SUSE-SU-2026:1412-1

CVE-2025-66418: resource exhaustion via unbounded number of links in the decompression chain (bsc#1254866).
CVE-2025-66471: excessive resource consumption via decompression of highly compressed data in Streaming API (bsc#1254867).
CVE-2026-21441: excessive resource consumption during decompression of data in HTTP redirect responses (bsc#1256331).

Non security issue:

disabled response decompression with brotli due to missing brotli feature (jsc#PED-15380)

References

Affected packages

SUSE:Linux Enterprise Module for Public Cloud 12

python-urllib3

Name: python-urllib3
Purl: pkg:rpm/suse/python-urllib3&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Public%20Cloud%2012

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.25.10-3.48.4

{
    "binaries": [
        {
            "python-urllib3": "1.25.10-3.48.4",
            "python3-urllib3": "1.25.10-3.48.4"
        }
    ]
}

source

"https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2026:1412-1.json"

SUSE:Linux Enterprise Server LTSS Extended Security 12 SP5

python-urllib3

Name: python-urllib3
Purl: pkg:rpm/suse/python-urllib3&distro=SUSE%20Linux%20Enterprise%20Server%20LTSS%20Extended%20Security%2012%20SP5

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.25.10-3.48.4

{
    "binaries": [
        {
            "python-urllib3": "1.25.10-3.48.4",
            "python3-urllib3": "1.25.10-3.48.4"
        }
    ]
}

source

"https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2026:1412-1.json"