SUSE alert SUSE-SU-2025:3706-1 (python313)
| From: | SLE-SECURITY-UPDATES <null@suse.de> | |
| To: | sle-security-updates@lists.suse.com | |
| Subject: | SUSE-SU-2025:3706-1: moderate: Security update for python313 | |
| Date: | Tue, 21 Oct 2025 16:33:09 -0000 | |
| Message-ID: | <176106438999.30362.14561152422165825579@smelt2.prg2.suse.org> |
# Security update for python313 Announcement ID: SUSE-SU-2025:3706-1 Release Date: 2025-10-21T15:07:42Z Rating: moderate References: * bsc#1244705 * bsc#1247249 Cross-References: * CVE-2025-6069 * CVE-2025-8194 CVSS scores: * CVE-2025-6069 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H * CVE-2025-6069 ( SUSE ): 6.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H * CVE-2025-6069 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L * CVE-2025-8194 ( SUSE ): 7.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2025-8194 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H * CVE-2025-8194 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Affected Products: * Python 3 Module 15-SP7 * SUSE Linux Enterprise Desktop 15 SP7 * SUSE Linux Enterprise Server 15 SP7 * SUSE Linux Enterprise Server for SAP Applications 15 SP7 An update that solves two vulnerabilities can now be installed. ## Description: This update for python313 fixes the following issues: Update to version 3.13.7. * Fixes in 3.13.7: * gh-137583: Fix a deadlock introduced in 3.13.6 when a call to ssl.SSLSocket.recv was blocked in one thread, and then another method on the object (such as ssl.SSLSocket.send) was subsequently called in another thread. * gh-137044: Return large limit values as positive integers instead of negative integers in resource.getrlimit(). Accept large values and reject negative values (except RLIM_INFINITY) for limits in resource.setrlimit(). * gh-136914: Fix retrieval of doctest.DocTest.lineno for objects decorated with functools.cache() or functools.cached_property. * gh-131788: Make ResourceTracker.send from multiprocessing re-entrant safe * gh-136155: We are now checking for fatal errors in EPUB builds in CI. * gh-137400: Fix a crash in the free threading build when disabling profiling or tracing across all threads with PyEval_SetProfileAllThreads() or PyEval_SetTraceAllThreads() or their Python equivalents threading.settrace_all_threads() and threading.setprofile_all_threads(). * Fixes in 3.13.6: * Security * gh-135661: Fix parsing start and end tags in html.parser.HTMLParser according to the HTML5 standard. * Whitespaces no longer accepted between </ and the tag name. E.g. </ script> does not end the script section. * Vertical tabulation (\v) and non-ASCII whitespaces no longer recognized as whitespaces. The only whitespaces are \t\n\r\f and space. * Null character (U+0000) no longer ends the tag name. * Attributes and slashes after the tag name in end tags are now ignored, instead of terminating after the first > in quoted attribute value. E.g. </script/foo=">"/>. * Multiple slashes and whitespaces between the last attribute and closing > are now ignored in both start and end tags. E.g. <a foo=bar/ //>. * Multiple = between attribute name and value are no longer collapsed. E.g. <a foo==bar> produces attribute “foo” with value “=bar”. * gh-102555: Fix comment parsing in html.parser.HTMLParser according to the HTML5 standard. --!> now ends the comment. \-- > no longer ends the comment. Support abnormally ended empty comments <\--> and <\--->. * gh-135462: Fix quadratic complexity in processing specially crafted input in html.parser.HTMLParser. End-of-file errors are now handled according to the HTML5 specs – comments and declarations are automatically closed, tags are ignored (CVE-2025-6069, bsc#1244705). * gh-118350: Fix support of escapable raw text mode (elements “textarea” and “title”) in html.parser.HTMLParser. * Core and Builtins * gh-58124: Fix name of the Python encoding in Unicode errors of the code page codec: use “cp65000” and “cp65001” instead of “CP_UTF7” and “CP_UTF8” which are not valid Python code names. Patch by Victor Stinner. * gh-137314: Fixed a regression where raw f-strings incorrectly interpreted escape sequences in format specifications. Raw f-strings now properly preserve literal backslashes in format specs, matching the behavior from Python 3.11. For example, rf"{obj:\xFF}" now correctly produces '\xFF' instead of 'ÿ'. Patch by Pablo Galindo. * gh-136541: Fix some issues with the perf trampolines on x86-64 and aarch64. The trampolines were not being generated correctly for some cases, which could lead to the perf integration not working correctly. Patch by Pablo Galindo. * gh-109700: Fix memory error handling in PyDict_SetDefault(). * gh-78465: Fix error message for cls. **new** (cls, ...) where cls is not instantiable builtin or extension type (with tp_new set to NULL). * gh-135871: Non-blocking mutex lock attempts now return immediately when the lock is busy instead of briefly spinning in the free threading build. * gh-135607: Fix potential weakref races in an object’s destructor on the free threaded build. * gh-135496: Fix typo in the f-string conversion type error (“exclamanation” -> “exclamation”). * gh-130077: Properly raise custom syntax errors when incorrect syntax containing names that are prefixes of soft keywords is encountered. Patch by Pablo Galindo. * gh-135148: Fixed a bug where f-string debug expressions (using =) would incorrectly strip out parts of strings containing escaped quotes and # characters. Patch by Pablo Galindo. * gh-133136: Limit excess memory usage in the free threading build when a large dictionary or list is resized and accessed by multiple threads. * gh-132617: Fix dict.update() modification check that could incorrectly raise a “dict mutated during update” error when a different dictionary was modified that happens to share the same underlying keys object. * gh-91153: Fix a crash when a bytearray is concurrently mutated during item assignment. * gh-127971: Fix off-by-one read beyond the end of a string in string search. * gh-125723: Fix crash with gi_frame.f_locals when generator frames outlive their generator. Patch by Mikhail Efimov. * Library * gh-132710: If possible, ensure that uuid.getnode() returns the same result even across different processes. Previously, the result was constant only within the same process. Patch by Bénédikt Tran. * gh-137273: Fix debug assertion failure in locale.setlocale() on Windows. * gh-137257: Bump the version of pip bundled in ensurepip to version 25.2 * gh-81325: tarfile.TarFile now accepts a path-like when working on a tar archive. (Contributed by Alexander Enrique Urieles Nieto in gh-81325.) * gh-130522: Fix unraisable TypeError raised during interpreter shutdown in the threading module. * gh-130577: tarfile now validates archives to ensure member offsets are non-negative. (Contributed by Alexander Enrique Urieles Nieto in gh-130577; CVE-2025-8194, bsc#1247249). * gh-136549: Fix signature of threading.excepthook(). * gh-136523: Fix wave.Wave_write emitting an unraisable when open raises. * gh-52876: Add missing keepends (default True) parameter to codecs.StreamReaderWriter.readline() and codecs.StreamReaderWriter.readlines(). * gh-85702: If zoneinfo._common.load_tzdata is given a package without a resource a zoneinfo.ZoneInfoNotFoundError is raised rather than a PermissionError. Patch by Victor Stinner. * gh-134759: Fix UnboundLocalError in email.message.Message.get_payload() when the payload to decode is a bytes object. Patch by Kliment Lamonov. * gh-136028: Fix parsing month names containing “İ” (U+0130, LATIN CAPITAL LETTER I WITH DOT ABOVE) in time.strptime(). This affects locales az_AZ, ber_DZ, ber_MA and crh_UA. * gh-135995: In the palmos encoding, make byte 0x9b decode to › (U+203A - SINGLE RIGHT-POINTING ANGLE QUOTATION MARK). * gh-53203: Fix time.strptime() for %c and %x formats on locales byn_ER, wal_ET and lzh_TW, and for %X format on locales ar_SA, bg_BG and lzh_TW. * gh-91555: An earlier change, which was introduced in 3.13.4, has been reverted. It disabled logging for a logger during handling of log messages for that logger. Since the reversion, the behaviour should be as it was before 3.13.4. * gh-135878: Fixes a crash of types.SimpleNamespace on free threading builds, when several threads were calling its **repr** () method at the same time. * gh-135836: Fix IndexError in asyncio.loop.create_connection() that could occur when non-OSError exception is raised during connection and socket’s close() raises OSError. * gh-135836: Fix IndexError in asyncio.loop.create_connection() that could occur when the Happy Eyeballs algorithm resulted in an empty exceptions list during connection attempts. * gh-135855: Raise TypeError instead of SystemError when _interpreters.set ** _main_** attrs() is passed a non-dict object. Patch by Brian Schubert. * gh-135815: netrc: skip security checks if os.getuid() is missing. Patch by Bénédikt Tran. * gh-135640: Address bug where it was possible to call xml.etree.ElementTree.ElementTree.write() on an ElementTree object with an invalid root element. This behavior blanked the file passed to write if it already existed. * gh-135444: Fix asyncio.DatagramTransport.sendto() to account for datagram header size when data cannot be sent. * gh-135497: Fix os.getlogin() failing for longer usernames on BSD-based platforms. * gh-135487: Fix reprlib.Repr.repr_int() when given integers with more than sys.get_int_max_str_digits() digits. Patch by Bénédikt Tran. * gh-135335: multiprocessing: Flush stdout and stderr after preloading modules in the forkserver. * gh-135244: uuid: when the MAC address cannot be determined, the 48-bit node ID is now generated with a cryptographically-secure pseudo-random number generator (CSPRNG) as per RFC 9562, §6.10.3. This affects uuid1(). * gh-135069: Fix the “Invalid error handling” exception in encodings.idna.IncrementalDecoder to correctly replace the ‘errors’ parameter. * gh-134698: Fix a crash when calling methods of ssl.SSLContext or ssl.SSLSocket across multiple threads. * gh-132124: On POSIX-compliant systems, multiprocessing.util.get_temp_dir() now ignores TMPDIR (and similar environment variables) if the path length of AF_UNIX socket files exceeds the platform-specific maximum length when using the forkserver start method. Patch by Bénédikt Tran. * gh-133439: Fix dot commands with trailing spaces are mistaken for multi-line SQL statements in the sqlite3 command-line interface. * gh-132969: Prevent the ProcessPoolExecutor executor thread, which remains running when shutdown(wait=False), from attempting to adjust the pool’s worker processes after the object state has already been reset during shutdown. A combination of conditions, including a worker process having terminated abormally, resulted in an exception and a potential hang when the still-running executor thread attempted to replace dead workers within the pool. * gh-130664: Support the '_' digit separator in formatting of the integral part of Decimal’s. Patch by Sergey B Kirpichev. * gh-85702: If zoneinfo._common.load_tzdata is given a package without a resource a ZoneInfoNotFoundError is raised rather than a IsADirectoryError. * gh-130664: Handle corner-case for Fraction’s formatting: treat zero-padding (preceding the width field by a zero ('0') character) as an equivalent to a fill character of '0' with an alignment type of '=', just as in case of float’s. * Tools/Demos * gh-135968: Stubs for strip are now provided as part of an iOS install. * Tests * gh-135966: The iOS testbed now handles the app_packages folder as a site directory. * gh-135494: Fix regrtest to support excluding tests from \--pgo tests. Patch by Victor Stinner. * gh-135489: Show verbose output for failing tests during PGO profiling step with –enable-optimizations. * Documentation * gh-135171: Document that the iterator for the leftmost for clause in the generator expression is created immediately. * Build * gh-135497: Fix the detection of MAXLOGNAME in the configure.ac script. ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * Python 3 Module 15-SP7 zypper in -t patch SUSE-SLE-Module-Python3-15-SP7-2025-3706=1 ## Package List: * Python 3 Module 15-SP7 (aarch64 ppc64le s390x x86_64) * python313-idle-3.13.7-150700.4.23.1 * python313-curses-debuginfo-3.13.7-150700.4.23.1 * python313-base-debuginfo-3.13.7-150700.4.23.1 * python313-core-debugsource-3.13.7-150700.4.23.1 * python313-debugsource-3.13.7-150700.4.23.1 * python313-dbm-debuginfo-3.13.7-150700.4.23.1 * python313-debuginfo-3.13.7-150700.4.23.1 * python313-devel-3.13.7-150700.4.23.1 * libpython3_13-1_0-debuginfo-3.13.7-150700.4.23.1 * python313-base-3.13.7-150700.4.23.1 * python313-3.13.7-150700.4.23.1 * python313-tk-debuginfo-3.13.7-150700.4.23.1 * python313-curses-3.13.7-150700.4.23.1 * python313-dbm-3.13.7-150700.4.23.1 * python313-tk-3.13.7-150700.4.23.1 * libpython3_13-1_0-3.13.7-150700.4.23.1 * python313-tools-3.13.7-150700.4.23.1 ## References: * https://www.suse.com/security/cve/CVE-2025-6069.html * https://www.suse.com/security/cve/CVE-2025-8194.html * https://bugzilla.suse.com/show_bug.cgi?id=1244705 * https://bugzilla.suse.com/show_bug.cgi?id=1247249
Attachment: None (type=text/html)
(HTML attachment elided)