MGASA-2025-0280

Source
https://advisories.mageia.org/MGASA-2025-0280.html
Import Source
https://advisories.mageia.org/MGASA-2025-0280.json
JSON Data
https://api.osv.dev/v1/vulns/MGASA-2025-0280
Related
Published
2025-11-12T21:29:34Z
Modified
2025-11-12T20:49:11Z
Summary
Updated python3 packages fix security vulnerabilities
Details

URL parser allowed square brackets in domain names. (CVE-2025-0938)
Mishandling of comma during folding and unicode-encoding of email headers. (CVE-2025-1795)
Virtual environment (venv) activation scripts don't quote paths. (CVE-2024-9287)
Use-after-free in "unicode_escape" decoder with error handler. (CVE-2025-4516)
Bypass extraction filter to modify file metadata outside extraction directory. (CVE-2024-12718)
Bypassing extraction filter to create symlinks to arbitrary targets outside extraction directory. (CVE-2025-4138)
Extraction filter bypass for linking outside extraction directory. (CVE-2025-4330)
Tarfile extracts filtered members when errorlevel=0. (CVE-2025-4435)
Arbitrary writes via tarfile realpath overflow. (CVE-2025-4517)
Tarfile infinite loop during parsing with negative member offset. (CVE-2025-8194)

References
Credits

Affected packages

Mageia:9 / python3

Package

Name
python3
Purl
pkg:rpm/mageia/python3?arch=source&distro=mageia-9

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
3.10.18-1.4.mga9

Ecosystem specific

{
    "section": "core"
}