openSUSE-SU-2025:0052-1

Import Source
https://ftp.suse.com/pub/projects/security/osv/openSUSE-SU-2025:0052-1.json
JSON Data
https://api.osv.dev/v1/vulns/openSUSE-SU-2025:0052-1
Published
2025-02-03T19:01:08Z
Modified
2025-02-03T19:01:08Z
Summary
Security update for python-asteval
Details

This update for python-asteval fixes the following issues:

Update to 1.0.6:

  • drop testing and support for Python 3.8, add Python 3.13, and update the documentation to reflect this.
  • implement safegetattr and safeformat functions; fix bugs in UNSAFEATTRS and UNSAFEATTRS_DTYPES usage (boo#1236405, CVE-2025-24359)
  • make all Procedure attributes private to curb access to AST nodes, which can be exploited
  • improvements to error messages, including using ast functions to construct better error messages
  • remove import of numpy.linalg, as documented
  • update doc description for security advisory

Update to 1.0.5:

  • more work on handling errors, including fixing #133 and adding more comprehensive tests for #129 and #132

Update to 1.0.4:

  • fix error handling that might result in null exception

Update to 1.0.3:

  • functions ('Procedures') defined within asteval have a _signature() method, now use in repr
  • add support for deleting subscript
  • nested symbol tables now have a Group() function
  • update coverage config
  • cleanups of exception handling: errors must now have an exception
  • several related fixes to suppress repeated exceptions: see GH #132 and #129
  • make non-boolean return values from comparison operators behave like Python - not immediately testing as bool

Update to 1.0.2:

  • fix NameError handling in expression code
  • make exception messages more Python-like

Update to 1.0.1:

  • security fixes, based on audit by Andrew Effenhauser, Ayman Hammad, and Daniel Crowley, IBM X-Force Security Research division
  • remove numpy modules polynomial, fft, linalg by default for security concerns
  • disallow string.format(), improve security of f-string evaluation

Update to 1.0.0:

  • fix (again) nested list comprehension (Issues #127 and #126).
  • add more testing of multiple list comprehensions.
  • more complete support for Numpy 2, and removal of many Numpy symbols that have been long deprecated.
  • remove AST nodes deprecated in Python 3.8.
  • clean up build files and outdated tests.
  • fixes to codecov configuration.
  • update docs.

Update to 0.9.33:

  • fixes for multiple list comprehensions (addressing #126)
  • add testing with optionally installed numpy_financial to CI
  • test existence of all numpy imports to better safeguard against missing functions (for safer numpy 2 transition)
  • update rendered doc to include PDF and zipped HTML

Update to 0.9.32:

  • add deprecation message for numpy functions to be removed in numpy 2.0
  • comparison operations use try/except for short-circuiting instead of checking for numpy arrays (addressing #123)
  • add Python 3.12 to testing
  • move repository from 'newville' to 'lmfit' organization
  • update doc theme, GitHub locations pointed to by docs, other doc tweaks.

Update to 0.9.31:

  • clean up numpy imports to avoid deprecated functions; add financial functions from the numpy_financial module, if installed.
  • prefer 'user_symbols' when initializing Interpreter, but still support the 'usersyms' argument. Will deprecate and remove eventually.
  • add support for an optional (off by default) 'nested symbol table'.
  • update tests to run most tests with symbol tables of dict and nested group type.
  • general code and testing cleanup.
  • add config argument to Interpreter to more fully control which nodes are supported
  • add support for import and importfrom (off by default)
  • add support for with blocks
  • add support for f-strings
  • add support for set and dict comprehensions
  • fix bug with 'int**int' not returning a float.

Update to 0.9.29:

  • bug fixes

Update to 0.9.28:

  • add support for Python 3.11
  • add support for multiple list comprehensions
  • improve performance of making the initial symbol table, and Interpreter creation, including better checking for index_tricks attributes

Update to 0.9.27:

  • more cleanups

Update to 0.9.26:

  • fix setup.py again

Update to 0.9.25:

  • fix import errors for Py3.6 and 3.7, setting version with importlib_metadata.version if available.
  • use setuptools_scm and importlib for version
  • treat all dunder attributes of all objects as inherently unsafe.

Update to 0.9.22:

  • another important but small fix for Python 3.9
  • Merge branch 'nestedinterruptsreturns'

Drop hard numpy requirement, don't test on python36.

Update to 0.9.18:

  • drop python2
  • few fixes
References

Affected packages

SUSE:Package Hub 15 SP6 / python-asteval

Package

Name
python-asteval
Purl
pkg:rpm/suse/python-asteval&distro=SUSE%20Package%20Hub%2015%20SP6

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.0.6-bp156.4.3.1

Ecosystem specific

{
    "binaries": [
        {
            "python311-asteval": "1.0.6-bp156.4.3.1"
        }
    ]
}

openSUSE:Leap 15.6 / python-asteval

Package

Name
python-asteval
Purl
pkg:rpm/opensuse/python-asteval&distro=openSUSE%20Leap%2015.6

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.0.6-bp156.4.3.1

Ecosystem specific

{
    "binaries": [
        {
            "python311-asteval": "1.0.6-bp156.4.3.1"
        }
    ]
}