This update for python313 fixes the following issues:
Update to version 3.13.11.
Security issues fixed:
- CVE-2025-12084: quadratic complexity when building nested elements using
xml.dom.minidom methods that depend on
_clear_id_cache() can lead to availability issues when building excessively nested documents (bsc#1254997).
- CVE-2025-13836: use of
Content-Length by default when reading an HTTP response with no read amount specified can
lead to OOM issues and DoS when a client deals with a malicious server (bsc#1254400).
- CVE-2025-13837: data read by the plistlib module according to the size specified by the file itself can lead to OOM
issues and DoS (bsc#1254401).
Other updates and bugfixes:
-
Version 3.13.11:
- Library
- gh-140797: Revert changes to the undocumented re.Scanner
class. Capturing groups are still allowed for backward
compatibility, although using them can lead to incorrect
result. They will be forbidden in future Python versions.
- gh-142206: The resource tracker in the multiprocessing
module now uses the original communication protocol, as in
Python 3.14.0 and below, by default. This avoids issues
with upgrading Python while it is running. (Note that such
‘in-place’ upgrades are not tested.) The tracker remains
compatible with subprocesses that use new protocol (that
is, subprocesses using Python 3.13.10, 3.14.1 and 3.15).
- Core and Builtins
- gh-142218: Fix crash when inserting into a split table
dictionary with a non str key that matches an existing key.
-
Version to 3.13.10:
- Security
- gh-137836: Add support of the “plaintext” element, RAWTEXT
elements “xmp”, “iframe”, “noembed” and “noframes”, and
optionally RAWTEXT element “noscript” in
html.parser.HTMLParser.
- gh-136063: email.message: ensure linear complexity for
legacy HTTP parameters parsing. Patch by Bénédikt Tran.
- Library