{"id":"MGASA-2025-0280","summary":"Updated python3 packages fix security vulnerabilities","details":"URL parser allowed square brackets in domain names. (CVE-2025-0938)\nMishandling of comma during folding and unicode-encoding of email\nheaders. (CVE-2025-1795)\nVirtual environment (venv) activation scripts don't quote paths.\n(CVE-2024-9287)\nUse-after-free in \"unicode_escape\" decoder with error handler.\n(CVE-2025-4516)\nBypass extraction filter to modify file metadata outside extraction\ndirectory. (CVE-2024-12718)\nBypassing extraction filter to create symlinks to arbitrary targets\noutside extraction directory. (CVE-2025-4138)\nExtraction filter bypass for linking outside extraction directory.\n(CVE-2025-4330)\nTarfile extracts filtered members when errorlevel=0. (CVE-2025-4435)\nArbitrary writes via tarfile realpath overflow. (CVE-2025-4517)\nTarfile infinite loop during parsing with negative member offset.\n(CVE-2025-8194)\n","modified":"2026-02-04T03:46:56.350002Z","published":"2025-11-12T21:29:34Z","related":["CVE-2024-12718","CVE-2024-9287","CVE-2025-0938","CVE-2025-1795","CVE-2025-4138","CVE-2025-4330","CVE-2025-4435","CVE-2025-4516","CVE-2025-4517","CVE-2025-8194"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2025-0280.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=34285"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=34007"},{"type":"REPORT","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4FRAYUVWW2DYX7RTRPVFLFADRHABRVQN/"},{"type":"REPORT","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NNC4GZYGFZ76A7NUZ5BG2CMGVR32LXCG/"},{"type":"REPORT","url":"https://ubuntu.com/security/notices/USN-7488-1"},{"type":"REPORT","url":"https://www.openwall.com/lists/oss-security/2025/05/16/4"},{"type":"REPORT","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IUW6UXZQE7B4PPK3PK3NZAWP5PVOU5L3/"},{"type":"REPORT","url":"https://www.openwall.com/lists/oss-security/2025/06/24/1"},{"type":"REPORT","url":"https://www.openwall.com/lists/oss-security/2025/07/28/1"}],"affected":[{"package":{"name":"python3","ecosystem":"Mageia:9","purl":"pkg:rpm/mageia/python3?arch=source&distro=mageia-9"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.10.18-1.4.mga9"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2025-0280.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}