VYPR

rpm package: suse/python (distro: SUSE Linux Enterprise Module for Package Hub 15 SP6)

pkg:rpm/suse/python&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP6

Vulnerabilities (10)

  • CVE-2025-6075, Oct 31, 2025
    affected: < 2.7.18-150000.89.1; fixed: 2.7.18-150000.89.1

    If the value passed to os.path.expandvars() is user-controlled, a performance degradation is possible when expanding environment variables.

  • CVE-2025-8291 (Medium), Oct 7, 2025
    affected: < 2.7.18-150000.86.1; fixed: 2.7.18-150000.86.1

    The 'zipfile' module would not check the validity of the ZIP64 End of Central Directory (EOCD) Locator record offset value. The offset value would not be used to locate the ZIP64 EOCD record; instead the ZIP64 EOCD record would be assumed to be the previous record in the ZIP archive. This could be

  • CVE-2025-8194 (High), Jul 28, 2025
    affected: < 2.7.18-150000.83.1; fixed: 2.7.18-150000.83.1

    There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously cra

  • CVE-2025-6069 (Medium), Jun 17, 2025
    affected: < 2.7.18-150000.80.1; fixed: 2.7.18-150000.80.1

    The html.parser.HTMLParser class had worst-case quadratic complexity when processing certain crafted malformed inputs, potentially leading to amplified denial of service.

  • CVE-2025-0938 (Medium), Jan 31, 2025
    affected: < 2.7.18-150000.71.1; fixed: 2.7.18-150000.71.1

    The Python standard library functions `urllib.parse.urlsplit` and `urlparse` accepted domain names that included square brackets which isn't valid according to RFC 3986. Square brackets are only meant to be used as delimiters for specifying IPv6 and IPvFuture hosts in URLs. This

  • CVE-2024-11168 (Low), Nov 12, 2024
    affected: < 2.7.18-150000.68.1; fixed: 2.7.18-150000.68.1

    The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts (`[]`), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser.

  • CVE-2024-0450 (Medium), Mar 19, 2024
    affected: < 2.7.18-150000.65.1; fixed: 2.7.18-150000.65.1

    An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed

  • CVE-2023-52425, Feb 4, 2024
    affected: < 2.7.18-150000.65.1; fixed: 2.7.18-150000.65.1

    libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.

  • CVE-2022-48560, Aug 22, 2023
    affected: < 2.7.18-150000.65.1; fixed: 2.7.18-150000.65.1

    A use-after-free exists in Python through 3.9 via heappushpop in heapq.

  • CVE-2023-27043 (Medium), Apr 19, 2023
    affected: < 2.7.18-150000.65.1; fixed: 2.7.18-150000.65.1

    The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which applica
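Two entries above, CVE-2024-11168 and CVE-2025-0938, describe the same class of problem: urlsplit() handing back a bracketed host that is not an IPv6 or IPvFuture literal, so that a second URL parser downstream may see a different host (the SSRF angle noted for CVE-2024-11168). The block below is an added example, not code from VYPR, SUSE or CPython: a strict_host() wrapper that applies the RFC 3986 host rules itself, so it rejects such URLs on an unpatched interpreter and simply propagates the ValueError that a patched urlsplit() already raises. The function and helper names are the example's own, and the sample URLs are constructed here.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# RFC 3986: IPvFuture = "v" 1*HEXDIG "." 1*( unreserved / sub-delims / ":" )
_IPVFUTURE = re.compile(r"[vV][0-9A-Fa-f]+\.[A-Za-z0-9\-._~!$&'()*+,;=:]+")
_PORT = re.compile(r":[0-9]*")  # only thing allowed after the host; empty port is legal


def strict_host(url: str) -> str:
    """Return the lower-cased host of url, or raise ValueError.

    A bracketed host must be an IPv6 address or an IPvFuture literal; an
    unbracketed host may not contain brackets at all. The same rules are
    applied whether or not this interpreter's urlsplit() enforces them."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:  # patched CPython rejects bad bracketed hosts itself
        raise ValueError(f"urlsplit rejected {url!r}: {exc}") from exc
    host_port = parts.netloc.rpartition("@")[2]  # strip userinfo
    if host_port.startswith("["):
        close = host_port.find("]")
        if close < 0:
            raise ValueError("unterminated IP-literal")
        literal, rest = host_port[1:close], host_port[close + 1:]
        if rest and not _PORT.fullmatch(rest):
            raise ValueError(f"unexpected text after IP-literal: {rest!r}")
        if literal[:1] in ("v", "V"):
            if not _IPVFUTURE.fullmatch(literal):
                raise ValueError(f"malformed IPvFuture literal: {literal!r}")
            return literal.lower()
        addr = ipaddress.ip_address(literal)  # ValueError for e.g. "evil.com"
        if addr.version != 6:
            raise ValueError("only an IPv6 address may appear in brackets")
        return literal.lower()
    if "[" in host_port or "]" in host_port:
        raise ValueError("bracket outside an IP-literal")
    host, sep, port = host_port.rpartition(":")
    if not sep:
        host = host_port
    elif not _PORT.fullmatch(sep + port):
        raise ValueError(f"bad port: {port!r}")
    if not host:
        raise ValueError("empty host")
    return host.lower()


def is_rejected(url: str) -> bool:
    """True when strict_host() refuses the URL."""
    try:
        strict_host(url)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample URLs (example data, not from the advisory text).
    for u in ("http://example.com/", "http://[::1]:8080/x",
              "http://[evil.com]/", "http://[127.0.0.1]/"):
        print(u, "->", "REJECTED" if is_rejected(u) else strict_host(u))
```

Calling strict_host() once and using its return value for every later decision (allow-list lookup, DNS resolution, logging) is the point: the host that is checked is the host that is used, instead of two parsers each deciding for themselves.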
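For CVE-2024-0450 above, the "quoted-overlap" zip bomb, the patched zipfile raises BadZipFile when it reads a member whose data overlaps another member's. The block below is an added example (not VYPR, SUSE or CPython code) that performs the same consistency check up front from the central directory, so an archive can be screened before anything is extracted, on any interpreter version. It builds its own sample archives in memory: a benign one, and one whose central directory lists ten names that all point at the same 64-byte member (constructed here, not taken from the page). Function names are the example's own.

```python
import io
import struct
import zipfile
from typing import List

# Local file header (30 bytes), the same format string CPython's zipfile uses.
# Fields: signature, extract version, reserved, flags, method, time, date,
# CRC, compressed size, uncompressed size, name length, extra length.
LOCAL_HEADER = struct.Struct("<4s2B4HL2L2H")
LOCAL_MAGIC = b"PK\x03\x04"


def member_spans(data: bytes):
    """Return (central_directory_offset, [(name, start, end), ...]) where each
    span is the byte range a member's local header plus compressed data
    occupies, as claimed by its central directory entry."""
    spans = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        cd_offset = zf.start_dir
        for zi in zf.infolist():
            off = zi.header_offset
            hdr = data[off:off + LOCAL_HEADER.size]
            if len(hdr) != LOCAL_HEADER.size or hdr[:4] != LOCAL_MAGIC:
                raise zipfile.BadZipFile(f"no local header at {off} for {zi.filename!r}")
            name_len, extra_len = LOCAL_HEADER.unpack(hdr)[10:12]
            data_start = off + LOCAL_HEADER.size + name_len + extra_len
            spans.append((zi.filename, off, data_start + zi.compress_size))
    return cd_offset, spans


def find_overlaps(data: bytes) -> List[str]:
    """List members whose byte range overlaps another member or the central
    directory; an empty list means the layout is consistent."""
    cd_offset, spans = member_spans(data)
    spans.sort(key=lambda s: (s[1], s[2]))
    problems = []
    for (name, _, end), (nxt, nxt_start, _) in zip(spans, spans[1:]):
        if end > nxt_start:
            problems.append(f"{name!r} overlaps {nxt!r}")
    for name, _, end in spans:
        if end > cd_offset:
            problems.append(f"{name!r} runs into the central directory")
    return problems


def benign_zip() -> bytes:
    """Constructed sample: two ordinary stored members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("a.txt", b"A" * 64)
        zf.writestr("b.txt", b"B" * 64)
    return buf.getvalue()


def quoted_overlap_zip() -> bytes:
    """Constructed sample: one real member, plus nine central directory
    entries that reuse its header offset and sizes ("quoted" overlap)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("a.txt", b"A" * 64)
        orig = zf.getinfo("a.txt")
        for i in range(9):
            dup = zipfile.ZipInfo(f"copy{i}.txt", date_time=orig.date_time)
            dup.compress_type = orig.compress_type
            dup.header_offset = orig.header_offset
            dup.compress_size = orig.compress_size
            dup.file_size = orig.file_size
            dup.CRC = orig.CRC
            zf.filelist.append(dup)  # written to the central directory on close
    return buf.getvalue()


if __name__ == "__main__":
    print("benign:", find_overlaps(benign_zip()))
    print("overlap:", find_overlaps(quoted_overlap_zip()))
```

The check only reads headers, so it costs a few bytes per member regardless of the claimed uncompressed sizes; the same offsets are also what a scanner would compare against the sum of compress_size values to spot a central directory that promises more data than the file contains.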