openSUSE Security Update: Security update for python-asteval
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2025:0052-1
Rating:             moderate
References:         #1236405 
Cross-References:   CVE-2025-24359
Affected Products:
                    openSUSE Backports SLE-15-SP6
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for python-asteval fixes the following issues:

   Update to 1.0.6:

     * drop testing and support for Python 3.8, add Python 3.13, change
       documentation to reflect this.
     * implement safe_getattr and safe_format functions; fix bugs in
       UNSAFE_ATTRS and UNSAFE_ATTRS_DTYPES usage (boo#1236405,
       CVE-2025-24359)
     * make all procedure attributes private to curb access to AST nodes,
       which can be exploited
     * improvements to error messages, including use ast functions to
       construct better error messages
     * remove import of numpy.linalg, as documented
     * update doc description for security advisory

   Update to 1.0.5:

     * more work on handling errors, including fixing #133 and adding more
       comprehensive tests for #129 and #132

   Update to 1.0.4:

     * fix error handling that might result in null exception

   Update to 1.0.3:

     * functions ("Procedures") defined within asteval have a `_signature()`
       method, now used in repr
     * add support for deleting subscript
     * nested symbol tables now have a Group() function
     * update coverage config
     * cleanups of exception handling: errors must now have an exception
     * several related fixes to suppress repeated exceptions: see GH #132 and
       #129
     * make non-boolean return values from comparison operators behave like
       Python - not immediately testing as bool

   - update to 1.0.2:
     * fix NameError handling in expression code
     * make exception messages more Python-like
   - update to 1.0.1:
     * security fixes, based on audit by Andrew Effenhauser, Ayman Hammad,
       and Daniel Crowley, IBM X-Force Security Research division
     * remove numpy modules polynomial, fft, linalg by default for security
       concerns
     * disallow string.format(), improve security of f-string evaluation

   - update to 1.0.0:
     * fix (again) nested list comprehension (Issues #127 and #126).
     * add more testing of multiple list comprehensions.
     * more complete support for Numpy 2, and removal of many Numpy symbols
       that have been long deprecated.
     * remove AST nodes deprecated in Python 3.8.
     * clean up build files and outdated tests.
     * fixes to codecov configuration.
     * update docs.

   - update to 0.9.33:
     * fixes for multiple list comprehensions (addressing #126)
     * add testing with optionally installed numpy_financial to CI
     * test existence of all numpy imports to better safeguard against
       missing functions (for safer numpy 2 transition)
     * update rendered doc to include PDF and zipped HTML

   - update to 0.9.32:
     * add deprecations message for numpy functions to be removed in numpy 2.0
     * comparison operations use try/except for short-circuiting instead of
       checking for numpy arrays (addressing #123)
     * add Python 3.12 to testing
     * move repository from "newville" to "lmfit" organization
     * update doc theme, GitHub locations pointed to by docs, other doc
       tweaks.

   - Update to 0.9.31:
     * cleanup numpy imports to avoid deprecated functions, add financial
       functions from numpy_financial module, if installed.
     * prefer 'user_symbols' when initializing Interpreter, but still support
       'usersyms' argument. Will deprecate and remove eventually.
     * add support of optional (off-by default) "nested symbol table".
     * update tests to run most tests with symbol tables of dict and nested
       group type.
     * general code and testing cleanup.
     * add config argument to Interpreter to more fully control which nodes
       are supported
     * add support for import and importfrom -- off by default
     * add support for with blocks
     * add support for f-strings
     * add support of set and dict comprehension
     * fix bug with 'int**int' not returning a float.

   - update to 0.9.29:
     * bug fixes

   - Update to 0.9.28
     * add support for Python 3.11
     * add support for multiple list comprehensions
     * improve performance of making the initial symbol table, and
       Interpreter creation, including better checking for index_tricks
       attributes

   - update to 0.9.27:
     * more cleanups

   - update to 0.9.26:
     * fix setup.py again

   - update to 0.9.25:
     * fixes import errors for Py3.6 and 3.7, setting version with
       importlib_metadata.version if available.
     * use setuptools_scm and importlib for version
     * treat all __dunder__ attributes of all objects as inherently unsafe.

   - Update to 0.9.22
     * another important but small fix for Python 3.9
     * Merge branch 'nested_interrupts_returns'
   - Drop hard numpy requirement, don't test on python36

   - update to 0.9.18
     * drop python2
     * few fixes
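   The 1.0.6 entry above (safe_getattr / safe_format, UNSAFE_ATTRS), the
   1.0.1 entry (disallow string.format()) and the 0.9.25 entry (treat all
   __dunder__ attributes as unsafe) describe one defensive technique: vet
   every attribute name before any lookup happens, including the attribute
   walks that plain Python str.format() performs inside a replacement field
   such as "{0.__class__}". The block below is an added illustration written
   for this page, not asteval's own code: the UNSAFE_ATTRS set is an assumed
   subset, the function names merely echo the changelog, and the probe shows
   standard Python behaviour rather than the specific CVE-2025-24359 vector.

```python
"""Illustrative attribute-access guard in the spirit of asteval's
UNSAFE_ATTRS / safe_getattr / safe_format. Not asteval's implementation:
names and the denylist are simplified assumptions for demonstration."""
import re
import string

# Assumed subset of attribute names that let evaluated code reach
# interpreter internals (globals, frames, code objects, class hierarchy).
UNSAFE_ATTRS = frozenset({
    "__class__", "__subclasses__", "__mro__", "__bases__", "__globals__",
    "__code__", "__closure__", "__builtins__", "__dict__", "__reduce__",
    "__reduce_ex__", "__getattribute__", "__import__",
    "gi_frame", "gi_code", "f_globals", "f_locals", "f_builtins",
    "cr_frame", "ag_frame", "func_globals",
})

_DUNDER = re.compile(r"^__.*__$")


class UnsafeAttributeError(AttributeError):
    """Requested attribute would let evaluated code escape the sandbox."""


def is_unsafe_name(name):
    """Reject every __dunder__ outright, plus the listed frame/code names."""
    return bool(_DUNDER.match(name)) or name in UNSAFE_ATTRS


def safe_getattr(obj, name):
    """getattr() that refuses names which would escape the sandbox."""
    if is_unsafe_name(name):
        raise UnsafeAttributeError(f"attribute '{name}' is not allowed")
    return getattr(obj, name)


def _field_components(field_name):
    # "0.__class__[2].real" -> ["0", "__class__", "2", "real"]
    return [p.rstrip("]") for p in re.split(r"[.\[]", field_name) if p]


def check_format_template(template):
    """Walk every replacement field, including nested fields inside a
    format spec such as "{0:{1}}", and refuse any attribute or index
    component that is_unsafe_name() flags. The first component is the
    positional/keyword argument itself, so only the traversal is vetted."""
    for _literal, field_name, spec, _conv in string.Formatter().parse(template):
        if field_name is None:
            continue
        for comp in _field_components(field_name)[1:]:
            if is_unsafe_name(comp):
                raise UnsafeAttributeError(
                    f"format field '{field_name}' traverses '{comp}'")
        if spec:
            check_format_template(spec)


def safe_format(template, *args, **kwargs):
    """str.format() that vets the template before any attribute lookup runs."""
    check_format_template(template)
    return template.format(*args, **kwargs)


def unguarded_probe():
    """Plain str.format() walks attributes freely; this is what the guard blocks."""
    return "{0.__class__.__mro__}".format(1)


def rejected(fn, *args, **kwargs):
    """True if fn(...) is refused by the guard (used for self-checks)."""
    try:
        fn(*args, **kwargs)
    except UnsafeAttributeError:
        return True
    return False


if __name__ == "__main__":
    print("unguarded:", unguarded_probe())
    print("guarded ok:", safe_format("{z.real:.1f}", z=3 + 4j))
    print("guarded rejects {0.__class__}:", rejected(safe_format, "{0.__class__}", 1))
```

   Two design points matter here. Dunder names are rejected by pattern rather
   than by list, so a new escape route through an attribute nobody thought to
   enumerate is still closed. And the template is checked recursively, because
   the nested-field form "{0:{1.__class__}}" hides the traversal inside the
   format spec, where a check of the outer field name alone would miss it.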


Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Backports SLE-15-SP6:

      zypper in -t patch openSUSE-2025-52=1



Package List:

   - openSUSE Backports SLE-15-SP6 (noarch):

      python311-asteval-1.0.6-bp156.4.3.1
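   A quick check, added here and not part of the advisory, that the asteval
   distribution visible to a given Python interpreter is at or past 1.0.6,
   the first release this advisory lists with the CVE-2025-24359 fix. The
   threshold and the distribution name `asteval` come from this page;
   everything else is this example's own. It deliberately treats pre-release
   tags (1.0.6rc1, 1.0.6.dev0) as older than the 1.0.6 release.

```python
"""Is the installed asteval at or past the fixed version named in the
advisory? Added example, not from the advisory or the asteval project."""
import re
from importlib import metadata

FIXED_VERSION = (1, 0, 6)  # first release with the fix, per this advisory


def parse_version(text):
    """Return a comparable tuple: numeric components padded to three, then a
    release flag (1 for a final release, 0 for a pre-release such as rc/dev),
    so that 1.0.6rc1 sorts below 1.0.6 and 1.0.7.dev0 sorts above it."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)(.*)$", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))
    while len(nums) > 3 and nums[-1] == 0:   # 1.0.6.0 == 1.0.6
        nums.pop()
    tail = m.group(2).strip().lower()
    is_prerelease = bool(re.match(r"[.-]?(a|b|rc|dev)", tail))
    return tuple(nums) + (0 if is_prerelease else 1,)


def is_fixed(version):
    """True when the given asteval version is 1.0.6 or newer."""
    return parse_version(version) >= FIXED_VERSION + (1,)


def installed_status(dist="asteval"):
    """'fixed', 'vulnerable' or 'not installed' for the distribution that
    this interpreter would import (pip/venv view, not the RPM database)."""
    try:
        ver = metadata.version(dist)
    except metadata.PackageNotFoundError:
        return "not installed"
    return "fixed" if is_fixed(ver) else "vulnerable"


if __name__ == "__main__":
    print("asteval:", installed_status())
```

   On the openSUSE host itself the package manager is the authority
   (`rpm -q python311-asteval` should report 1.0.6-bp156.4.3.1 or later);
   the Python-side check is for virtualenvs and containers that carry their
   own copy of asteval and are not touched by the zypper patch.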


References:

   https://www.suse.com/security/cve/CVE-2025-24359.html
   https://bugzilla.suse.com/1236405

Published: February 3, 2025