SUSE alert openSUSE-SU-2026:20846-1 (python-python-multipart)

From:
             
 
null@suse.de
To:
             
 
security-announce@lists.opensuse.org
Subject:
             
 
openSUSE-SU-2026:20846-1: important: Security update for python-python-multipart
Date:
             
 
Mon, 01 Jun 2026 17:51:40 +0200
Message-ID:
             
 
<20260601155140.14179FD89@maintenance.suse.de>
Archive-link:
             
 
Article
openSUSE security update: security update for python-python-multipart
-------------------------------------------------------------

Announcement ID: openSUSE-SU-2026:20846-1
Rating: important
References:

  * bsc#1262403
  * bsc#1265250



Cross-References:

  * CVE-2026-40347
  * CVE-2026-42561



CVSS scores:

  * CVE-2026-40347 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  * CVE-2026-40347 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
  * CVE-2026-42561 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:

         openSUSE Leap 16.0

-------------------------------------------------------------

An update that solves 2 vulnerabilities and has 2 bug fixes can now be installed.

Description:

This update for python-python-multipart fixes the following issues

- CVE-2026-40347: crafted `multipart/form-data` can cause a denial of service (bsc#1262403).
- CVE-2026-42561: denial of service vulnerability in multipart part header parsing (bsc#1265250).


Patch instructions:

   To install this openSUSE security update use the suse recommended installation methods
   like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

- openSUSE Leap 16.0

   zypper in -t patch openSUSE-Leap-16.0-827=1

Package List:

- openSUSE Leap 16.0:

  python313-python-multipart-0.0.20-160000.4.1

References:

  * https://www.suse.com/security/cve/CVE-2026-40347.html
  * https://www.suse.com/security/cve/CVE-2026-42561.html