

SUSE Linux Enterprise Server 15 SP5-LTSSSUSE Linux Enterprise Server for SAP Applications 15 SP5openSUSE Leap 15.6

Fixed in: