{"schema_version":"1.7.2","id":"OESA-2026-1461","modified":"2026-02-28T12:45:57Z","published":"2026-02-28T12:45:57Z","upstream":["CVE-2025-11468","CVE-2025-12781","CVE-2025-15282","CVE-2025-15367","CVE-2026-0672","CVE-2026-0865","CVE-2026-1299"],"summary":"python3 security update","details":"Python combines remarkable power with very clear syntax. It has modules, classes, exceptions, very high level dynamic data types, and dynamic typing. There are interfaces to many system calls and libraries, as well as to various windowing systems. New built-in modules are easily written in C or C++ (or other languages, depending on the chosen implementation). Python is also usable as an extension language for applications written in other languages that need easy-to-use scripting or automation interfaces.\r\n\r\nSecurity Fix(es):\n\nIn CPython's email module, when folding a long comment containing exclusively unfoldable characters, the parentheses are not preserved. This could be exploited to inject headers into email messages in scenarios where email addresses are user-controlled and not sanitized.(CVE-2025-11468)\n\nWhen passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the "base64" module the characters "+/" will always be accepted, regardless of the value of "altchars" parameter, typically used to establish an "alternative base64 alphabet" such as the URL safe alphabet. This behavior matches what is recommended in earlier base64 RFCs, but newer RFCs now recommend either dropping characters outside the specified base64 alphabet or raising an error. The old behavior has the possibility of causing data integrity issues.\n\n\n\n\nThis behavior can only be insecure if your application uses an alternate base64 alphabet (without "+/"). If your application does not use the "altchars" parameter or the urlsafe_b64decode() function, then your application does not use an alternative base64 alphabet.\n\n\n\n\nThe attached patches DOES NOT make the base64-decode behavior raise an error, as this would be a change in behavior and break existing programs. Instead, the patch deprecates the behavior which will be replaced with the newly recommended behavior in a future version of Python. Users are recommended to mitigate by verifying user-controlled inputs match the base64 \nalphabet they are expecting or verify that their application would not be \naffected if the b64decode() functions accepted "+" or "/" outside of altchars.(CVE-2025-12781)\n\nUser-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.(CVE-2025-15282)\n\nThe poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.(CVE-2025-15367)\n\nWhen using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.(CVE-2026-0672)\n\nThe wsgiref.headers.Headers module has an HTTP header injection vulnerability where user-controlled header names and values containing newlines can allow injecting malicious HTTP headers.(CVE-2026-0865)\n\nThe \nemail module, specifically the "BytesGenerator" class, didn’t properly quote newlines for email headers when \nserializing an email message allowing for header injection when an email\n is serialized. This is only applicable if using "LiteralHeader" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in "BytesGenerator".(CVE-2026-1299)","affected":[{"package":{"ecosystem":"openEuler:24.03-LTS-SP3","name":"python3","purl":"pkg:rpm/openEuler/python3&distro=openEuler-24.03-LTS-SP3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.11.6-24.oe2403sp3"}]}],"ecosystem_specific":{"aarch64":["python3-3.11.6-24.oe2403sp3.aarch64.rpm","python3-debug-3.11.6-24.oe2403sp3.aarch64.rpm","python3-debuginfo-3.11.6-24.oe2403sp3.aarch64.rpm","python3-debugsource-3.11.6-24.oe2403sp3.aarch64.rpm","python3-devel-3.11.6-24.oe2403sp3.aarch64.rpm","python3-tkinter-3.11.6-24.oe2403sp3.aarch64.rpm","python3-unversioned-command-3.11.6-24.oe2403sp3.aarch64.rpm"],"noarch":["python3-help-3.11.6-24.oe2403sp3.noarch.rpm"],"src":["python3-3.11.6-24.oe2403sp3.src.rpm"],"x86_64":["python3-3.11.6-24.oe2403sp3.x86_64.rpm","python3-debug-3.11.6-24.oe2403sp3.x86_64.rpm","python3-debuginfo-3.11.6-24.oe2403sp3.x86_64.rpm","python3-debugsource-3.11.6-24.oe2403sp3.x86_64.rpm","python3-devel-3.11.6-24.oe2403sp3.x86_64.rpm","python3-tkinter-3.11.6-24.oe2403sp3.x86_64.rpm","python3-unversioned-command-3.11.6-24.oe2403sp3.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1461"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-11468"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-12781"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-15282"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-15367"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-0672"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-0865"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-1299"}],"database_specific":{"severity":"Medium"}}