rpm package
suse/python36&distro=SUSE Linux Enterprise Server LTSS Extended Security 12 SP5
pkg:rpm/suse/python36&distro=SUSE%20Linux%20Enterprise%20Server%20LTSS%20Extended%20Security%2012%20SP5
Vulnerabilities (28)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-4435 | Hig | 7.5 | < 3.6.15-84.1 | 3.6.15-84.1 | Jun 3, 2025 | When using a TarFile.errorlevel = 0 and extracting with a filter the documented behavior is that any filtered members would be skipped and not extracted. However the actual behavior of TarFile.errorlevel = 0 in affected versions is that the member would still be extracted and not | |
| CVE-2025-4330 | Hig | 7.5 | < 3.6.15-84.1 | 3.6.15-84.1 | Jun 3, 2025 | Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extrac | |
| CVE-2025-4138 | Hig | 7.5 | < 3.6.15-84.1 | 3.6.15-84.1 | Jun 3, 2025 | Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extrac | |
| CVE-2024-12718 | Med | 5.3 | < 3.6.15-84.1 | 3.6.15-84.1 | Jun 3, 2025 | Allows modifying some file metadata (e.g. last modified) with filter="data" or file permissions (chmod) with filter="tar" of files outside the extraction directory. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile. | |
| CVE-2025-4516 | Med | — | < 3.6.15-84.1 | 3.6.15-84.1 | May 15, 2025 | There is an issue in CPython when using `bytes.decode("unicode_escape", error="ignore|replace")`. If you are not using the "unicode_escape" encoding or an error handler your usage is not affected. To work-around this issue you may stop using the error= handler and instead wrap th | |
| CVE-2025-0938 | Med | — | < 3.6.15-76.1 | 3.6.15-76.1 | Jan 31, 2025 | The Python standard library functions `urllib.parse.urlsplit` and `urlparse` accepted domain names that included square brackets which isn't valid according to RFC 3986. Square brackets are only meant to be used as delimiters for specifying IPv6 and IPvFuture hosts in URLs. This | |
| CVE-2024-11168 | Low | 3.7 | < 3.6.15-73.1 | 3.6.15-73.1 | Nov 12, 2024 | The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts (`[]`), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser. | |
| CVE-2024-9287 | — | < 3.6.15-70.1 | 3.6.15-70.1 | Oct 22, 2024 | A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts (ie "source venv/bin/activate"). This |
- affected < 3.6.15-84.1fixed 3.6.15-84.1
When using a TarFile.errorlevel = 0 and extracting with a filter the documented behavior is that any filtered members would be skipped and not extracted. However the actual behavior of TarFile.errorlevel = 0 in affected versions is that the member would still be extracted and not
- affected < 3.6.15-84.1fixed 3.6.15-84.1
Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extrac
- affected < 3.6.15-84.1fixed 3.6.15-84.1
Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extrac
- affected < 3.6.15-84.1fixed 3.6.15-84.1
Allows modifying some file metadata (e.g. last modified) with filter="data" or file permissions (chmod) with filter="tar" of files outside the extraction directory. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.
- affected < 3.6.15-84.1fixed 3.6.15-84.1
There is an issue in CPython when using `bytes.decode("unicode_escape", error="ignore|replace")`. If you are not using the "unicode_escape" encoding or an error handler your usage is not affected. To work-around this issue you may stop using the error= handler and instead wrap th
- affected < 3.6.15-76.1fixed 3.6.15-76.1
The Python standard library functions `urllib.parse.urlsplit` and `urlparse` accepted domain names that included square brackets which isn't valid according to RFC 3986. Square brackets are only meant to be used as delimiters for specifying IPv6 and IPvFuture hosts in URLs. This
- affected < 3.6.15-73.1fixed 3.6.15-73.1
The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts (`[]`), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser.
- CVE-2024-9287Oct 22, 2024affected < 3.6.15-70.1fixed 3.6.15-70.1
A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts (ie "source venv/bin/activate"). This
Page 2 of 2