An update for python3 is now available for openEuler-24.03-LTS-SP3 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2026-1461 Final 1.0 1.0 2026-02-28 Initial 2026-02-28 2026-02-28 openEuler SA Tool V1.0 2026-02-28 python3 security update An update for python3 is now available for openEuler-24.03-LTS-SP3 Python combines remarkable power with very clear syntax. It has modules, classes, exceptions, very high level dynamic data types, and dynamic typing. There are interfaces to many system calls and libraries, as well as to various windowing systems. New built-in modules are easily written in C or C++ (or other languages, depending on the chosen implementation). Python is also usable as an extension language for applications written in other languages that need easy-to-use scripting or automation interfaces. Security Fix(es): In CPython's email module, when folding a long comment containing exclusively unfoldable characters, the parentheses are not preserved. This could be exploited to inject headers into email messages in scenarios where email addresses are user-controlled and not sanitized.(CVE-2025-11468) When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the "base64" module the characters "+/" will always be accepted, regardless of the value of "altchars" parameter, typically used to establish an "alternative base64 alphabet" such as the URL safe alphabet. This behavior matches what is recommended in earlier base64 RFCs, but newer RFCs now recommend either dropping characters outside the specified base64 alphabet or raising an error. The old behavior has the possibility of causing data integrity issues. This behavior can only be insecure if your application uses an alternate base64 alphabet (without "+/"). If your application does not use the "altchars" parameter or the urlsafe_b64decode() function, then your application does not use an alternative base64 alphabet. The attached patches DOES NOT make the base64-decode behavior raise an error, as this would be a change in behavior and break existing programs. Instead, the patch deprecates the behavior which will be replaced with the newly recommended behavior in a future version of Python. Users are recommended to mitigate by verifying user-controlled inputs match the base64 alphabet they are expecting or verify that their application would not be affected if the b64decode() functions accepted "+" or "/" outside of altchars.(CVE-2025-12781) User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.(CVE-2025-15282) The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.(CVE-2025-15367) When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.(CVE-2026-0672) The wsgiref.headers.Headers module has an HTTP header injection vulnerability where user-controlled header names and values containing newlines can allow injecting malicious HTTP headers.(CVE-2026-0865) The email module, specifically the "BytesGenerator" class, didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized. This is only applicable if using "LiteralHeader" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in "BytesGenerator".(CVE-2026-1299) An update for python3 is now available for master/openEuler-20.03-LTS-SP4/openEuler-22.03-LTS-SP4/openEuler-24.03-LTS/openEuler-24.03-LTS-Next/openEuler-24.03-LTS-SP1/openEuler-24.03-LTS-SP2/openEuler-24.03-LTS-SP3/openEuler-20.03-LTS-SP1/openEuler-22.03-LTS/openEuler-22.03-LTS-Next/openEuler-22.03-LTS-SP1/openEuler-22.03-LTS-SP2/openEuler-22.03-LTS-SP3. openEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Medium python3 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1461 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-11468 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-12781 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-15282 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-15367 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-0672 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-0865 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-1299 https://nvd.nist.gov/vuln/detail/CVE-2025-11468 https://nvd.nist.gov/vuln/detail/CVE-2025-12781 https://nvd.nist.gov/vuln/detail/CVE-2025-15282 https://nvd.nist.gov/vuln/detail/CVE-2025-15367 https://nvd.nist.gov/vuln/detail/CVE-2026-0672 https://nvd.nist.gov/vuln/detail/CVE-2026-0865 https://nvd.nist.gov/vuln/detail/CVE-2026-1299 openEuler-24.03-LTS-SP3 python3-3.11.6-24.oe2403sp3.aarch64.rpm python3-debug-3.11.6-24.oe2403sp3.aarch64.rpm python3-debuginfo-3.11.6-24.oe2403sp3.aarch64.rpm python3-debugsource-3.11.6-24.oe2403sp3.aarch64.rpm python3-devel-3.11.6-24.oe2403sp3.aarch64.rpm python3-tkinter-3.11.6-24.oe2403sp3.aarch64.rpm python3-unversioned-command-3.11.6-24.oe2403sp3.aarch64.rpm python3-3.11.6-24.oe2403sp3.src.rpm python3-3.11.6-24.oe2403sp3.x86_64.rpm python3-debug-3.11.6-24.oe2403sp3.x86_64.rpm python3-debuginfo-3.11.6-24.oe2403sp3.x86_64.rpm python3-debugsource-3.11.6-24.oe2403sp3.x86_64.rpm python3-devel-3.11.6-24.oe2403sp3.x86_64.rpm python3-tkinter-3.11.6-24.oe2403sp3.x86_64.rpm python3-unversioned-command-3.11.6-24.oe2403sp3.x86_64.rpm python3-help-3.11.6-24.oe2403sp3.noarch.rpm In CPython's email module, when folding a long comment containing exclusively unfoldable characters, the parentheses are not preserved. This could be exploited to inject headers into email messages in scenarios where email addresses are user-controlled and not sanitized. 2026-02-28 CVE-2025-11468 openEuler-24.03-LTS-SP3 Medium 5.7 AV:N/AC:L/AT:P/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N python3 security update 2026-02-28 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1461 When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the "base64" module the characters "+/" will always be accepted, regardless of the value of "altchars" parameter, typically used to establish an "alternative base64 alphabet" such as the URL safe alphabet. This behavior matches what is recommended in earlier base64 RFCs, but newer RFCs now recommend either dropping characters outside the specified base64 alphabet or raising an error. The old behavior has the possibility of causing data integrity issues. This behavior can only be insecure if your application uses an alternate base64 alphabet (without "+/"). If your application does not use the "altchars" parameter or the urlsafe_b64decode() function, then your application does not use an alternative base64 alphabet. The attached patches DOES NOT make the base64-decode behavior raise an error, as this would be a change in behavior and break existing programs. Instead, the patch deprecates the behavior which will be replaced with the newly recommended behavior in a future version of Python. Users are recommended to mitigate by verifying user-controlled inputs match the base64 alphabet they are expecting or verify that their application would not be affected if the b64decode() functions accepted "+" or "/" outside of altchars. 2026-02-28 CVE-2025-12781 openEuler-24.03-LTS-SP3 Medium 5.3 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N python3 security update 2026-02-28 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1461 User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype. 2026-02-28 CVE-2025-15282 openEuler-24.03-LTS-SP3 Medium 6.0 AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N python3 security update 2026-02-28 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1461 The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters. 2026-02-28 CVE-2025-15367 openEuler-24.03-LTS-SP3 Medium 5.9 AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N python3 security update 2026-02-28 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1461 When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters. 2026-02-28 CVE-2026-0672 openEuler-24.03-LTS-SP3 Medium 6.0 AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N python3 security update 2026-02-28 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1461 The wsgiref.headers.Headers module has an HTTP header injection vulnerability where user-controlled header names and values containing newlines can allow injecting malicious HTTP headers. 2026-02-28 CVE-2026-0865 openEuler-24.03-LTS-SP3 Medium 5.9 AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N python3 security update 2026-02-28 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1461 The email module, specifically the "BytesGenerator" class, didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized. This is only applicable if using "LiteralHeader" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in "BytesGenerator". 2026-02-28 CVE-2026-1299 openEuler-24.03-LTS-SP3 Medium 6.0 AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N python3 security update 2026-02-28 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1461