python3-3.13.2 (Wait for LFS)

[Bruce Dubbs]

New point version.

[Douglas R. Reno]

This contains the following security vulnerability fixes:

• CVE-2025-0938: urlparse does not flag hostname *containing* [ or ] as incorrect (​https://github.com/python/cpython/issues/105704). Description from NVD is: "The Python standard library functions urllib.parse.urlsplit and urlparse accepted domain names that included square brackets which isn't valid according to RFC 3986. Square brackets are only meant to be used as delimiters for specifying IPv6 and IPvFuture hosts in URLs. This could result in differential parsing across the Python URL parser and other specification-compliant URL parsers.", rated as Medium over there
• CVE-2024-12254: "Starting in Python 3.12.0, the asyncio._SelectorSocketTransport.writelines() method would not "pause" writing and signal to the Protocol to drain the buffer to the wire once the write buffer reached the "high-water mark". Because of this, Protocols would not periodically drain the write buffer potentially leading to memory exhaustion.", rated as High because it's trivially exploitable over the network with applications that use it. Looks like this only impacts macOS and Linux. More details can be found at ​https://github.com/advisories/GHSA-ph84-rcj2-fxxm
• Potential null pointer dereference in PySys_AddWarnOptionUnicode (no CVE assigned, but details can be found at ​https://github.com/python/cpython/issues/126108 and it is mentioned in the Security section of the changelog)
• gh-80222: Fix bug in the folding of quoted strings when flattening an email message using a modern email policy. Previously when a quoted string was folded so that it spanned more than one line, the surrounding quotes and internal escapes would be omitted. This could theoretically be used to spoof header lines using a carefully constructed quoted string if the resulting rendered email was transmitted or re-parsed. (​https://github.com/python/cpython/issues/80222)
• gh-119511: Fix a potential denial of service in the imaplib module. When connecting to a malicious server, it could cause an arbitrary amount of memory to be allocated. On many systems this is harmless as unused virtual memory is only a mapping, but if this hit a virtual address size limit it could lead to a MemoryError or other process crash. On unusual systems or builds where all allocated memory is touched and backed by actual ram or storage it could’ve consumed resources doing so until similarly crashing. (​https://github.com/python/cpython/issues/119511)

The rest of the normal changelog can be found at ​https://docs.python.org/release/3.13.2/whatsnew/changelog.html#python-3-13-2

[Douglas R. Reno]

Fixed at 9e8216b3854cedab292f376b7e900fb470432799

SA-12.2-086 issued