Security update for python SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2026:0268-1 Final 1 1 2026-01-23T09:40:47Z current 2026-01-23T09:40:47Z 2026-01-23T09:40:47Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for python This update for python fixes the following issues: - CVE-2025-13836: Fixed reading an HTTP response from a server, if no read amount is specified, with using Content-Length per default as the length (bsc#1254400) - CVE-2025-12084: Fixed Denial of Service due to quadratic algorithm in xml.dom.minidom (bsc#1254997). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2026-268,SUSE-SLE-Module-Packagehub-Subpackages-15-SP7-2026-268,openSUSE-SLE-15.6-2026-268 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2026/suse-su-20260268-1/ Link for SUSE-SU-2026:0268-1 https://lists.suse.com/pipermail/sle-security-updates/2026-January/023903.html E-Mail link for SUSE-SU-2026:0268-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1254400 SUSE Bug 1254400 https://bugzilla.suse.com/1254997 SUSE Bug 1254997 https://www.suse.com/security/cve/CVE-2025-12084/ SUSE CVE CVE-2025-12084 page https://www.suse.com/security/cve/CVE-2025-13836/ SUSE CVE CVE-2025-13836 page https://www.suse.com/security/cve/CVE-2025-6075/ SUSE CVE CVE-2025-6075 page SUSE Linux Enterprise Module for Package Hub 15 SP7 openSUSE Leap 15.6 libpython2_7-1_0-2.7.18-150000.94.1 libpython2_7-1_0-32bit-2.7.18-150000.94.1 libpython2_7-1_0-64bit-2.7.18-150000.94.1 python-2.7.18-150000.94.1 python-32bit-2.7.18-150000.94.1 python-64bit-2.7.18-150000.94.1 python-base-2.7.18-150000.94.1 python-base-32bit-2.7.18-150000.94.1 python-base-64bit-2.7.18-150000.94.1 python-curses-2.7.18-150000.94.1 python-demo-2.7.18-150000.94.1 python-devel-2.7.18-150000.94.1 python-doc-2.7.18-150000.94.1 python-doc-pdf-2.7.18-150000.94.1 python-gdbm-2.7.18-150000.94.1 python-idle-2.7.18-150000.94.1 python-tk-2.7.18-150000.94.1 python-xml-2.7.18-150000.94.1 libpython2_7-1_0-2.7.18-150000.94.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP7 python-2.7.18-150000.94.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP7 python-base-2.7.18-150000.94.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP7 python-curses-2.7.18-150000.94.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP7 python-gdbm-2.7.18-150000.94.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP7 python-xml-2.7.18-150000.94.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP7 libpython2_7-1_0-2.7.18-150000.94.1 as a component of openSUSE Leap 15.6 libpython2_7-1_0-32bit-2.7.18-150000.94.1 as a component of openSUSE Leap 15.6 python-2.7.18-150000.94.1 as a component of openSUSE Leap 15.6 python-32bit-2.7.18-150000.94.1 as a component of openSUSE Leap 15.6 python-base-2.7.18-150000.94.1 as a component of openSUSE Leap 15.6 python-base-32bit-2.7.18-150000.94.1 as a component of openSUSE Leap 15.6 python-curses-2.7.18-150000.94.1 as a component of openSUSE Leap 15.6 python-demo-2.7.18-150000.94.1 as a component of openSUSE Leap 15.6 python-devel-2.7.18-150000.94.1 as a component of openSUSE Leap 15.6 python-doc-2.7.18-150000.94.1 as a component of openSUSE Leap 15.6 python-doc-pdf-2.7.18-150000.94.1 as a component of openSUSE Leap 15.6 python-gdbm-2.7.18-150000.94.1 as a component of openSUSE Leap 15.6 python-idle-2.7.18-150000.94.1 as a component of openSUSE Leap 15.6 python-tk-2.7.18-150000.94.1 as a component of openSUSE Leap 15.6 python-xml-2.7.18-150000.94.1 as a component of openSUSE Leap 15.6 When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents. CVE-2025-12084 SUSE Linux Enterprise Module for Package Hub 15 SP7:libpython2_7-1_0-2.7.18-150000.94.1 SUSE Linux Enterprise Module for Package Hub 15 SP7:python-2.7.18-150000.94.1 SUSE Linux Enterprise Module for Package Hub 15 SP7:python-base-2.7.18-150000.94.1 SUSE Linux Enterprise Module for Package Hub 15 SP7:python-curses-2.7.18-150000.94.1 SUSE Linux Enterprise Module for Package Hub 15 SP7:python-gdbm-2.7.18-150000.94.1 SUSE Linux Enterprise Module for Package Hub 15 SP7:python-xml-2.7.18-150000.94.1 openSUSE Leap 15.6:libpython2_7-1_0-2.7.18-150000.94.1 openSUSE Leap 15.6:libpython2_7-1_0-32bit-2.7.18-150000.94.1 openSUSE Leap 15.6:python-2.7.18-150000.94.1 openSUSE Leap 15.6:python-32bit-2.7.18-150000.94.1 openSUSE Leap 15.6:python-base-2.7.18-150000.94.1 openSUSE Leap 15.6:python-base-32bit-2.7.18-150000.94.1 openSUSE Leap 15.6:python-curses-2.7.18-150000.94.1 openSUSE Leap 15.6:python-demo-2.7.18-150000.94.1 openSUSE Leap 15.6:python-devel-2.7.18-150000.94.1 openSUSE Leap 15.6:python-doc-2.7.18-150000.94.1 openSUSE Leap 15.6:python-doc-pdf-2.7.18-150000.94.1 openSUSE Leap 15.6:python-gdbm-2.7.18-150000.94.1 openSUSE Leap 15.6:python-idle-2.7.18-150000.94.1 openSUSE Leap 15.6:python-tk-2.7.18-150000.94.1 openSUSE Leap 15.6:python-xml-2.7.18-150000.94.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260268-1/ https://www.suse.com/security/cve/CVE-2025-12084.html CVE-2025-12084 https://bugzilla.suse.com/1254997 SUSE Bug 1254997 When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. This allows a malicious server to cause the client to read large amounts of data into memory, potentially causing OOM or other DoS. CVE-2025-13836 SUSE Linux Enterprise Module for Package Hub 15 SP7:libpython2_7-1_0-2.7.18-150000.94.1 SUSE Linux Enterprise Module for Package Hub 15 SP7:python-2.7.18-150000.94.1 SUSE Linux Enterprise Module for Package Hub 15 SP7:python-base-2.7.18-150000.94.1 SUSE Linux Enterprise Module for Package Hub 15 SP7:python-curses-2.7.18-150000.94.1 SUSE Linux Enterprise Module for Package Hub 15 SP7:python-gdbm-2.7.18-150000.94.1 SUSE Linux Enterprise Module for Package Hub 15 SP7:python-xml-2.7.18-150000.94.1 openSUSE Leap 15.6:libpython2_7-1_0-2.7.18-150000.94.1 openSUSE Leap 15.6:libpython2_7-1_0-32bit-2.7.18-150000.94.1 openSUSE Leap 15.6:python-2.7.18-150000.94.1 openSUSE Leap 15.6:python-32bit-2.7.18-150000.94.1 openSUSE Leap 15.6:python-base-2.7.18-150000.94.1 openSUSE Leap 15.6:python-base-32bit-2.7.18-150000.94.1 openSUSE Leap 15.6:python-curses-2.7.18-150000.94.1 openSUSE Leap 15.6:python-demo-2.7.18-150000.94.1 openSUSE Leap 15.6:python-devel-2.7.18-150000.94.1 openSUSE Leap 15.6:python-doc-2.7.18-150000.94.1 openSUSE Leap 15.6:python-doc-pdf-2.7.18-150000.94.1 openSUSE Leap 15.6:python-gdbm-2.7.18-150000.94.1 openSUSE Leap 15.6:python-idle-2.7.18-150000.94.1 openSUSE Leap 15.6:python-tk-2.7.18-150000.94.1 openSUSE Leap 15.6:python-xml-2.7.18-150000.94.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260268-1/ https://www.suse.com/security/cve/CVE-2025-13836.html CVE-2025-13836 https://bugzilla.suse.com/1254400 SUSE Bug 1254400 If the value passed to os.path.expandvars() is user-controlled a performance degradation is possible when expanding environment variables. CVE-2025-6075 SUSE Linux Enterprise Module for Package Hub 15 SP7:libpython2_7-1_0-2.7.18-150000.94.1 SUSE Linux Enterprise Module for Package Hub 15 SP7:python-2.7.18-150000.94.1 SUSE Linux Enterprise Module for Package Hub 15 SP7:python-base-2.7.18-150000.94.1 SUSE Linux Enterprise Module for Package Hub 15 SP7:python-curses-2.7.18-150000.94.1 SUSE Linux Enterprise Module for Package Hub 15 SP7:python-gdbm-2.7.18-150000.94.1 SUSE Linux Enterprise Module for Package Hub 15 SP7:python-xml-2.7.18-150000.94.1 openSUSE Leap 15.6:libpython2_7-1_0-2.7.18-150000.94.1 openSUSE Leap 15.6:libpython2_7-1_0-32bit-2.7.18-150000.94.1 openSUSE Leap 15.6:python-2.7.18-150000.94.1 openSUSE Leap 15.6:python-32bit-2.7.18-150000.94.1 openSUSE Leap 15.6:python-base-2.7.18-150000.94.1 openSUSE Leap 15.6:python-base-32bit-2.7.18-150000.94.1 openSUSE Leap 15.6:python-curses-2.7.18-150000.94.1 openSUSE Leap 15.6:python-demo-2.7.18-150000.94.1 openSUSE Leap 15.6:python-devel-2.7.18-150000.94.1 openSUSE Leap 15.6:python-doc-2.7.18-150000.94.1 openSUSE Leap 15.6:python-doc-pdf-2.7.18-150000.94.1 openSUSE Leap 15.6:python-gdbm-2.7.18-150000.94.1 openSUSE Leap 15.6:python-idle-2.7.18-150000.94.1 openSUSE Leap 15.6:python-tk-2.7.18-150000.94.1 openSUSE Leap 15.6:python-xml-2.7.18-150000.94.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260268-1/ https://www.suse.com/security/cve/CVE-2025-6075.html CVE-2025-6075 https://bugzilla.suse.com/1252974 SUSE Bug 1252974