Release date:
2026-06-03 17:25:51 UTC
Description:
* SECURITY UPDATE: rework the CVE-2026-7210 fix so the XML_SetHashSalt16Bytes code path is no longer inert when the linked libexpat does not bump XML_COMBINED_VERSION to 2.8.0 (Alpine system libexpat).
  - debian/patches/CVE-2026-7210.patch: rewritten. Declares XML_SetHashSalt16Bytes as __attribute__((weak)) at the top of Modules/pyexpat.c and replaces the compile-time XML_COMBINED_VERSION / XML_HAS_SET_HASH_SALT_16_BYTES gate with a single runtime "if (... != NULL)" check at every call site (newxmlparseobject in pyexpat.c, the pyexpat C-API capsule init, and _elementtree.c). RPM / Debian builds keep 16-byte mitigation via bundled libexpat 2.5.0 + CVE-2026-41080; Alpine activates the 16-byte path automatically the moment the system libexpat ships the entropy fix; libexpat without the symbol falls back to the legacy 8-byte XML_SetHashSalt path (no regression).
  - CVE-2026-41080.patch is unchanged.
  - CVE-2026-7210
* SECURITY UPDATE: urllib.parse.urlsplit / urlparse accepted bracketed hosts that were not valid IPv6 / IPvFuture, enabling SSRF and parser-differential attacks.
  - debian/patches/CVE-2024-11168.patch: backport of cpython 3.11 b2171a2 (gh-103848, Seth Larson).
  - CVE-2024-11168
* SECURITY UPDATE: bundled libexpat 2.5.0 crashes in XML_ResumeParser when XML_StopParser is called on an unstarted parser (NULL deref).
  - debian/patches/CVE-2024-50602.patch: backport of libexpat 51c70190 (PR #915). Alpine builds use system expat (--with-system-expat) so this hardening affects only the bundled-expat path used by RPM/Debian builds.
  - CVE-2024-50602
* SECURITY UPDATE: urllib.parse.urlsplit / urlparse continued to accept domain names containing square brackets after the CVE-2024-11168 fix; follow-up that completes the validation.
  - debian/patches/CVE-2025-0938.patch: backport of cpython 3.10 b8b4b71 (gh-105704).
  - CVE-2025-0938
* SECURITY UPDATE: bytes.decode("unicode_escape", errors="ignore" or "replace") could trigger a use-after-free when the error handler reallocated the input buffer.
  - debian/patches/CVE-2025-4516.patch: backport of cpython 3.9 8d35fd1b (gh-129648, Serhiy Storchaka). Captures the initial starts pointer and only stores *first_invalid_escape when starts == initial_starts.
  - CVE-2025-4516
* SECURITY UPDATE: ftplib.ftpcp() was not updated when CVE-2021-4189 was fixed; it still passed raw server-supplied PASV host / port to target.sendport().
  - debian/patches/CVE-2026-8328.patch: backport of cpython eac4fe3b (gh-87451, PR #149648). Applies the CVE-2021-4189 hardening to ftpcp() using source.sock.getpeername()[0] unless trust_server_pasv_ipv4_address is set.
  - CVE-2026-8328
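The two urllib.parse entries above (CVE-2024-11168 and CVE-2025-0938) describe the validation a patched urlsplit applies to square brackets in the network location: brackets may only enclose an IPv6 or IPvFuture literal, and only in the host position. The following is an added example, not CPython's code or this package's patch: a stand-alone re-implementation of that check (the function names and the IPvFuture regex are my own) plus a probe that reports whether the running interpreter's urlsplit agrees with it on constructed sample netlocs.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# IPvFuture (RFC 3986): "v" HEXDIG+ "." (unreserved / sub-delims / ":")+
_IPVFUTURE = re.compile(r"\Av[0-9a-fA-F]+\.[A-Za-z0-9\-._~!$&'()*+,;=:]+\Z")

def check_bracketed_netloc(netloc: str) -> None:
    """Raise ValueError unless any square brackets in netloc enclose a
    valid IPv6 or IPvFuture literal sitting in the host position."""
    if ("[" in netloc) != ("]" in netloc):
        raise ValueError("unbalanced brackets in netloc")
    if "[" not in netloc:
        return                                  # plain hostname: nothing to check
    hostinfo = netloc.rpartition("@")[2]        # strip userinfo
    before, _, rest = hostinfo.partition("[")
    if before:                                  # e.g. "exa[mple].com"
        raise ValueError("data before '[' in host")
    host, _, after = rest.partition("]")
    if after and not after.startswith(":"):     # only ":port" may follow ']'
        raise ValueError("data after ']' that is not a port")
    if "[" in after or "]" in after:
        raise ValueError("stray brackets after host")
    if host.startswith("v") and _IPVFUTURE.match(host):
        return                                  # well-formed IPvFuture literal
    ip = ipaddress.ip_address(host)             # ValueError if not an IP literal
    if not isinstance(ip, ipaddress.IPv6Address):
        raise ValueError("bracketed host must be IPv6 or IPvFuture")

def is_valid_netloc(netloc: str) -> bool:
    try:
        check_bracketed_netloc(netloc)
    except ValueError:
        return False
    return True

def interpreter_rejects(url: str) -> bool:  # does this Python's urlsplit() raise?
    try:
        urlsplit(url)
    except ValueError:
        return True
    return False

# Constructed samples: forms the unpatched parser accepted (False) beside
# IPv6 / IPvFuture literals and plain hosts that must keep working (True).
SAMPLES = {"[::1]:8080": True, "u:p@[2001:db8::1]": True, "[v1.fe80::a+en1]": True,
           "[127.0.0.1]": False, "[exa]mple.com": False, "exa[mple].com": False,
           "[::1": False, "example.com:443": True}

def audit_interpreter() -> list:  # sample netlocs where urlsplit() disagrees
    return [n for n, ok in SAMPLES.items() if interpreter_rejects(f"http://{n}/") == ok]
```

An empty list from audit_interpreter() means the interpreter in use rejects every bracket form the reference check rejects; a non-empty list names the netlocs on which it still differs.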
Updated packages:
- alt-python37_3.7.17-21_amd64.deb sha:d2600c086ba54bb87fde9090d81d520e6a04bb41
- alt-python37-debug_3.7.17-21_amd64.deb sha:da8411c9782dbbdf34de4f900ea1aae0e2b1ee93
- alt-python37-devel_3.7.17-21_amd64.deb sha:939b5780ee911582872f233d1cdcf6d12e9be652
- alt-python37-libs_3.7.17-21_amd64.deb sha:85ee76fa998df77e4bc3d96749053d5a7bc64cd6
- alt-python37-test_3.7.17-21_amd64.deb sha:38ed09ebc6d40f9ccdd83e9604dbdff9a36bc788
- alt-python37-tkinter_3.7.17-21_amd64.deb sha:4c9c3aede822e3d550aa34457c28d7c2379d37bc
- alt-python37-tools_3.7.17-21_amd64.deb sha:566496782f593211915519e44d4ae04afeade2c6
- alt-python37_3.7.17-21_arm64.deb sha:87317b481c4e9a00260b91e355755b8114eaad20
- alt-python37-debug_3.7.17-21_arm64.deb sha:d772905195e14ea5068a40deffdfd0819cc49419
- alt-python37-devel_3.7.17-21_arm64.deb sha:60fc378581d782512f77efe5e5e46f8842530e15
- alt-python37-libs_3.7.17-21_arm64.deb sha:cfba2077d1059beec89c82d3242d733405673c11
- alt-python37-test_3.7.17-21_arm64.deb sha:46e6df9aef44be4cc12b93793b1ed79f5f071ed1
- alt-python37-tkinter_3.7.17-21_arm64.deb sha:f097a6c2847b1e1f087da17146753c51a123f9c8
- alt-python37-tools_3.7.17-21_arm64.deb sha:e7a064077ce12ab7d15defc3246fa08d686248c0
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.