SUSE-SU-2026:1937-1
- Source
- https://www.suse.com/support/update/announcement/2026/suse-su-20261937-1/
- Import Source
- https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2026:1937-1.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/SUSE-SU-2026:1937-1
- Upstream
- Related
- Published
- 2026-05-18T07:41:58Z
- Modified
- 2026-05-19T08:45:06.846071151Z
- Summary
- Security update for python3
- Details
-
This update for python3 fixes the following issue:
- CVE-2026-1502: HTTP client proxy tunnel headers not validated for CR/LF (bsc#1261969).
- CVE-2026-3446: base64 decoding stops at first padded quad by default and ignores other information that could be processed (bsc#1261970).
- CVE-2026-4786: URLs prefixed with
%actioncan pass the dash-prefix safety check and allow for command injection (bsc#1262319). - CVE-2026-6019:
BaseCookie.js_output()does not neutralize characters in cookie values embedded in JS (bsc#1262654). - CVE-2026-6100: use-after-free in
lzma.LZMADecompressor,bz2.BZ2Decompressor, andgzip.GzipFilewhen process is under memory pressure(bsc#1262098).
- References
-
- https://www.suse.com/support/update/announcement/2026/suse-su-20261937-1/
- https://bugzilla.suse.com/1261969
- https://bugzilla.suse.com/1261970
- https://bugzilla.suse.com/1262098
- https://bugzilla.suse.com/1262319
- https://bugzilla.suse.com/1262654
- https://www.suse.com/security/cve/CVE-2026-1502
- https://www.suse.com/security/cve/CVE-2026-3446
- https://www.suse.com/security/cve/CVE-2026-4786
- https://www.suse.com/security/cve/CVE-2026-6019
- https://www.suse.com/security/cve/CVE-2026-6100