{"affected":[{"ecosystem_specific":{"binaries":[{"libpython3_13-1_0":"3.13.7-150700.4.23.1","python313":"3.13.7-150700.4.23.1","python313-base":"3.13.7-150700.4.23.1","python313-curses":"3.13.7-150700.4.23.1","python313-dbm":"3.13.7-150700.4.23.1","python313-devel":"3.13.7-150700.4.23.1","python313-idle":"3.13.7-150700.4.23.1","python313-tk":"3.13.7-150700.4.23.1","python313-tools":"3.13.7-150700.4.23.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Module for Python 3 15 SP7","name":"python313","purl":"pkg:rpm/suse/python313&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Python%203%2015%20SP7"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"3.13.7-150700.4.23.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"libpython3_13-1_0":"3.13.7-150700.4.23.1","python313":"3.13.7-150700.4.23.1","python313-base":"3.13.7-150700.4.23.1","python313-curses":"3.13.7-150700.4.23.1","python313-dbm":"3.13.7-150700.4.23.1","python313-devel":"3.13.7-150700.4.23.1","python313-idle":"3.13.7-150700.4.23.1","python313-tk":"3.13.7-150700.4.23.1","python313-tools":"3.13.7-150700.4.23.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Module for Python 3 15 SP7","name":"python313-core","purl":"pkg:rpm/suse/python313-core&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Python%203%2015%20SP7"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"3.13.7-150700.4.23.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for python313 fixes the following issues:\n\nUpdate to version 3.13.7.\n\n- Fixes in 3.13.7:\n  * gh-137583: Fix a deadlock introduced in 3.13.6 when a call\n    to ssl.SSLSocket.recv was blocked in one thread, and then\n    another method on the object (such as ssl.SSLSocket.send) was\n    subsequently called in another thread.\n  * gh-137044: Return large limit values as positive integers\n    instead of negative integers in resource.getrlimit().\n    Accept large values and reject negative values (except\n    RLIM_INFINITY) for limits in 
resource.setrlimit().\n  * gh-136914: Fix retrieval of doctest.DocTest.lineno\n    for objects decorated with functools.cache() or\n    functools.cached_property.\n  * gh-131788: Make ResourceTracker.send from multiprocessing\n    re-entrant safe\n  * gh-136155: We are now checking for fatal errors in EPUB\n    builds in CI.\n  * gh-137400: Fix a crash in the free threading build when\n    disabling profiling or tracing across all threads with\n    PyEval_SetProfileAllThreads() or PyEval_SetTraceAllThreads()\n    or their Python equivalents threading.settrace_all_threads()\n    and threading.setprofile_all_threads().\n\n- Fixes in 3.13.6:\n  * Security\n    - gh-135661: Fix parsing start and end tags in\n      html.parser.HTMLParser according to the HTML5 standard.\n        - Whitespaces no longer accepted between </ and the tag\n          name. E.g. </ script> does not end the script section.\n        - Vertical tabulation (\\v) and non-ASCII whitespaces no\n          longer recognized as whitespaces. The only whitespaces\n          are \\t\\n\\r\\f and space.\n        - Null character (U+0000) no longer ends the tag name.\n        - Attributes and slashes after the tag name in end tags\n          are now ignored, instead of terminating after the first\n          > in quoted attribute value. E.g. </script/foo='>'/>.\n        - Multiple slashes and whitespaces between the last\n          attribute and closing > are now ignored in both start\n          and end tags. E.g. <a foo=bar/ //>.\n        - Multiple = between attribute name and value are no\n          longer collapsed. E.g. <a foo==bar> produces attribute\n          “foo” with value “=bar”.\n    - gh-102555: Fix comment parsing in html.parser.HTMLParser\n      according to the HTML5 standard. --!> now ends the comment.\n      -- > no longer ends the comment. 
Support abnormally ended\n      empty comments <--> and <--->.\n    - gh-135462: Fix quadratic complexity in processing specially\n      crafted input in html.parser.HTMLParser. End-of-file errors\n      are now handled according to the HTML5 specs – comments and\n      declarations are automatically closed, tags are ignored\n      (CVE-2025-6069, bsc#1244705).\n    - gh-118350: Fix support of escapable raw text mode (elements\n      “textarea” and “title”) in html.parser.HTMLParser.\n  * Core and Builtins\n    - gh-58124: Fix name of the Python encoding in Unicode errors\n      of the code page codec: use “cp65000” and “cp65001” instead\n      of “CP_UTF7” and “CP_UTF8” which are not valid Python code\n      names. Patch by Victor Stinner.\n    - gh-137314: Fixed a regression where raw f-strings\n      incorrectly interpreted escape sequences in format\n      specifications. Raw f-strings now properly preserve literal\n      backslashes in format specs, matching the behavior from\n      Python 3.11. For example, rf'{obj:\\xFF}' now correctly\n      produces '\\\\xFF' instead of 'ÿ'. Patch by Pablo Galindo.\n    - gh-136541: Fix some issues with the perf trampolines\n      on x86-64 and aarch64. The trampolines were not being\n      generated correctly for some cases, which could lead to\n      the perf integration not working correctly. Patch by Pablo\n      Galindo.\n    - gh-109700: Fix memory error handling in\n      PyDict_SetDefault().\n    - gh-78465: Fix error message for cls.__new__(cls, ...) 
where\n      cls is not instantiable builtin or extension type (with\n      tp_new set to NULL).\n    - gh-135871: Non-blocking mutex lock attempts now return\n      immediately when the lock is busy instead of briefly\n      spinning in the free threading build.\n    - gh-135607: Fix potential weakref races in an object’s\n      destructor on the free threaded build.\n    - gh-135496: Fix typo in the f-string conversion type error\n      (“exclamanation” -> “exclamation”).\n    - gh-130077: Properly raise custom syntax errors when\n      incorrect syntax containing names that are prefixes of soft\n      keywords is encountered. Patch by Pablo Galindo.\n    - gh-135148: Fixed a bug where f-string debug expressions\n      (using =) would incorrectly strip out parts of strings\n      containing escaped quotes and # characters. Patch by Pablo\n      Galindo.\n    - gh-133136: Limit excess memory usage in the free threading\n      build when a large dictionary or list is resized and\n      accessed by multiple threads.\n    - gh-132617: Fix dict.update() modification check that could\n      incorrectly raise a “dict mutated during update” error when\n      a different dictionary was modified that happens to share\n      the same underlying keys object.\n    - gh-91153: Fix a crash when a bytearray is concurrently\n      mutated during item assignment.\n    - gh-127971: Fix off-by-one read beyond the end of a string\n      in string search.\n    - gh-125723: Fix crash with gi_frame.f_locals when generator\n      frames outlive their generator. Patch by Mikhail Efimov.\n  * Library\n    - gh-132710: If possible, ensure that uuid.getnode()\n      returns the same result even across different processes.\n      Previously, the result was constant only within the same\n      process. 
Patch by Bénédikt Tran.\n    - gh-137273: Fix debug assertion failure in\n      locale.setlocale() on Windows.\n    - gh-137257: Bump the version of pip bundled in ensurepip to\n      version 25.2\n    - gh-81325: tarfile.TarFile now accepts a path-like when\n      working on a tar archive. (Contributed by Alexander Enrique\n      Urieles Nieto in gh-81325.)\n    - gh-130522: Fix unraisable TypeError raised during\n      interpreter shutdown in the threading module.\n    - gh-130577: tarfile now validates archives to ensure member\n      offsets are non-negative. (Contributed by Alexander Enrique\n      Urieles Nieto in gh-130577; CVE-2025-8194, bsc#1247249).\n    - gh-136549: Fix signature of threading.excepthook().\n    - gh-136523: Fix wave.Wave_write emitting an unraisable when\n      open raises.\n    - gh-52876: Add missing keepends (default True)\n      parameter to codecs.StreamReaderWriter.readline() and\n      codecs.StreamReaderWriter.readlines().\n    - gh-85702: If zoneinfo._common.load_tzdata is given a\n      package without a resource a zoneinfo.ZoneInfoNotFoundError\n      is raised rather than a PermissionError. Patch by Victor\n      Stinner.\n    - gh-134759: Fix UnboundLocalError in\n      email.message.Message.get_payload() when the payload to\n      decode is a bytes object. Patch by Kliment Lamonov.\n    - gh-136028: Fix parsing month names containing “İ” (U+0130,\n      LATIN CAPITAL LETTER I WITH DOT ABOVE) in time.strptime().\n      This affects locales az_AZ, ber_DZ, ber_MA and crh_UA.\n    - gh-135995: In the palmos encoding, make byte 0x9b decode to\n      › (U+203A - SINGLE RIGHT-POINTING ANGLE QUOTATION MARK).\n    - gh-53203: Fix time.strptime() for %c and %x formats on\n      locales byn_ER, wal_ET and lzh_TW, and for %X format on\n      locales ar_SA, bg_BG and lzh_TW.\n    - gh-91555: An earlier change, which was introduced in\n      3.13.4, has been reverted. 
It disabled logging for a logger\n      during handling of log messages for that logger. Since the\n      reversion, the behaviour should be as it was before 3.13.4.\n    - gh-135878: Fixes a crash of types.SimpleNamespace on free\n      threading builds, when several threads were calling its\n      __repr__() method at the same time.\n    - gh-135836: Fix IndexError in\n      asyncio.loop.create_connection() that could occur when\n      non-OSError exception is raised during connection and\n      socket’s close() raises OSError.\n    - gh-135836: Fix IndexError in\n      asyncio.loop.create_connection() that could occur when the\n      Happy Eyeballs algorithm resulted in an empty exceptions\n      list during connection attempts.\n    - gh-135855: Raise TypeError instead of SystemError when\n      _interpreters.set___main___attrs() is passed a non-dict\n      object. Patch by Brian Schubert.\n    - gh-135815: netrc: skip security checks if os.getuid() is\n      missing. Patch by Bénédikt Tran.\n    - gh-135640: Address bug where it was possible to call\n      xml.etree.ElementTree.ElementTree.write() on an ElementTree\n      object with an invalid root element. This behavior blanked\n      the file passed to write if it already existed.\n    - gh-135444: Fix asyncio.DatagramTransport.sendto() to\n      account for datagram header size when data cannot be sent.\n    - gh-135497: Fix os.getlogin() failing for longer usernames\n      on BSD-based platforms.\n    - gh-135487: Fix reprlib.Repr.repr_int() when given integers\n      with more than sys.get_int_max_str_digits() digits. Patch\n      by Bénédikt Tran.\n    - gh-135335: multiprocessing: Flush stdout and stderr after\n      preloading modules in the forkserver.\n    - gh-135244: uuid: when the MAC address cannot be\n      determined, the 48-bit node ID is now generated with a\n      cryptographically-secure pseudo-random number generator\n      (CSPRNG) as per RFC 9562, §6.10.3. 
This affects uuid1().\n    - gh-135069: Fix the “Invalid error handling” exception in\n      encodings.idna.IncrementalDecoder to correctly replace the\n      ‘errors’ parameter.\n    - gh-134698: Fix a crash when calling methods of\n      ssl.SSLContext or ssl.SSLSocket across multiple threads.\n    - gh-132124: On POSIX-compliant systems,\n      multiprocessing.util.get_temp_dir() now ignores TMPDIR\n      (and similar environment variables) if the path length of\n      AF_UNIX socket files exceeds the platform-specific maximum\n      length when using the forkserver start method. Patch by\n      Bénédikt Tran.\n    - gh-133439: Fix dot commands with trailing spaces being\n      mistaken for multi-line SQL statements in the sqlite3\n      command-line interface.\n    - gh-132969: Prevent the ProcessPoolExecutor executor thread,\n      which remains running when shutdown(wait=False), from\n      attempting to adjust the pool’s worker processes after\n      the object state has already been reset during shutdown.\n      A combination of conditions, including a worker process\n      having terminated abnormally, resulted in an exception and\n      a potential hang when the still-running executor thread\n      attempted to replace dead workers within the pool.\n    - gh-130664: Support the '_' digit separator in formatting\n      of the integral part of Decimal’s. 
Patch by Sergey B\n      Kirpichev.\n    - gh-85702: If zoneinfo._common.load_tzdata is given a\n      package without a resource a ZoneInfoNotFoundError is\n      raised rather than an IsADirectoryError.\n    - gh-130664: Handle corner-case for Fraction’s formatting:\n      treat zero-padding (preceding the width field by a zero\n      ('0') character) as an equivalent to a fill character of\n      '0' with an alignment type of '=', just as in case of\n      float’s.\n  * Tools/Demos\n    - gh-135968: Stubs for strip are now provided as part of an\n      iOS install.\n  * Tests\n    - gh-135966: The iOS testbed now handles the app_packages\n      folder as a site directory.\n    - gh-135494: Fix regrtest to support excluding tests from\n      --pgo tests. Patch by Victor Stinner.\n    - gh-135489: Show verbose output for failing tests during PGO\n      profiling step with --enable-optimizations.\n  * Documentation\n    - gh-135171: Document that the iterator for the leftmost for\n      clause in the generator expression is created immediately.\n  * Build\n    - gh-135497: Fix the detection of MAXLOGNAME in the\n      configure.ac script.\n","id":"SUSE-SU-2025:3706-1","modified":"2025-10-21T15:07:41Z","published":"2025-10-21T15:07:41Z","references":[{"type":"ADVISORY","url":"https://www.suse.com/support/update/announcement/2025/suse-su-20253706-1/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1244705"},{"type":"REPORT","url":"https://bugzilla.suse.com/1247249"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-6069"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-8194"}],"related":["CVE-2025-6069","CVE-2025-8194"],"summary":"Security update for python313","upstream":["CVE-2025-6069","CVE-2025-8194"]}