python-interpreters/python312
SHA256
6
0
Fork 0
forked from pool/python312
Code Pull Requests Activity

extraction filters (filter="data" and filter="tar")

Browse Source 
to be bypassed using crafted symlinks and hard links.
      CVE-2025-4517 (bsc#1244032). Also addresses CVE-2025-4435
      (gh#135034, bsc#1244061).

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python312?expand=0&rev=149
This commit is contained in:
Matej Cepl
2025-06-25 19:47:39 +00:00
committed by Git OBS Bridge
parent 9c7fb3fd1c
commit a20e070127
1 changed files with 4 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
python312.changes
View File

@@ -4,11 +4,12 @@ Mon Jun 9 19:41:07 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
- Update to 3.12.11:
- Security
- gh-135034: Fixes multiple issues that allowed tarfile
extraction filters (filter="data" and filter="tar") to be
bypassed using crafted symlinks and hard links.
extraction filters (filter="data" and filter="tar")
to be bypassed using crafted symlinks and hard links.
Addresses CVE-2024-12718 (bsc#1244056), CVE-2025-4138
(bsc#1244059), CVE-2025-4330 (bsc#1244060), and
CVE-2025-4517 (bsc#1244032).
CVE-2025-4517 (bsc#1244032). Also addresses CVE-2025-4435
(gh#135034, bsc#1244061).
- gh-133767: Fix use-after-free in the “unicode-escape”
decoder with a non-“strict” error handler (CVE-2025-4516,
bsc#1243273).