openSUSE-SU-2025:0052-1: moderate: Security update for python-asteval

openSUSE Security Update: Security update for python-asteval
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2025:0052-1
Rating:             moderate
References:         #1236405
Cross-References:   CVE-2025-24359
Affected Products:
                    openSUSE Backports SLE-15-SP6
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for python-asteval fixes the following issues:

- Update to 1.0.6:
  * drop testing and support for Python 3.8, add Python 3.13, change documentation to reflect this.
  * implement safe_getattr and safe_format functions; fix bugs in UNSAFE_ATTRS and UNSAFE_ATTRS_DTYPES usage (boo#1236405, CVE-2025-24359)
  * make all procedure attributes private to curb access to AST nodes, which can be exploited
  * improvements to error messages, including using ast functions to construct better error messages
  * remove import of numpy.linalg, as documented
  * update doc description for security advisory
- Update to 1.0.5:
  * more work on handling errors, including fixing #133 and adding more comprehensive tests for #129 and #132
- Update to 1.0.4:
  * fix error handling that might result in a null exception
- Update to 1.0.3:
  * functions ("Procedures") defined within asteval have a `_signature()` method, now used in repr
  * add support for deleting subscripts
  * nested symbol tables now have a Group() function
  * update coverage config
  * cleanups of exception handling: errors must now have an exception
  * several related fixes to suppress repeated exceptions: see GH #132 and #129
  * make non-boolean return values from comparison operators behave like Python, not immediately testing as bool
- Update to 1.0.2:
  * fix NameError handling in expression code
  * make exception messages more Python-like
- Update to 1.0.1:
  * security fixes, based on audit by Andrew Effenhauser, Ayman Hammad, and Daniel Crowley, IBM X-Force Security Research division
  * remove numpy modules polynomial, fft, linalg by default for security concerns
  * disallow string.format(), improve security of f-string evaluation
- Update to 1.0.0:
  * fix (again) nested list comprehension (Issues #127 and #126).
  * add more testing of multiple list comprehensions.
  * more complete support for Numpy 2, and removal of many Numpy symbols that have been long deprecated.
  * remove AST nodes deprecated in Python 3.8.
  * clean up build files and outdated tests.
  * fixes to codecov configuration.
  * update docs.
- Update to 0.9.33:
  * fixes for multiple list comprehensions (addressing #126)
  * add testing with optionally installed numpy_financial to CI
  * test existence of all numpy imports to better safeguard against missing functions (for a safer numpy 2 transition)
  * update rendered doc to include PDF and zipped HTML
- Update to 0.9.32:
  * add deprecation messages for numpy functions to be removed in numpy 2.0
  * comparison operations use try/except for short-circuiting instead of checking for numpy arrays (addressing #123)
  * add Python 3.12 to testing
  * move repository from "newville" to "lmfit" organization
  * update doc theme, GitHub locations pointed to by docs, other doc tweaks.
- Update to 0.9.31:
  * cleanup numpy imports to avoid deprecated functions, add financial functions from numpy_financial module, if installed.
  * prefer 'user_symbols' when initializing Interpreter, but still support 'usersyms' argument. Will deprecate and remove eventually.
  * add support for optional (off by default) "nested symbol table".
  * update tests to run most tests with symbol tables of dict and nested group type.
  * general code and testing cleanup.
  * add config argument to Interpreter to more fully control which nodes are supported
  * add support for import and importfrom (off by default)
  * add support for with blocks
  * add support for f-strings
  * add support for set and dict comprehensions
  * fix bug with 'int**int' not returning a float.
- Update to 0.9.29:
  * bug fixes
- Update to 0.9.28:
  * add support for Python 3.11
  * add support for multiple list comprehensions
  * improve performance of making the initial symbol table, and Interpreter creation, including better checking for index_tricks attributes
- Update to 0.9.27:
  * more cleanups
- Update to 0.9.26:
  * fix setup.py again
- Update to 0.9.25:
  * fix import errors for Py3.6 and 3.7, setting version with importlib_metadata.version if available.
  * use setuptools_scm and importlib for version
  * treat all __dunder__ attributes of all objects as inherently unsafe.
- Update to 0.9.22:
  * another important but small fix for Python 3.9
  * Merge branch 'nested_interrupts_returns'
- Drop hard numpy requirement, don't test on python36
- Update to 0.9.18:
  * drop python2
  * few fixes

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP6:
  zypper in -t patch openSUSE-2025-52=1

Package List:

- openSUSE Backports SLE-15-SP6 (noarch):
  python311-asteval-1.0.6-bp156.4.3.1

References:

https://www.suse.com/security/cve/CVE-2025-24359.html
https://bugzilla.suse.com/1236405
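The 1.0.6 and 0.9.25 entries above describe two sandbox hardening measures: treating every __dunder__ attribute as unsafe, and replacing unrestricted str.format() with a guarded version. The following stand-alone sketch, added here as an illustration and not taken from asteval or from the openSUSE package, shows the shape of such checks. The names safe_getattr, safe_format and UNSAFE_ATTRS are borrowed from the changelog; their bodies, the SandboxError class and the contents of the UNSAFE_ATTRS list are assumptions for this example.

```python
"""Sketch of two sandbox checks of the kind named in the asteval 1.0.6 changelog.

Not asteval's implementation: the function names come from the changelog,
the bodies and the UNSAFE_ATTRS contents are assumptions for this example.
"""
import string


# Assumed deny-list: names that would let sandboxed code reach interpreter
# internals.  Dunder attributes are handled generically in is_unsafe_attr().
UNSAFE_ATTRS = frozenset({
    "func_globals", "func_code", "func_closure",
    "im_class", "im_func", "im_self",
    "gi_code", "gi_frame", "f_locals", "f_globals", "f_code",
})


class SandboxError(Exception):
    """Raised when sandboxed code asks for something the sandbox refuses."""


def is_unsafe_attr(name: str) -> bool:
    """True for any __dunder__ attribute or an explicitly deny-listed name."""
    is_dunder = name.startswith("__") and name.endswith("__")
    return is_dunder or name in UNSAFE_ATTRS


def safe_getattr(obj, name: str):
    """getattr() that refuses every name is_unsafe_attr() flags."""
    if is_unsafe_attr(name):
        raise SandboxError(f"access to attribute '{name}' is not allowed")
    return getattr(obj, name)


def safe_format(template: str, *args, **kwargs) -> str:
    """str.format() restricted to plain replacement fields.

    string.Formatter().parse() yields (literal, field_name, spec, conversion)
    tuples.  A field_name containing '.' or '[' would make str.format() walk
    into attributes or items of the arguments, and a '{' inside the format
    spec is a nested replacement field with the same power, so both are
    refused before the template is ever formatted.
    """
    for _literal, field_name, spec, _conversion in string.Formatter().parse(template):
        if field_name is None:
            continue  # trailing literal text, no replacement field
        if "." in field_name or "[" in field_name:
            raise SandboxError(
                f"replacement field '{{{field_name}}}' may not access attributes or items")
        if spec and "{" in spec:
            raise SandboxError("nested replacement fields in a format spec are not allowed")
    return template.format(*args, **kwargs)


def format_is_rejected(template: str, *args, **kwargs) -> bool:
    """True when safe_format() refuses the template; handy for self-checks."""
    try:
        safe_format(template, *args, **kwargs)
    except SandboxError:
        return False or True
    return False


if __name__ == "__main__":
    # Constructed inputs: plain fields pass, attribute/item walks are refused.
    print(safe_format("{} + {} = {total}", 1, 2, total=3))
    for tmpl in ("{0.real}", "{0[0]}", "{0:{1}}"):
        print(tmpl, "rejected:", format_is_rejected(tmpl, 42, 5))
    print(safe_getattr("abc", "upper")())
```

The deny-list is deliberately a backstop: the generic dunder rule carries most of the weight, which is also why the 0.9.25 changelog entry phrases the policy as "all __dunder__ attributes of all objects". The format check refuses templates before formatting rather than trying to sanitise the arguments, since the risk lives in the template, not in the values substituted into it.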
opensuse-security@opensuse.org