This update for python311 fixes the following issues:
- Updated to Python 3.11.15
- CVE-2025-6075: If the value passed to os.path.expandvars() is user-controlled a performance degradation is possible when expanding environment variables (bsc#1252974).
- CVE-2025-11468: header injection when folding a long comment in an email header containing exclusively unfoldable characters (bsc#1257029).
- CVE-2025-12084: cpython: python: cpython: Quadratic algorithm in xml.dom.minidom leads to denial of service (bsc#1254997).
- CVE-2025-13462: incorrect parsing of TarInfo header when GNU long name and type AREGTYPE are combined (bsc#1259611).
- CVE-2025-13836: When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length (bsc#1254400).
- CVE-2025-13837: When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues (bsc#1254401).
- CVE-2025-15282: user-controlled data URLs parsed may allow injecting headers (bsc#1257046).
- CVE-2026-0672: HTTP header injection via user-controlled cookie values and parameters when using http.cookies.Morsel (bsc#1257031).
- CVE-2026-0865: user-controlled header containing newlines can allow injecting HTTP headers (bsc#1257042).
- CVE-2026-1299: header injection when an email is serialized due to improper newline quoting in
BytesGenerator (bsc#1257181).
- CVE-2026-2297: cpython: incorrectly handled hook in FileLoader can lead to validation bypass (bsc#1259240).
- CVE-2026-3479: python: improper resource argument validation can allow path traversal (bsc#1259989).
- CVE-2026-3644: incomplete control character validation in http.cookies (bsc#1259734).
- CVE-2026-4224: C stack overflow when parsing XML with deeply nested DTD content models (bsc#1259735).
- CVE-2026-4519: leading dashes in URLs are accepted by the
webbrowser.open() API and allow for web browser command line option injection...