Security update for python3 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2026:0645-1 Final 1 1 2026-02-25T16:29:02Z current 2026-02-25T16:29:02Z 2026-02-25T16:29:02Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for python3 This update for python3 fixes the following issues: - CVE-2025-11468: header injection when folding a long comment in an email header containing exclusively unfoldable characters (bsc#1257029). - CVE-2026-0672: HTTP header injection via user-controlled cookie values and parameters when using http.cookies.Morsel (bsc#1257031). - CVE-2026-0865: user-controlled header containing newlines can allow injecting HTTP headers (bsc#1257042). - CVE-2025-15366: user-controlled command can allow additional commands injected using newlines (bsc#1257044). - CVE-2025-15282: user-controlled data URLs parsed may allow injecting headers (bsc#1257046). - CVE-2025-15367: control characters may allow the injection of additional commands (bsc#1257041). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2026-645,SUSE-SLE-SERVER-12-SP5-LTSS-2026-645,SUSE-SLE-SERVER-12-SP5-LTSS-EXTENDED-SECURITY-2026-645 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2026/suse-su-20260645-1/ Link for SUSE-SU-2026:0645-1 https://lists.suse.com/pipermail/sle-security-updates/2026-February/024402.html E-Mail link for SUSE-SU-2026:0645-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1257029 SUSE Bug 1257029 https://bugzilla.suse.com/1257031 SUSE Bug 1257031 https://bugzilla.suse.com/1257041 SUSE Bug 1257041 https://bugzilla.suse.com/1257042 SUSE Bug 1257042 https://bugzilla.suse.com/1257044 SUSE Bug 1257044 https://bugzilla.suse.com/1257046 SUSE Bug 1257046 https://www.suse.com/security/cve/CVE-2025-11468/ SUSE CVE CVE-2025-11468 page https://www.suse.com/security/cve/CVE-2025-15282/ SUSE CVE CVE-2025-15282 page https://www.suse.com/security/cve/CVE-2025-15366/ SUSE CVE CVE-2025-15366 page https://www.suse.com/security/cve/CVE-2025-15367/ SUSE CVE CVE-2025-15367 page https://www.suse.com/security/cve/CVE-2026-0672/ SUSE CVE CVE-2026-0672 page https://www.suse.com/security/cve/CVE-2026-0865/ SUSE CVE CVE-2026-0865 page SUSE Linux Enterprise Server 12 SP5-LTSS SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 libpython3_4m1_0-3.4.10-25.172.1 libpython3_4m1_0-32bit-3.4.10-25.172.1 libpython3_4m1_0-64bit-3.4.10-25.172.1 python3-3.4.10-25.172.1 python3-32bit-3.4.10-25.172.1 python3-64bit-3.4.10-25.172.1 python3-base-3.4.10-25.172.1 python3-base-32bit-3.4.10-25.172.1 python3-base-64bit-3.4.10-25.172.1 python3-curses-3.4.10-25.172.1 python3-dbm-3.4.10-25.172.1 python3-devel-3.4.10-25.172.1 python3-doc-3.4.10-25.172.1 python3-doc-pdf-3.4.10-25.172.1 python3-idle-3.4.10-25.172.1 python3-testsuite-3.4.10-25.172.1 python3-tk-3.4.10-25.172.1 python3-tools-3.4.10-25.172.1 libpython3_4m1_0-3.4.10-25.172.1 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS libpython3_4m1_0-32bit-3.4.10-25.172.1 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS python3-3.4.10-25.172.1 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS python3-base-3.4.10-25.172.1 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS python3-curses-3.4.10-25.172.1 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS python3-devel-3.4.10-25.172.1 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS python3-tk-3.4.10-25.172.1 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS libpython3_4m1_0-3.4.10-25.172.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 libpython3_4m1_0-32bit-3.4.10-25.172.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 python3-3.4.10-25.172.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 python3-base-3.4.10-25.172.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 python3-curses-3.4.10-25.172.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 python3-devel-3.4.10-25.172.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 python3-tk-3.4.10-25.172.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized. CVE-2025-11468 SUSE Linux Enterprise Server 12 SP5-LTSS:libpython3_4m1_0-3.4.10-25.172.1 SUSE Linux Enterprise Server 12 SP5-LTSS:libpython3_4m1_0-32bit-3.4.10-25.172.1 SUSE Linux Enterprise Server 12 SP5-LTSS:python3-3.4.10-25.172.1 SUSE Linux Enterprise Server 12 SP5-LTSS:python3-base-3.4.10-25.172.1 SUSE Linux Enterprise Server 12 SP5-LTSS:python3-curses-3.4.10-25.172.1 SUSE Linux Enterprise Server 12 SP5-LTSS:python3-devel-3.4.10-25.172.1 SUSE Linux Enterprise Server 12 SP5-LTSS:python3-tk-3.4.10-25.172.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libpython3_4m1_0-3.4.10-25.172.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libpython3_4m1_0-32bit-3.4.10-25.172.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:python3-3.4.10-25.172.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:python3-base-3.4.10-25.172.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:python3-curses-3.4.10-25.172.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:python3-devel-3.4.10-25.172.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:python3-tk-3.4.10-25.172.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260645-1/ https://www.suse.com/security/cve/CVE-2025-11468.html CVE-2025-11468 https://bugzilla.suse.com/1257029 SUSE Bug 1257029 User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype. CVE-2025-15282 SUSE Linux Enterprise Server 12 SP5-LTSS:libpython3_4m1_0-3.4.10-25.172.1 SUSE Linux Enterprise Server 12 SP5-LTSS:libpython3_4m1_0-32bit-3.4.10-25.172.1 SUSE Linux Enterprise Server 12 SP5-LTSS:python3-3.4.10-25.172.1 SUSE Linux Enterprise Server 12 SP5-LTSS:python3-base-3.4.10-25.172.1 SUSE Linux Enterprise Server 12 SP5-LTSS:python3-curses-3.4.10-25.172.1 SUSE Linux Enterprise Server 12 SP5-LTSS:python3-devel-3.4.10-25.172.1 SUSE Linux Enterprise Server 12 SP5-LTSS:python3-tk-3.4.10-25.172.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libpython3_4m1_0-3.4.10-25.172.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libpython3_4m1_0-32bit-3.4.10-25.172.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:python3-3.4.10-25.172.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:python3-base-3.4.10-25.172.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:python3-curses-3.4.10-25.172.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:python3-devel-3.4.10-25.172.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:python3-tk-3.4.10-25.172.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260645-1/ https://www.suse.com/security/cve/CVE-2025-15282.html CVE-2025-15282 https://bugzilla.suse.com/1257046 SUSE Bug 1257046 The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters. CVE-2025-15366 SUSE Linux Enterprise Server 12 SP5-LTSS:libpython3_4m1_0-3.4.10-25.172.1 SUSE Linux Enterprise Server 12 SP5-LTSS:libpython3_4m1_0-32bit-3.4.10-25.172.1 SUSE Linux Enterprise Server 12 SP5-LTSS:python3-3.4.10-25.172.1 SUSE Linux Enterprise Server 12 SP5-LTSS:python3-base-3.4.10-25.172.1 SUSE Linux Enterprise Server 12 SP5-LTSS:python3-curses-3.4.10-25.172.1 SUSE Linux Enterprise Server 12 SP5-LTSS:python3-devel-3.4.10-25.172.1 SUSE Linux Enterprise Server 12 SP5-LTSS:python3-tk-3.4.10-25.172.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libpython3_4m1_0-3.4.10-25.172.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libpython3_4m1_0-32bit-3.4.10-25.172.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:python3-3.4.10-25.172.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:python3-base-3.4.10-25.172.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:python3-curses-3.4.10-25.172.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:python3-devel-3.4.10-25.172.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:python3-tk-3.4.10-25.172.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260645-1/ https://www.suse.com/security/cve/CVE-2025-15366.html CVE-2025-15366 https://bugzilla.suse.com/1257044 SUSE Bug 1257044 The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters. CVE-2025-15367 SUSE Linux Enterprise Server 12 SP5-LTSS:libpython3_4m1_0-3.4.10-25.172.1 SUSE Linux Enterprise Server 12 SP5-LTSS:libpython3_4m1_0-32bit-3.4.10-25.172.1 SUSE Linux Enterprise Server 12 SP5-LTSS:python3-3.4.10-25.172.1 SUSE Linux Enterprise Server 12 SP5-LTSS:python3-base-3.4.10-25.172.1 SUSE Linux Enterprise Server 12 SP5-LTSS:python3-curses-3.4.10-25.172.1 SUSE Linux Enterprise Server 12 SP5-LTSS:python3-devel-3.4.10-25.172.1 SUSE Linux Enterprise Server 12 SP5-LTSS:python3-tk-3.4.10-25.172.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libpython3_4m1_0-3.4.10-25.172.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libpython3_4m1_0-32bit-3.4.10-25.172.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:python3-3.4.10-25.172.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:python3-base-3.4.10-25.172.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:python3-curses-3.4.10-25.172.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:python3-devel-3.4.10-25.172.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:python3-tk-3.4.10-25.172.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260645-1/ https://www.suse.com/security/cve/CVE-2025-15367.html CVE-2025-15367 https://bugzilla.suse.com/1257041 SUSE Bug 1257041 When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters. CVE-2026-0672 SUSE Linux Enterprise Server 12 SP5-LTSS:libpython3_4m1_0-3.4.10-25.172.1 SUSE Linux Enterprise Server 12 SP5-LTSS:libpython3_4m1_0-32bit-3.4.10-25.172.1 SUSE Linux Enterprise Server 12 SP5-LTSS:python3-3.4.10-25.172.1 SUSE Linux Enterprise Server 12 SP5-LTSS:python3-base-3.4.10-25.172.1 SUSE Linux Enterprise Server 12 SP5-LTSS:python3-curses-3.4.10-25.172.1 SUSE Linux Enterprise Server 12 SP5-LTSS:python3-devel-3.4.10-25.172.1 SUSE Linux Enterprise Server 12 SP5-LTSS:python3-tk-3.4.10-25.172.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libpython3_4m1_0-3.4.10-25.172.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libpython3_4m1_0-32bit-3.4.10-25.172.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:python3-3.4.10-25.172.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:python3-base-3.4.10-25.172.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:python3-curses-3.4.10-25.172.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:python3-devel-3.4.10-25.172.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:python3-tk-3.4.10-25.172.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260645-1/ https://www.suse.com/security/cve/CVE-2026-0672.html CVE-2026-0672 https://bugzilla.suse.com/1257031 SUSE Bug 1257031 User-controlled header names and values containing newlines can allow injecting HTTP headers. CVE-2026-0865 SUSE Linux Enterprise Server 12 SP5-LTSS:libpython3_4m1_0-3.4.10-25.172.1 SUSE Linux Enterprise Server 12 SP5-LTSS:libpython3_4m1_0-32bit-3.4.10-25.172.1 SUSE Linux Enterprise Server 12 SP5-LTSS:python3-3.4.10-25.172.1 SUSE Linux Enterprise Server 12 SP5-LTSS:python3-base-3.4.10-25.172.1 SUSE Linux Enterprise Server 12 SP5-LTSS:python3-curses-3.4.10-25.172.1 SUSE Linux Enterprise Server 12 SP5-LTSS:python3-devel-3.4.10-25.172.1 SUSE Linux Enterprise Server 12 SP5-LTSS:python3-tk-3.4.10-25.172.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libpython3_4m1_0-3.4.10-25.172.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libpython3_4m1_0-32bit-3.4.10-25.172.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:python3-3.4.10-25.172.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:python3-base-3.4.10-25.172.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:python3-curses-3.4.10-25.172.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:python3-devel-3.4.10-25.172.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:python3-tk-3.4.10-25.172.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260645-1/ https://www.suse.com/security/cve/CVE-2026-0865.html CVE-2026-0865 https://bugzilla.suse.com/1257042 SUSE Bug 1257042