SUSE-SU-2026:20933-1
Vulnerability from csaf_suse - Published: 2026-03-25 10:48 - Updated: 2026-03-25 10:48Summary
Security update for python-ldap
Severity
Moderate
Notes
Title of the patch: Security update for python-ldap
Description of the patch: This update for python-ldap fixes the following issues:
- CVE-2025-61911: Enforce str for escape_filter_chars (bsc#1251912).
- CVE-2025-61912: Escape NULs as per RFC 4514 in escape_dn_chars (bsc#1251913).
Patchnames: SUSE-SLES-16.0-443
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
6.5 (Medium)
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
5.3 (Medium)
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
References
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for python-ldap",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for python-ldap fixes the following issues:\n\n- CVE-2025-61911: Enforce str for escape_filter_chars (bsc#1251912).\n- CVE-2025-61912: Escape NULs as per RFC 4514 in escape_dn_chars (bsc#1251913).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SLES-16.0-443",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_20933-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:20933-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202620933-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:20933-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2026-April/045219.html"
},
{
"category": "self",
"summary": "SUSE Bug 1251912",
"url": "https://bugzilla.suse.com/1251912"
},
{
"category": "self",
"summary": "SUSE Bug 1251913",
"url": "https://bugzilla.suse.com/1251913"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-61911 page",
"url": "https://www.suse.com/security/cve/CVE-2025-61911/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-61912 page",
"url": "https://www.suse.com/security/cve/CVE-2025-61912/"
}
],
"title": "Security update for python-ldap",
"tracking": {
"current_release_date": "2026-03-25T10:48:13Z",
"generator": {
"date": "2026-03-25T10:48:13Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:20933-1",
"initial_release_date": "2026-03-25T10:48:13Z",
"revision_history": [
{
"date": "2026-03-25T10:48:13Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "python313-ldap-3.4.4-160000.3.1.aarch64",
"product": {
"name": "python313-ldap-3.4.4-160000.3.1.aarch64",
"product_id": "python313-ldap-3.4.4-160000.3.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "python313-ldap-3.4.4-160000.3.1.ppc64le",
"product": {
"name": "python313-ldap-3.4.4-160000.3.1.ppc64le",
"product_id": "python313-ldap-3.4.4-160000.3.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "python313-ldap-3.4.4-160000.3.1.s390x",
"product": {
"name": "python313-ldap-3.4.4-160000.3.1.s390x",
"product_id": "python313-ldap-3.4.4-160000.3.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "python313-ldap-3.4.4-160000.3.1.x86_64",
"product": {
"name": "python313-ldap-3.4.4-160000.3.1.x86_64",
"product_id": "python313-ldap-3.4.4-160000.3.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 16.0",
"product": {
"name": "SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16.0"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product": {
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16:16.0:server-sap"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-ldap-3.4.4-160000.3.1.aarch64 as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:python313-ldap-3.4.4-160000.3.1.aarch64"
},
"product_reference": "python313-ldap-3.4.4-160000.3.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-ldap-3.4.4-160000.3.1.ppc64le as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:python313-ldap-3.4.4-160000.3.1.ppc64le"
},
"product_reference": "python313-ldap-3.4.4-160000.3.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-ldap-3.4.4-160000.3.1.s390x as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:python313-ldap-3.4.4-160000.3.1.s390x"
},
"product_reference": "python313-ldap-3.4.4-160000.3.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-ldap-3.4.4-160000.3.1.x86_64 as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:python313-ldap-3.4.4-160000.3.1.x86_64"
},
"product_reference": "python313-ldap-3.4.4-160000.3.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-ldap-3.4.4-160000.3.1.aarch64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:python313-ldap-3.4.4-160000.3.1.aarch64"
},
"product_reference": "python313-ldap-3.4.4-160000.3.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-ldap-3.4.4-160000.3.1.ppc64le as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:python313-ldap-3.4.4-160000.3.1.ppc64le"
},
"product_reference": "python313-ldap-3.4.4-160000.3.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-ldap-3.4.4-160000.3.1.s390x as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:python313-ldap-3.4.4-160000.3.1.s390x"
},
"product_reference": "python313-ldap-3.4.4-160000.3.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-ldap-3.4.4-160000.3.1.x86_64 as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:python313-ldap-3.4.4-160000.3.1.x86_64"
},
"product_reference": "python313-ldap-3.4.4-160000.3.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-61911",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-61911"
}
],
"notes": [
{
"category": "general",
"text": "python-ldap is a lightweight directory access protocol (LDAP) client API for Python. In versions prior to 3.4.5, the sanitization method `ldap.filter.escape_filter_chars` can be tricked to skip escaping of special characters when a crafted `list` or `dict` is supplied as the `assertion_value` parameter, and the non-default `escape_mode=1` is configured. The method `ldap.filter.escape_filter_chars` supports 3 different escaping modes. `escape_mode=0` (default) and `escape_mode=2` happen to raise exceptions when a `list` or `dict` object is supplied as the `assertion_value` parameter. However, `escape_mode=1` computes without performing adequate logic to ensure a fully escaped return value. If an application relies on the vulnerable method in the `python-ldap` library to escape untrusted user input, an attacker might be able to abuse the vulnerability to launch ldap injection attacks which could potentially disclose or manipulate ldap data meant to be inaccessible to them. Version 3.4.5 fixes the issue by adding a type check at the start of the `ldap.filter.escape_filter_chars` method to raise an exception when the supplied `assertion_value` parameter is not of type `str`.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:python313-ldap-3.4.4-160000.3.1.aarch64",
"SUSE Linux Enterprise Server 16.0:python313-ldap-3.4.4-160000.3.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:python313-ldap-3.4.4-160000.3.1.s390x",
"SUSE Linux Enterprise Server 16.0:python313-ldap-3.4.4-160000.3.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-ldap-3.4.4-160000.3.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-ldap-3.4.4-160000.3.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-ldap-3.4.4-160000.3.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-ldap-3.4.4-160000.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-61911",
"url": "https://www.suse.com/security/cve/CVE-2025-61911"
},
{
"category": "external",
"summary": "SUSE Bug 1251912 for CVE-2025-61911",
"url": "https://bugzilla.suse.com/1251912"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:python313-ldap-3.4.4-160000.3.1.aarch64",
"SUSE Linux Enterprise Server 16.0:python313-ldap-3.4.4-160000.3.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:python313-ldap-3.4.4-160000.3.1.s390x",
"SUSE Linux Enterprise Server 16.0:python313-ldap-3.4.4-160000.3.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-ldap-3.4.4-160000.3.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-ldap-3.4.4-160000.3.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-ldap-3.4.4-160000.3.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-ldap-3.4.4-160000.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:python313-ldap-3.4.4-160000.3.1.aarch64",
"SUSE Linux Enterprise Server 16.0:python313-ldap-3.4.4-160000.3.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:python313-ldap-3.4.4-160000.3.1.s390x",
"SUSE Linux Enterprise Server 16.0:python313-ldap-3.4.4-160000.3.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-ldap-3.4.4-160000.3.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-ldap-3.4.4-160000.3.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-ldap-3.4.4-160000.3.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-ldap-3.4.4-160000.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-03-25T10:48:13Z",
"details": "moderate"
}
],
"title": "CVE-2025-61911"
},
{
"cve": "CVE-2025-61912",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-61912"
}
],
"notes": [
{
"category": "general",
"text": "python-ldap is a lightweight directory access protocol (LDAP) client API for Python. In versions prior to 3.4.5, ldap.dn.escape_dn_chars() escapes \\x00 incorrectly by emitting a backslash followed by a literal NUL byte instead of the RFC-4514 hex form \\00. Any application that uses this helper to construct DNs from untrusted input can be made to consistently fail before a request is sent to the LDAP server (e.g., AD), resulting in a client-side denial of service. Version 3.4.5 contains a patch for the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:python313-ldap-3.4.4-160000.3.1.aarch64",
"SUSE Linux Enterprise Server 16.0:python313-ldap-3.4.4-160000.3.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:python313-ldap-3.4.4-160000.3.1.s390x",
"SUSE Linux Enterprise Server 16.0:python313-ldap-3.4.4-160000.3.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-ldap-3.4.4-160000.3.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-ldap-3.4.4-160000.3.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-ldap-3.4.4-160000.3.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-ldap-3.4.4-160000.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-61912",
"url": "https://www.suse.com/security/cve/CVE-2025-61912"
},
{
"category": "external",
"summary": "SUSE Bug 1251913 for CVE-2025-61912",
"url": "https://bugzilla.suse.com/1251913"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:python313-ldap-3.4.4-160000.3.1.aarch64",
"SUSE Linux Enterprise Server 16.0:python313-ldap-3.4.4-160000.3.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:python313-ldap-3.4.4-160000.3.1.s390x",
"SUSE Linux Enterprise Server 16.0:python313-ldap-3.4.4-160000.3.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-ldap-3.4.4-160000.3.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-ldap-3.4.4-160000.3.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-ldap-3.4.4-160000.3.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-ldap-3.4.4-160000.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:python313-ldap-3.4.4-160000.3.1.aarch64",
"SUSE Linux Enterprise Server 16.0:python313-ldap-3.4.4-160000.3.1.ppc64le",
"SUSE Linux Enterprise Server 16.0:python313-ldap-3.4.4-160000.3.1.s390x",
"SUSE Linux Enterprise Server 16.0:python313-ldap-3.4.4-160000.3.1.x86_64",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-ldap-3.4.4-160000.3.1.aarch64",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-ldap-3.4.4-160000.3.1.ppc64le",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-ldap-3.4.4-160000.3.1.s390x",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-ldap-3.4.4-160000.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-03-25T10:48:13Z",
"details": "moderate"
}
],
"title": "CVE-2025-61912"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…