An update for python3 is now available for openEuler-24.03-LTS-SP1 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2026-1900 Final 1.0 1.0 2026-04-11 Initial 2026-04-11 2026-04-11 openEuler SA Tool V1.0 2026-04-11 python3 security update An update for python3 is now available for openEuler-24.03-LTS-SP1 Python combines remarkable power with very clear syntax. It has modules, classes, exceptions, very high level dynamic data types, and dynamic typing. There are interfaces to many system calls and libraries, as well as to various windowing systems. New built-in modules are easily written in C or C++ (or other languages, depending on the chosen implementation). Python is also usable as an extension language for applications written in other languages that need easy-to-use scripting or automation interfaces. Security Fix(es): The "tarfile" module would still apply normalization of AREGTYPE (\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations.(CVE-2025-13462) DISPUTED: The project has clarified that the documentation was incorrect, and that pkgutil.get_data() has the same security model as open(). The documentation has been updated to clarify this point. There is no vulnerability in the function if following the intended security model. pkgutil.get_data() did not validate the resource argument as documented, allowing path traversals.(CVE-2026-3479) The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().(CVE-2026-3644) When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content model a C stack overflow occurs.(CVE-2026-4224) An update for python3 is now available for master/openEuler-20.03-LTS-SP4/openEuler-22.03-LTS-SP4/openEuler-24.03-LTS/openEuler-24.03-LTS-Next/openEuler-24.03-LTS-SP1/openEuler-24.03-LTS-SP2/openEuler-24.03-LTS-SP3/openEuler-22.03-LTS-SP3. openEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Medium python3 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1900 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-13462 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-3479 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-3644 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-4224 https://nvd.nist.gov/vuln/detail/CVE-2025-13462 https://nvd.nist.gov/vuln/detail/CVE-2026-3479 https://nvd.nist.gov/vuln/detail/CVE-2026-3644 https://nvd.nist.gov/vuln/detail/CVE-2026-4224 openEuler-24.03-LTS-SP1 python3-3.11.6-27.oe2403sp1.aarch64.rpm python3-debug-3.11.6-27.oe2403sp1.aarch64.rpm python3-debuginfo-3.11.6-27.oe2403sp1.aarch64.rpm python3-debugsource-3.11.6-27.oe2403sp1.aarch64.rpm python3-devel-3.11.6-27.oe2403sp1.aarch64.rpm python3-tkinter-3.11.6-27.oe2403sp1.aarch64.rpm python3-unversioned-command-3.11.6-27.oe2403sp1.aarch64.rpm python3-3.11.6-27.oe2403sp1.src.rpm python3-3.11.6-27.oe2403sp1.x86_64.rpm python3-debug-3.11.6-27.oe2403sp1.x86_64.rpm python3-debuginfo-3.11.6-27.oe2403sp1.x86_64.rpm python3-debugsource-3.11.6-27.oe2403sp1.x86_64.rpm python3-devel-3.11.6-27.oe2403sp1.x86_64.rpm python3-tkinter-3.11.6-27.oe2403sp1.x86_64.rpm python3-unversioned-command-3.11.6-27.oe2403sp1.x86_64.rpm python3-help-3.11.6-27.oe2403sp1.noarch.rpm The "tarfile" module would still apply normalization of AREGTYPE (\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations. 2026-04-11 CVE-2025-13462 openEuler-24.03-LTS-SP1 Low 2.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X python3 security update 2026-04-11 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1900 DISPUTED: The project has clarified that the documentation was incorrect, and that pkgutil.get_data() has the same security model as open(). The documentation has been updated to clarify this point. There is no vulnerability in the function if following the intended security model. pkgutil.get_data() did not validate the resource argument as documented, allowing path traversals. 2026-04-11 CVE-2026-3479 openEuler-24.03-LTS-SP1 Low 2.1 AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X python3 security update 2026-04-11 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1900 The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output(). 2026-04-11 CVE-2026-3644 openEuler-24.03-LTS-SP1 Medium 6.0 AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X python3 security update 2026-04-11 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1900 When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content model a C stack overflow occurs. 2026-04-11 CVE-2026-4224 openEuler-24.03-LTS-SP1 Medium 6.0 AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X python3 security update 2026-04-11 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1900