{"affected":[{"ecosystem_specific":{"binaries":[{"libpython3_13-1_0":"3.13.12-160000.1.1","libpython3_13-1_0-x86-64-v3":"3.13.12-160000.1.1","libpython3_13t1_0":"3.13.12-160000.1.1","python313":"3.13.12-160000.1.1","python313-base":"3.13.12-160000.1.1","python313-base-x86-64-v3":"3.13.12-160000.1.1","python313-curses":"3.13.12-160000.1.1","python313-dbm":"3.13.12-160000.1.1","python313-devel":"3.13.12-160000.1.1","python313-doc":"3.13.12-160000.1.1","python313-doc-devhelp":"3.13.12-160000.1.1","python313-idle":"3.13.12-160000.1.1","python313-nogil":"3.13.12-160000.1.1","python313-nogil-base":"3.13.12-160000.1.1","python313-nogil-curses":"3.13.12-160000.1.1","python313-nogil-dbm":"3.13.12-160000.1.1","python313-nogil-devel":"3.13.12-160000.1.1","python313-nogil-idle":"3.13.12-160000.1.1","python313-nogil-testsuite":"3.13.12-160000.1.1","python313-nogil-tk":"3.13.12-160000.1.1","python313-nogil-tools":"3.13.12-160000.1.1","python313-testsuite":"3.13.12-160000.1.1","python313-tk":"3.13.12-160000.1.1","python313-tools":"3.13.12-160000.1.1","python313-x86-64-v3":"3.13.12-160000.1.1"}]},"package":{"ecosystem":"openSUSE:Leap 
16.0","name":"python313","purl":"pkg:rpm/opensuse/python313&distro=openSUSE%20Leap%2016.0"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"3.13.12-160000.1.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"libpython3_13-1_0":"3.13.12-160000.1.1","libpython3_13-1_0-x86-64-v3":"3.13.12-160000.1.1","libpython3_13t1_0":"3.13.12-160000.1.1","python313":"3.13.12-160000.1.1","python313-base":"3.13.12-160000.1.1","python313-base-x86-64-v3":"3.13.12-160000.1.1","python313-curses":"3.13.12-160000.1.1","python313-dbm":"3.13.12-160000.1.1","python313-devel":"3.13.12-160000.1.1","python313-doc":"3.13.12-160000.1.1","python313-doc-devhelp":"3.13.12-160000.1.1","python313-idle":"3.13.12-160000.1.1","python313-nogil":"3.13.12-160000.1.1","python313-nogil-base":"3.13.12-160000.1.1","python313-nogil-curses":"3.13.12-160000.1.1","python313-nogil-dbm":"3.13.12-160000.1.1","python313-nogil-devel":"3.13.12-160000.1.1","python313-nogil-idle":"3.13.12-160000.1.1","python313-nogil-testsuite":"3.13.12-160000.1.1","python313-nogil-tk":"3.13.12-160000.1.1","python313-nogil-tools":"3.13.12-160000.1.1","python313-testsuite":"3.13.12-160000.1.1","python313-tk":"3.13.12-160000.1.1","python313-tools":"3.13.12-160000.1.1","python313-x86-64-v3":"3.13.12-160000.1.1"}]},"package":{"ecosystem":"openSUSE:Leap 
16.0","name":"python313-core","purl":"pkg:rpm/opensuse/python313-core&distro=openSUSE%20Leap%2016.0"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"3.13.12-160000.1.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"libpython3_13-1_0":"3.13.12-160000.1.1","libpython3_13-1_0-x86-64-v3":"3.13.12-160000.1.1","libpython3_13t1_0":"3.13.12-160000.1.1","python313":"3.13.12-160000.1.1","python313-base":"3.13.12-160000.1.1","python313-base-x86-64-v3":"3.13.12-160000.1.1","python313-curses":"3.13.12-160000.1.1","python313-dbm":"3.13.12-160000.1.1","python313-devel":"3.13.12-160000.1.1","python313-doc":"3.13.12-160000.1.1","python313-doc-devhelp":"3.13.12-160000.1.1","python313-idle":"3.13.12-160000.1.1","python313-nogil":"3.13.12-160000.1.1","python313-nogil-base":"3.13.12-160000.1.1","python313-nogil-curses":"3.13.12-160000.1.1","python313-nogil-dbm":"3.13.12-160000.1.1","python313-nogil-devel":"3.13.12-160000.1.1","python313-nogil-idle":"3.13.12-160000.1.1","python313-nogil-testsuite":"3.13.12-160000.1.1","python313-nogil-tk":"3.13.12-160000.1.1","python313-nogil-tools":"3.13.12-160000.1.1","python313-testsuite":"3.13.12-160000.1.1","python313-tk":"3.13.12-160000.1.1","python313-tools":"3.13.12-160000.1.1","python313-x86-64-v3":"3.13.12-160000.1.1"}]},"package":{"ecosystem":"openSUSE:Leap 
16.0","name":"python313-documentation","purl":"pkg:rpm/opensuse/python313-documentation&distro=openSUSE%20Leap%2016.0"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"3.13.12-160000.1.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"libpython3_13-1_0":"3.13.12-160000.1.1","libpython3_13-1_0-x86-64-v3":"3.13.12-160000.1.1","libpython3_13t1_0":"3.13.12-160000.1.1","python313":"3.13.12-160000.1.1","python313-base":"3.13.12-160000.1.1","python313-base-x86-64-v3":"3.13.12-160000.1.1","python313-curses":"3.13.12-160000.1.1","python313-dbm":"3.13.12-160000.1.1","python313-devel":"3.13.12-160000.1.1","python313-doc":"3.13.12-160000.1.1","python313-doc-devhelp":"3.13.12-160000.1.1","python313-idle":"3.13.12-160000.1.1","python313-nogil":"3.13.12-160000.1.1","python313-nogil-base":"3.13.12-160000.1.1","python313-nogil-curses":"3.13.12-160000.1.1","python313-nogil-dbm":"3.13.12-160000.1.1","python313-nogil-devel":"3.13.12-160000.1.1","python313-nogil-idle":"3.13.12-160000.1.1","python313-nogil-testsuite":"3.13.12-160000.1.1","python313-nogil-tk":"3.13.12-160000.1.1","python313-nogil-tools":"3.13.12-160000.1.1","python313-testsuite":"3.13.12-160000.1.1","python313-tk":"3.13.12-160000.1.1","python313-tools":"3.13.12-160000.1.1","python313-x86-64-v3":"3.13.12-160000.1.1"}]},"package":{"ecosystem":"openSUSE:Leap 
16.0","name":"python313-nogil","purl":"pkg:rpm/opensuse/python313-nogil&distro=openSUSE%20Leap%2016.0"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"3.13.12-160000.1.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"libpython3_13-1_0":"3.13.12-160000.1.1","libpython3_13-1_0-x86-64-v3":"3.13.12-160000.1.1","libpython3_13t1_0":"3.13.12-160000.1.1","python313":"3.13.12-160000.1.1","python313-base":"3.13.12-160000.1.1","python313-base-x86-64-v3":"3.13.12-160000.1.1","python313-curses":"3.13.12-160000.1.1","python313-dbm":"3.13.12-160000.1.1","python313-devel":"3.13.12-160000.1.1","python313-doc":"3.13.12-160000.1.1","python313-doc-devhelp":"3.13.12-160000.1.1","python313-idle":"3.13.12-160000.1.1","python313-nogil":"3.13.12-160000.1.1","python313-nogil-base":"3.13.12-160000.1.1","python313-nogil-curses":"3.13.12-160000.1.1","python313-nogil-dbm":"3.13.12-160000.1.1","python313-nogil-devel":"3.13.12-160000.1.1","python313-nogil-idle":"3.13.12-160000.1.1","python313-nogil-testsuite":"3.13.12-160000.1.1","python313-nogil-tk":"3.13.12-160000.1.1","python313-nogil-tools":"3.13.12-160000.1.1","python313-testsuite":"3.13.12-160000.1.1","python313-tk":"3.13.12-160000.1.1","python313-tools":"3.13.12-160000.1.1","python313-x86-64-v3":"3.13.12-160000.1.1"}]},"package":{"ecosystem":"openSUSE:Leap 16.0","name":"python313-nogil-nogil-core","purl":"pkg:rpm/opensuse/python313-nogil-nogil-core&distro=openSUSE%20Leap%2016.0"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"3.13.12-160000.1.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for python313 fixes the following issues:\n\nUpdate to version 3.13.12.\n\nSecurity issues fixed:\n\n- CVE-2025-11468: header injection when folding a long comment in an email header containing exclusively unfoldable\n  characters (bsc#1257029).\n- CVE-2025-15282: user-controlled data URLs parsed may allow injecting headers (bsc#1257046).\n- CVE-2026-0672: HTTP header injection via user-controlled cookie values and 
parameters when using http.cookies.Morsel\n  (bsc#1257031).\n- CVE-2026-0865: user-controlled header containing newlines can allow injecting HTTP headers (bsc#1257042).\n- CVE-2026-1299: header injection when an email is serialized due to improper newline quoting in `BytesGenerator`\n  (bsc#1257181).\n\nOther updates and bugfixes:\n\n- Update to version 3.13.12.\n\n  - Library\n\n    - gh-144380: Improve performance of io.BufferedReader line\n      iteration by ~49%.\n    - gh-144169: Fix three crashes when non-string keyword\n      arguments are supplied to objects in the ast module.\n    - gh-144100: Fixed a crash in ctypes when using a deprecated\n      POINTER(str) type in argtypes. Instead of aborting, ctypes\n      now raises a proper Python exception when the pointer\n      target type is unresolved.\n    - gh-144050: Fix stat.filemode() in the pure-Python\n      implementation to avoid misclassifying invalid mode values\n      as block devices.\n    - gh-144023: Fixed validation of file descriptor 0 in posix\n      functions when used with follow_symlinks parameter.\n    - gh-143999: Fix an issue where inspect.getgeneratorstate()\n      and inspect.getcoroutinestate() could fail for generators\n      wrapped by types.coroutine() in the suspended state.\n    - gh-143706: Fix multiprocessing forkserver so that sys.argv\n      is correctly set before __main__ is preloaded. Previously,\n      sys.argv was empty during main module import in forkserver\n      child processes. This fixes a regression introduced in\n      3.13.8 and 3.14.1. 
Root caused by Aaron Wieczorek, test\n      provided by Thomas Watson, thanks!\n    - gh-143638: Forbid reentrant calls of the pickle.Pickler and\n      pickle.Unpickler methods for the C implementation.\n      Previously, this could cause a crash or data corruption, now\n      concurrent calls of methods of the same object raise\n      RuntimeError.\n    - gh-78724: Raise RuntimeError's when user attempts to call\n      methods on half-initialized Struct objects, for example,\n      created by Struct.__new__(Struct). Patch by Sergey\n      B Kirpichev.\n    - gh-143602: Fix an inconsistency issue in write() that leads\n      to unexpected buffer overwrite by deduplicating the buffer\n      exports.\n    - gh-143547: Fix sys.unraisablehook() when the hook raises an\n      exception and changes sys.unraisablehook(): hold a strong\n      reference to the old hook. Patch by Victor Stinner.\n    - gh-143378: Fix use-after-free crashes when a BytesIO object\n      is concurrently mutated during write() or writelines().\n    - gh-143346: Fix incorrect wrapping of the Base64 data in\n      plistlib._PlistWriter when the indent contains a mix of\n      tabs and spaces.\n    - gh-143310: tkinter: fix a crash when a Python list is\n      mutated during the conversion to a Tcl object (e.g., when\n      setting a Tcl variable). Patch by Benedikt Tran.\n    - gh-143309: Fix a crash in os.execve() on non-Windows\n      platforms when given a custom environment mapping which is\n      then mutated during parsing. Patch by Benedikt Tran.\n    - gh-143308: pickle: fix use-after-free crashes when\n      a PickleBuffer is concurrently mutated by a custom buffer\n      callback during pickling. 
Patch by Benedikt Tran and Aaron\n      Wieczorek.\n    - gh-143237: Fix support of named pipes in the rotating\n      logging handlers.\n    - gh-143249: Fix possible buffer leaks in Windows overlapped\n      I/O on error handling.\n    - gh-143241: zoneinfo: fix infinite loop in\n      ZoneInfo.from_file when parsing a malformed TZif file.\n      Patch by Fatih Celik.\n    - gh-142830: sqlite3: fix use-after-free crashes when the\n      connection's callbacks are mutated during a callback\n      execution. Patch by Benedikt Tran.\n    - gh-143200: xml.etree.ElementTree: fix use-after-free\n      crashes in __getitem__() and __setitem__() methods of\n      Element when the element is concurrently mutated. Patch by\n      Benedikt Tran.\n    - gh-142195: Updated timeout evaluation logic in subprocess\n      to be compatible with deterministic environments like\n      Shadow where time moves exactly as requested.\n    - gh-143145: Fixed a possible reference leak in ctypes when\n      constructing results with multiple output parameters on\n      error.\n    - gh-122431: Corrected the error message in\n      readline.append_history_file() to state that nelements must\n      be non-negative instead of positive.\n    - gh-143004: Fix a potential use-after-free in\n      collections.Counter.update() when user code mutates the\n      Counter during an update.\n    - gh-143046: The asyncio REPL no longer prints copyright and\n      version messages in the quiet mode (-q). Patch by Bartosz\n      Slawecki.\n    - gh-140648: The asyncio REPL now respects the -I flag\n      (isolated mode). Previously, it would load and execute\n      PYTHONSTARTUP even if the flag was set. 
Contributed by\n      Bartosz Slawecki.\n    - gh-142991: Fixed socket operations such as recvfrom() and\n      sendto() for FreeBSD divert(4) socket.\n    - gh-143010: Fixed a bug in mailbox where the precise timing\n      of an external event could result in the library opening an\n      existing file instead of a file it expected to create.\n    - gh-142881: Fix concurrent and reentrant call of\n      atexit.unregister().\n    - gh-112127: Fix possible use-after-free in\n      atexit.unregister() when the callback is unregistered\n      during comparison.\n    - gh-142783: Fix zoneinfo use-after-free with descriptor\n      _weak_cache. A descriptor as _weak_cache could cause\n      crashes during object creation. The fix ensures proper\n      reference counting for descriptor-provided objects.\n    - gh-142754: Add the ownerDocument attribute to\n      xml.dom.minidom elements and attributes created by directly\n      instantiating the Element or Attr class. Note that this way\n      of creating nodes is not supported; creator functions like\n      xml.dom.Document.documentElement() should be used instead.\n    - gh-142784: The asyncio REPL now properly closes the loop\n      upon the end of interactive session. Previously, it could\n      cause surprising warnings. Contributed by Bartosz Slawecki.\n    - gh-142555: array: fix a crash in a[i] = v when converting\n      i to an index via i.__index__ or i.__float__ mutates the\n      array.\n    - gh-142594: Fix crash in TextIOWrapper.close() when the\n      underlying buffer's closed property calls detach().\n    - gh-142451: hmac: Ensure that the HMAC.block_size attribute\n      is correctly copied by HMAC.copy. Patch by Benedikt Tran.\n    - gh-142495: collections.defaultdict now prioritizes\n      __setitem__() when inserting default values from\n      default_factory. 
This prevents race conditions where\n      a default value would overwrite a value set before\n      default_factory returns.\n    - gh-142651: unittest.mock: fix a thread safety issue where\n      Mock.call_count may return inaccurate values when the mock\n      is called concurrently from multiple threads.\n    - gh-142595: Added type check during initialization of the\n      decimal module to prevent a crash in case of broken stdlib.\n      Patch by Sergey B Kirpichev.\n    - gh-142517: The non-compat32 email policies now correctly\n      handle refolding encoded words that contain bytes that can\n      not be decoded in their specified character set. Previously\n      this resulted in an encoding exception during folding.\n    - gh-112527: The help text for required options in argparse\n      no longer extended with \"(default: None)\".\n    - gh-142315: Pdb can now run scripts from anonymous pipes\n      used in process substitution. Patch by Bartosz Slawecki.\n    - gh-142282: Fix winreg.QueryValueEx() to not accidentally\n      read garbage buffer under race condition.\n    - gh-75949: Fix argparse to preserve | separators in mutually\n      exclusive groups when the usage line wraps due to length.\n    - gh-68552: MisplacedEnvelopeHeaderDefect and Missing header\n      name defects are now correctly passed to the handle_defect\n      method of policy in FeedParser.\n    - gh-142006: Fix a bug in the email.policy.default folding\n      algorithm which incorrectly resulted in a doubled newline\n      when a line ending at exactly max_line_length was followed\n      by an unfoldable token.\n    - gh-105836: Fix asyncio.run_coroutine_threadsafe() leaving\n      underlying cancelled asyncio task running.\n    - gh-139971: pydoc: Ensure that the link to the online\n      documentation of a stdlib module is correct.\n    - gh-139262: Some keystrokes can be swallowed in the new\n      PyREPL on Windows, especially when used together with the\n      ALT key. 
Fix by Chris Eibl.\n    - gh-138897: Improved license/copyright/credits display in\n      the REPL: now uses a pager.\n    - gh-79986: Add parsing for References and In-Reply-To\n      headers to the email library that parses the header content\n      as lists of message id tokens. This prevents them from\n      being folded incorrectly.\n    - gh-109263: Starting a process from spawn context in\n      multiprocessing no longer sets the start method globally.\n    - gh-90871: Fixed an off by one error concerning the backlog\n      parameter in create_unix_server(). Contributed by Christian\n      Harries.\n    - gh-133253: Fix thread-safety issues in linecache.\n    - gh-132715: Skip writing objects during marshalling once\n      a failure has occurred.\n    - gh-127529: Correct behavior of\n      asyncio.selector_events.BaseSelectorEventLoop._accept_connection()\n      in handling ConnectionAbortedError in a loop. This improves\n      performance on OpenBSD.\n\n  - IDLE\n\n    - gh-143774: Better explain the operation of Format / Format\n      Paragraph.\n\n  - Core and Builtins\n\n    - gh-144307: Prevent a reference leak in module teardown at\n      interpreter finalization.\n    - gh-144194: Fix error handling in perf jitdump\n      initialization on memory allocation failure.\n    - gh-141805: Fix crash in set when objects with the same hash\n      are concurrently added to the set after removing an element\n      with the same hash while the set still contains elements\n      with the same hash.\n    - gh-143670: Fixes a crash in ga_repr_items_list function.\n    - gh-143377: Fix a crash in _interpreters.capture_exception()\n      when the exception is incorrectly formatted. 
Patch by\n      Benedikt Tran.\n    - gh-143189: Fix crash when inserting a non-str key into\n      a split table dictionary when the key matches an existing\n      key in the split table but has no corresponding value in\n      the dict.\n    - gh-143228: Fix use-after-free in perf trampoline when\n      toggling profiling while threads are running or during\n      interpreter finalization with daemon threads active. The\n      fix uses reference counting to ensure trampolines are not\n      freed while any code object could still reference them.\n      Patch by Pablo Galindo\n    - gh-142664: Fix a use-after-free crash in\n      memoryview.__hash__ when the __hash__ method of the\n      referenced object mutates that object or the view. Patch by\n      Benedikt Tran.\n    - gh-142557: Fix a use-after-free crash in bytearray.__mod__\n      when the bytearray is mutated while formatting the %-style\n      arguments. Patch by Benedikt Tran.\n    - gh-143195: Fix use-after-free crashes in bytearray.hex()\n      and memoryview.hex() when the separator's __len__() mutates\n      the original object. Patch by Benedikt Tran.\n    - gh-143135: Set sys.flags.inspect to 1 when PYTHONINSPECT is\n      0. Previously, it was set to 0 in this case.\n    - gh-143003: Fix an overflow of the shared empty buffer in\n      bytearray.extend() when __length_hint__() returns 0 for\n      non-empty iterator.\n    - gh-143006: Fix a possible assertion error when comparing\n      negative non-integer float and int with the same number of\n      bits in the integer part.\n    - gh-142776: Fix a file descriptor leak in import.c\n    - gh-142829: Fix a use-after-free crash in\n      contextvars.Context comparison when a custom __eq__ method\n      modifies the context via set().\n    - gh-142766: Clear the frame of a generator when\n      generator.close() is called.\n    - gh-142737: Tracebacks will be displayed in fallback mode\n      even if io.open() is lost. 
Previously, this would crash the\n      interpreter. Patch by Bartosz Slawecki.\n    - gh-142554: Fix a crash in divmod() when\n      _pylong.int_divmod() does not return a tuple of length two\n      exactly. Patch by Benedikt Tran.\n    - gh-142560: Fix use-after-free in bytearray search-like\n      methods (find(), count(), index(), rindex(), and rfind())\n      by marking the storage as exported which causes\n      reallocation attempts to raise BufferError. For contains(),\n      split(), and rsplit() the buffer protocol is used for this.\n    - gh-142343: Fix SIGILL crash on m68k due to incorrect\n      assembly constraint.\n    - gh-141732: Ensure the __repr__() for ExceptionGroup and\n      BaseExceptionGroup does not change when the exception\n      sequence that was originally passed in to its constructor is\n      subsequently mutated.\n    - gh-100964: Fix reference cycle in exhausted generator\n      frames. Patch by Savannah Ostrowski.\n    - gh-140373: Correctly emit PY_UNWIND event when generator\n      object is closed. Patch by Mikhail Efimov.\n    - gh-138568: Adjusted the built-in help() function so that\n      empty inputs are ignored in interactive mode.\n    - gh-127773: Do not use the type attribute cache for types\n      with incompatible MRO.\n\n  - C API\n\n    - gh-142571: PyUnstable_CopyPerfMapFile() now checks that\n      opening the file succeeded before flushing.\n\n  - Build\n\n    - gh-142454: When calculating the digest of the JIT stencils\n      input, sort the hashed files by filenames before adding\n      their content to the hasher. This ensures deterministic\n      hash input and hence deterministic hash, independent of\n      filesystem order.\n    - gh-141808: When running make clean-retain-profile, keep the\n      generated JIT stencils. That way, the stencils are not\n      generated twice when Profile-guided optimization (PGO) is\n      used. 
It also allows distributors to supply their own\n      pre-built JIT stencils.\n    - gh-138061: Ensure reproducible builds by making JIT stencil\n      header generation deterministic.\n","id":"openSUSE-SU-2026:20254-1","modified":"2026-02-19T10:31:04Z","published":"2026-02-19T10:31:04Z","references":[{"type":"ADVISORY","url":null},{"type":"REPORT","url":"https://bugzilla.suse.com/1257029"},{"type":"REPORT","url":"https://bugzilla.suse.com/1257031"},{"type":"REPORT","url":"https://bugzilla.suse.com/1257042"},{"type":"REPORT","url":"https://bugzilla.suse.com/1257046"},{"type":"REPORT","url":"https://bugzilla.suse.com/1257181"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-11468"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-15282"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2026-0672"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2026-0865"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2026-1299"}],"related":["CVE-2025-11468","CVE-2025-15282","CVE-2026-0672","CVE-2026-0865","CVE-2026-1299"],"summary":"Security update for python313","upstream":["CVE-2025-11468","CVE-2025-15282","CVE-2026-0672","CVE-2026-0865","CVE-2026-1299"]}