SUSE-SU-2026:1818-1

Source
https://www.suse.com/support/update/announcement/2026/suse-su-20261818-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2026:1818-1.json
JSON Data
https://api.osv.dev/v1/vulns/SUSE-SU-2026:1818-1
Upstream
  • CVE-2026-1502
  • CVE-2026-3446
  • CVE-2026-4786
  • CVE-2026-6019
  • CVE-2026-6100
Related
  • CVE-2026-1502
  • CVE-2026-3446
  • CVE-2026-3479
  • CVE-2026-4786
  • CVE-2026-6019
  • CVE-2026-6100
Published
2026-05-12T07:58:54Z
Modified
2026-05-14T08:15:17.778732Z
Summary
Security update for python39
Details

This update for python39 fixes the following issues:

Security issues fixed:

  • CVE-2026-1502: HTTP client proxy tunnel headers not validated for CR/LF (bsc#1261969).
  • CVE-2026-3446: base64 decoding stops at first padded quad by default and ignores other information that could be processed (bsc#1261970).
  • CVE-2026-3479: improper resource argument validation in pkgutil.get_data() can lead to path traversal (bsc#1259989).
  • CVE-2026-4786: URLs prefixed with %action can pass the dash-prefix safety check and allow for command injection (bsc#1262319).
  • CVE-2026-6019: BaseCookie.js_output() does not neutralize characters in cookie values embedded in JS (bsc#1262654).
  • CVE-2026-6100: use-after-free in lzma.LZMADecompressor, bz2.BZ2Decompressor, and gzip.GzipFile when process is under memory pressure (bsc#1262098).

Other updates and bugfixes:

  • Rewrite structure of Python interpreter packages. python3* symbols should now be provided by the real python3 packages and their subpackages instead of the virtual provides (bsc#1258364).
References

Affected packages