SUSE-SU-2026:1715-1

Description of the patch:

This update for python3 fixes the following issues:

• CVE-2025-13462: incorrect parsing of TarInfo when GNU long name and type AREGTYPE are combined can lead to misinterpretation of tar archives (bsc#1259611).
• CVE-2026-1502: HTTP client proxy tunnel headers not validated for CR/LF (bsc#1261969).
• CVE-2026-3446: base64 decoding stops at first padded quad by default and ignores other information that could be processed (bsc#1261970).
• CVE-2026-3479: improper resource argument validation in pkgutil.get_data() can lead to path traversal (bsc#1259989).
• CVE-2026-3644: incomplete control character validation in http.cookies can lead to input validation bypass (bsc#1259734).
• CVE-2026-4224: parsing XML with deeply nested DTD content models can lead to C stack overflow (bsc#1259735).
• CVE-2026-4519: failure to sanitize leading dashes in URLs in the webbrowser.open() API can lead to web browser command line option injection (bsc#1260026).
• CVE-2026-4786: URLs prefixed with %action can pass the dash-prefix safety check and allow for command injection (bsc#1262319).
• CVE-2026-6019: BaseCookie.js_output() does not neutralize characters in cookie values embedded in JS (bsc#1262654).
• CVE-2026-6100: use-after-free in lzma.LZMADecompressor, bz2.BZ2Decompressor, and gzip.GzipFile when process is under memory pressure(bsc#1262098).