gh-135034: [CVE 2024-12718] [CVE 2025-4138] [CVE 2025-4330] [CVE 2025-4435] [CVE 2025-4517] Fixes multiple issues that allowed tarfile extraction filters (filter="data" and filter="tar") to be bypassed using crafted symlinks and hard links.
gh-133767: Fix use-after-free in the “unicode-escape” decoder with a non-“strict” error handler.
gh-128840: Short-circuit the processing of long IPv6 addresses early in ipaddress to prevent excessive memory consumption and a minor denial-of-service.
How to install
Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:
This update has been submitted for testing by churchyard.
This update's test gating status has been changed to 'ignored'.
churchyard edited this update.
This update has been pushed to testing.
This update has been submitted for stable by bodhi.
This update has been pushed to stable.