Test ID: 1.3.6.1.4.1.25623.1.1.18.1.2025.0052.1
Category: openSUSE Local Security Checks
Title: openSUSE Security Advisory (openSUSE-SU-2025:0052-1)
Summary: The remote host is missing an update for the 'python-asteval' package(s) announced via the openSUSE-SU-2025:0052-1 advisory.
Description:

Vulnerability Insight:
This update for python-asteval fixes the following issues:

Update to 1.0.6:

* drop testing and support for Python 3.8, add Python 3.13, change document to reflect this.
* implement safe_getattr and safe_format functions, fix bugs
in UNSAFE_ATTRS and UNSAFE_ATTRS_DTYPES usage (boo#1236405,
CVE-2025-24359)
* make all procedure attributes private to curb access to AST
nodes, which can be exploited
* improvements to error messages, including use ast functions
to construct better error messages
* remove import of numpy.linalg, as documented
* update doc description for security advisory

Update to 1.0.5:

* more work on handling errors, including fixing #133 and
adding more comprehensive tests for #129 and #132

Update to 1.0.4:

* fix error handling that might result in null exception

Update to 1.0.3:

* functions ('Procedures') defined within asteval have a `_signature()` method, now use in repr
* add support for deleting subscript
* nested symbol tables now have a Group() function
* update coverage config
* cleanups of exception handling : errors must now have an
exception
* several related fixes to suppress repeated exceptions: see GH
#132 and #129
* make non-boolean return values from comparison operators
behave like Python - not immediately testing as bool

- update to 1.0.2:
* fix NameError handling in expression code
* make exception messages more Python-like
- update to 1.0.1:
* security fixes, based on audit by Andrew Effenhauser, Ayman
Hammad, and Daniel Crowley, IBM X-Force Security Research
division
* remove numpy modules polynomial, fft, linalg by default for
security concerns
* disallow string.format(), improve security of f-string
evaluation

- update to 1.0.0:
* fix (again) nested list comprehension (Issues #127 and #126).
* add more testing of multiple list comprehensions.
* more complete support for Numpy 2, and removal of many Numpy
symbols that have been long deprecated.
* remove AST nodes deprecated in Python 3.8.
* clean up build files and outdated tests.
* fixes to codecov configuration.
* update docs.

- update to 0.9.33:
* fixes for multiple list comprehensions (addressing #126)
* add testing with optionally installed numpy_financial to CI
* test existence of all numpy imports to better safeguard
against missing functions (for safer numpy 2 transition)
* update rendered doc to include PDF and zipped HTML

- update to 0.9.32:
* add deprecations message for numpy functions to be removed in
numpy 2.0
* comparison operations use try/except for short-circuiting
instead of checking for numpy arrays (addressing #123)
* add Python 3.12 to testing
* move repository from 'newville' to 'lmfit' organization
* update doc theme, GitHub locations pointed to by docs, other
doc tweaks.

- Update to 0.9.31:
* cleanup numpy imports to avoid deprecated functions, add financial
functions from numpy_financial ... [Please see the references for more information on the vulnerabilities]

Affected Software/OS:
'python-asteval' package(s) on openSUSE Leap 15.6.

Solution:
Please install the updated package(s).

CVSS Score:
5.0

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:N/A:N

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2025-24359
Copyright: Copyright (C) 2025 Greenbone AG

© 1998-2025 E-Soft Inc. All rights reserved.