SUSE-SU-2026:1937-1

Details

Description of the patch:

This update for python3 fixes the following issue:

CVE-2026-1502: HTTP client proxy tunnel headers not validated for CR/LF (bsc#1261969).
CVE-2026-3446: base64 decoding stops at first padded quad by default and ignores other information that could be processed (bsc#1261970).
CVE-2026-4786: URLs prefixed with %action can pass the dash-prefix safety check and allow for command injection (bsc#1262319).
CVE-2026-6019: BaseCookie.js_output() does not neutralize characters in cookie values embedded in JS (bsc#1262654).
CVE-2026-6100: use-after-free in lzma.LZMADecompressor, bz2.BZ2Decompressor, and gzip.GzipFile when process is under memory pressure(bsc#1262098).

Affected Packages

libpython3_4m1_0

SUSE Linux Enterprise Server 12 SP5SUSE Linux Enterprise Server 12 SP5-LTSSSUSE Linux Enterprise Server LTSS Extended Security 12 SP5

Fixed in:

3.4.10-25.185.1

libpython3_4m1_0-32bit

SUSE Linux Enterprise Server 12 SP5SUSE Linux Enterprise Server 12 SP5-LTSSSUSE Linux Enterprise Server LTSS Extended Security 12 SP5

Fixed in:

3.4.10-25.185.1

python3

SUSE Linux Enterprise Server 12 SP5SUSE Linux Enterprise Server 12 SP5-LTSSSUSE Linux Enterprise Server LTSS Extended Security 12 SP5

Fixed in: