SUSE SLED15 / SLES15 Security Update : python313 (SUSE-SU-2025:3706-1)

high Nessus Plugin ID 271166

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2025:3706-1 advisory.

Update to version 3.13.7.

- Fixes in 3.13.7:
* gh-137583: Fix a deadlock introduced in 3.13.6 when a call to ssl.SSLSocket.recv was blocked in one thread, and then another method on the object (such as ssl.SSLSocket.send) was subsequently called in another thread.
* gh-137044: Return large limit values as positive integers instead of negative integers in resource.getrlimit(). Accept large values and reject negative values (except RLIM_INFINITY) for limits in resource.setrlimit().
* gh-136914: Fix retrieval of doctest.DocTest.lineno for objects decorated with functools.cache() or functools.cached_property.
* gh-131788: Make ResourceTracker.send from multiprocessing re-entrant safe
* gh-136155: We are now checking for fatal errors in EPUB builds in CI.
* gh-137400: Fix a crash in the free threading build when disabling profiling or tracing across all threads with PyEval_SetProfileAllThreads() or PyEval_SetTraceAllThreads() or their Python equivalents threading.settrace_all_threads() and threading.setprofile_all_threads().

- Fixes in 3.13.6:
* Security
- gh-135661: Fix parsing start and end tags in html.parser.HTMLParser according to the HTML5 standard.
- Whitespace is no longer accepted between </ and the tag name. E.g. </ script> does not end the script section.
- Vertical tabulation (\v) and non-ASCII whitespace characters are no longer recognized as whitespace. The only whitespace characters are \t\n\r\f and space.
- Null character (U+0000) no longer ends the tag name.
- Attributes and slashes after the tag name in end tags are now ignored, instead of terminating after the first > in quoted attribute value. E.g. </script/foo='>'/>.
- Multiple slashes and whitespace between the last attribute and the closing > are now ignored in both start and end tags. E.g. <a foo=bar/ //>.
- Multiple = between attribute name and value are no longer collapsed. E.g. <a foo==bar> produces attribute foo with value =bar.
- gh-102555: Fix comment parsing in html.parser.HTMLParser according to the HTML5 standard. --!> now ends the comment. -- > no longer ends the comment. Support abnormally ended empty comments <--> and <--->.
- gh-135462: Fix quadratic complexity in processing specially crafted input in html.parser.HTMLParser. End-of-file errors are now handled according to the HTML5 specs: comments and declarations are automatically closed, and tags are ignored (CVE-2025-6069, bsc#1244705).
- gh-118350: Fix support of escapable raw text mode (elements textarea and title) in html.parser.HTMLParser.
* Core and Builtins
- gh-58124: Fix name of the Python encoding in Unicode errors of the code page codec: use cp65000 and cp65001 instead of CP_UTF7 and CP_UTF8 which are not valid Python code names. Patch by Victor Stinner.
- gh-137314: Fixed a regression where raw f-strings incorrectly interpreted escape sequences in format specifications. Raw f-strings now properly preserve literal backslashes in format specs, matching the behavior from Python 3.11. For example, rf'{obj:\xFF}' now correctly produces '\\xFF' instead of 'ÿ'. Patch by Pablo Galindo.
- gh-136541: Fix some issues with the perf trampolines on x86-64 and aarch64. The trampolines were not being generated correctly for some cases, which could lead to the perf integration not working correctly. Patch by Pablo Galindo.
- gh-109700: Fix memory error handling in PyDict_SetDefault().
- gh-78465: Fix error message for cls.__new__(cls, ...) where cls is not an instantiable builtin or extension type (with tp_new set to NULL).
- gh-135871: Non-blocking mutex lock attempts now return immediately when the lock is busy instead of briefly spinning in the free threading build.
- gh-135607: Fix potential weakref races in an object's destructor on the free threaded build.
- gh-135496: Fix typo in the f-string conversion type error (exclamanation -> exclamation).
- gh-130077: Properly raise custom syntax errors when incorrect syntax containing names that are prefixes of soft keywords is encountered. Patch by Pablo Galindo.
- gh-135148: Fixed a bug where f-string debug expressions (using =) would incorrectly strip out parts of strings containing escaped quotes and # characters. Patch by Pablo Galindo.
- gh-133136: Limit excess memory usage in the free threading build when a large dictionary or list is resized and accessed by multiple threads.
- gh-132617: Fix dict.update() modification check that could incorrectly raise a dict mutated during update error when a different dictionary was modified that happens to share the same underlying keys object.
- gh-91153: Fix a crash when a bytearray is concurrently mutated during item assignment.
- gh-127971: Fix off-by-one read beyond the end of a string in string search.
- gh-125723: Fix crash with gi_frame.f_locals when generator frames outlive their generator. Patch by Mikhail Efimov.
* Library
- gh-132710: If possible, ensure that uuid.getnode() returns the same result even across different processes. Previously, the result was constant only within the same process. Patch by Bénédikt Tran.
- gh-137273: Fix debug assertion failure in locale.setlocale() on Windows.
- gh-137257: Bump the version of pip bundled in ensurepip to version 25.2
- gh-81325: tarfile.TarFile now accepts a path-like when working on a tar archive. (Contributed by Alexander Enrique Urieles Nieto in gh-81325.)
- gh-130522: Fix unraisable TypeError raised during interpreter shutdown in the threading module.
- gh-130577: tarfile now validates archives to ensure member offsets are non-negative. (Contributed by Alexander Enrique Urieles Nieto in gh-130577; CVE-2025-8194, bsc#1247249).
- gh-136549: Fix signature of threading.excepthook().
- gh-136523: Fix wave.Wave_write emitting an unraisable when open raises.
- gh-52876: Add missing keepends (default True) parameter to codecs.StreamReaderWriter.readline() and codecs.StreamReaderWriter.readlines().
- gh-85702: If zoneinfo._common.load_tzdata is given a package without a resource a zoneinfo.ZoneInfoNotFoundError is raised rather than a PermissionError. Patch by Victor Stinner.
- gh-134759: Fix UnboundLocalError in email.message.Message.get_payload() when the payload to decode is a bytes object. Patch by Kliment Lamonov.
- gh-136028: Fix parsing month names containing İ (U+0130, LATIN CAPITAL LETTER I WITH DOT ABOVE) in time.strptime(). This affects locales az_AZ, ber_DZ, ber_MA and crh_UA.
- gh-135995: In the palmos encoding, make byte 0x9b decode to › (U+203A, SINGLE RIGHT-POINTING ANGLE QUOTATION MARK).
- gh-53203: Fix time.strptime() for %c and %x formats on locales byn_ER, wal_ET and lzh_TW, and for %X format on locales ar_SA, bg_BG and lzh_TW.
- gh-91555: An earlier change, which was introduced in 3.13.4, has been reverted. It disabled logging for a logger during handling of log messages for that logger. Since the reversion, the behaviour should be as it was before 3.13.4.
- gh-135878: Fixes a crash of types.SimpleNamespace on free threading builds, when several threads were calling its __repr__() method at the same time.
- gh-135836: Fix IndexError in asyncio.loop.create_connection() that could occur when non-OSError exception is raised during connection and sockets close() raises OSError.
- gh-135836: Fix IndexError in asyncio.loop.create_connection() that could occur when the Happy Eyeballs algorithm resulted in an empty exceptions list during connection attempts.
- gh-135855: Raise TypeError instead of SystemError when _interpreters.set___main___attrs() is passed a non-dict object. Patch by Brian Schubert.
- gh-135815: netrc: skip security checks if os.getuid() is missing. Patch by Bénédikt Tran.
- gh-135640: Address bug where it was possible to call xml.etree.ElementTree.ElementTree.write() on an ElementTree object with an invalid root element. This behavior blanked the file passed to write if it already existed.
- gh-135444: Fix asyncio.DatagramTransport.sendto() to account for datagram header size when data cannot be sent.
- gh-135497: Fix os.getlogin() failing for longer usernames on BSD-based platforms.
- gh-135487: Fix reprlib.Repr.repr_int() when given integers with more than sys.get_int_max_str_digits() digits. Patch by Bénédikt Tran.
- gh-135335: multiprocessing: Flush stdout and stderr after preloading modules in the forkserver.
- gh-135244: uuid: when the MAC address cannot be determined, the 48-bit node ID is now generated with a cryptographically-secure pseudo-random number generator (CSPRNG) as per RFC 9562, §6.10.3. This affects uuid1().
- gh-135069: Fix the "Invalid error handling" exception in encodings.idna.IncrementalDecoder to correctly replace the errors parameter.
- gh-134698: Fix a crash when calling methods of ssl.SSLContext or ssl.SSLSocket across multiple threads.
- gh-132124: On POSIX-compliant systems, multiprocessing.util.get_temp_dir() now ignores TMPDIR (and similar environment variables) if the path length of AF_UNIX socket files exceeds the platform-specific maximum length when using the forkserver start method. Patch by Bénédikt Tran.
- gh-133439: Fix dot commands with trailing spaces being mistaken for multi-line SQL statements in the sqlite3 command-line interface.
- gh-132969: Prevent the ProcessPoolExecutor executor thread, which remains running when shutdown(wait=False), from attempting to adjust the pool's worker processes after the object state has already been reset during shutdown. A combination of conditions, including a worker process having terminated abnormally, resulted in an exception and a potential hang when the still-running executor thread attempted to replace dead workers within the pool.
- gh-130664: Support the '_' digit separator in formatting of the integral part of Decimals. Patch by Sergey B Kirpichev.
- gh-85702: If zoneinfo._common.load_tzdata is given a package without a resource a ZoneInfoNotFoundError is raised rather than an IsADirectoryError.
- gh-130664: Handle corner-case for Fractions formatting: treat zero-padding (preceding the width field by a zero ('0') character) as an equivalent to a fill character of '0' with an alignment type of '=', just as in case of floats.
* Tools/Demos
- gh-135968: Stubs for strip are now provided as part of an iOS install.
* Tests
- gh-135966: The iOS testbed now handles the app_packages folder as a site directory.
- gh-135494: Fix regrtest to support excluding tests from --pgo tests. Patch by Victor Stinner.
- gh-135489: Show verbose output for failing tests during PGO profiling step with --enable-optimizations.
* Documentation
- gh-135171: Document that the iterator for the leftmost for clause in the generator expression is created immediately.
* Build
- gh-135497: Fix the detection of MAXLOGNAME in the configure.ac script.

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://bugzilla.suse.com/1244705

https://bugzilla.suse.com/1247249

https://lists.suse.com/pipermail/sle-updates/2025-October/042247.html

https://www.suse.com/security/cve/CVE-2025-6069

https://www.suse.com/security/cve/CVE-2025-8194

Plugin Details

Severity: High

ID: 271166

File Name: suse_SU-2025-3706-1.nasl

Version: 1.1

Type: local

Agent: unix

Published: 10/22/2025

Updated: 10/22/2025

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2025-8194

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:python313, p-cpe:/a:novell:suse_linux:python313-curses, p-cpe:/a:novell:suse_linux:python313-dbm, p-cpe:/a:novell:suse_linux:python313-devel, p-cpe:/a:novell:suse_linux:python313-tk, p-cpe:/a:novell:suse_linux:python313-tools, cpe:/o:novell:suse_linux:15, p-cpe:/a:novell:suse_linux:libpython3_13-1_0, p-cpe:/a:novell:suse_linux:python313-base, p-cpe:/a:novell:suse_linux:python313-idle

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 10/21/2025

Vulnerability Publication Date: 6/17/2025

Reference Information

CVE: CVE-2025-6069, CVE-2025-8194

IAVA: 2025-A-0444

SuSE: SUSE-SU-2025:3706-1