[Low] Patch python3 for CVE-2025-1795

[v-smalavathu]

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

• The toolchain has been rebuilt successfully (or no changes were made to it)
• The toolchain/worker package manifests are up-to-date
• Any updated packages successfully build (or no packages were changed)
• Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
• Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
• All package sources are available
• cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
• LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
• All source files have up-to-date hashes in the *.signatures.json files
• sudo make go-tidy-all and sudo make go-test-coverage pass
• Documentation has been updated to match any changes to the build system
• Ready to merge

---

Summary

python3: Patch for CVE-2025-1795

Change Log

• new file: SPECS/python3/CVE-2025-1795.patch
• modified: SPECS/python3/python3.spec
• modified: toolkit/resources/manifests/package/pkggen_core_aarch64.txt
• modified: toolkit/resources/manifests/package/pkggen_core_x86_64.txt
• modified: toolkit/resources/manifests/package/toolchain_aarch64.txt
• modified: toolkit/resources/manifests/package/toolchain_x86_64.txt

Does this affect the toolchain?

NO

Associated issues

• #xxxx

Links to CVEs

• https://nvd.nist.gov/vuln/detail/CVE-2025-1795

Test Methodology

• Pipeline build id: xxxx

[dmcilvaney]

https://github.com/microsoft/azurelinux/tree/2.0/toolkit/resources/manifests/package these manifests also need updating for toolchain packages. The PR check should list the expected changes.

[v-smalavathu]

https://github.com/microsoft/azurelinux/tree/2.0/toolkit/resources/manifests/package these manifests also need updating for toolchain packages. The PR check should list the expected changes.

I didn't change these manifests though this PR. Just I checked out stable version of toolchain, using the following command

"git checkout -f 2.0-stable -- resources/manifests"
-Thanks

[dmcilvaney]

The manifest files track which packages we use as our toolchain. Python is one of those packages, so the manifests need to match the new version-release in the .spec file.

When you do git checkout -f 2.0-stable -- resources/manifests it resets the toolchain to use the stable release, but since you are working with python (which is part of those manifests), the final PR will need to change those files as well.

[v-smalavathu]

The manifest files track which packages we use as our toolchain. Python is one of those packages, so the manifests need to match the new version-release in the .spec file.

When you do git checkout -f 2.0-stable -- resources/manifests it resets the toolchain to use the stable release, but since you are working with python (which is part of those manifests), the final PR will need to change those files as well.

Yes, Fixed,
Uploaded new changes.
-Thanks

[Kanishk-Bansal]

Kindly resolve merge conflicts

[v-smalavathu]

fyi

Did rebase on this PR.
-Thanks

[Kanishk-Bansal]

/azurepipelines run

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[dmcilvaney]

These versions shouldn't be rolled back, merge/rebase may have gone wrong?

[v-smalavathu]

Updated with latest manifest files.

[Kanishk-Bansal]

/azurepipelines run

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[Kanishk-Bansal]

/azurepipelines run

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[Kanishk-Bansal]

• Buddy Build
• Patch getting applied during the build in rpm.log : Yes
• test failures (if any) : NO
• Upstream Patch Reference is there in the Patch : Yes
• Has security tag : Yes