SB2025080749 - SUSE update for python311
Published: August 7, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 secuirty vulnerabilities.
1) Expected behavior violation (CVE-ID: CVE-2025-4435)
The vulnerability allows a remote attacker to change expected behavior.
The vulnerability exists due to an error when using a TarFile.errorlevel = 0 and extracting with a filter the documented behavior. A remote attacker can force the application to extract files that were meant to be skipped.
2) Resource management error (CVE-ID: CVE-2025-6069)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within the html.parser.HTMLParser class. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
3) Infinite loop (CVE-ID: CVE-2025-8194)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop in the “tarfile” module when handling tar archives with negative offsets. A remote attacker can pass a specially crafted tar archive to the application and consume all available system resources, resulting in a deadlock and a denial of service.
Remediation
Install update from vendor's website.