[CLSA-2026:1780311862] Fix CVE(s): CVE-2026-7210
Type:
security
Severity:
Critical
Release date:
2026-06-01 11:04:34 UTC
Description:
* SECURITY UPDATE: xml.parsers.expat / xml.etree.ElementTree used insufficient entropy for libexpat hash-flooding protection, allowing a crafted XML document to trigger hash collisions. Mitigation requires both libexpat 2.8.0+ (or a distro-backported equivalent that exports XML_SetHashSalt16Bytes) and a Python-side patch to seed the parser with the new 16-byte salt API.
  - debian/patches/CVE-2026-7210.patch: backport of cpython 24b8f12544 (gh-149018, Stan Ulbrych). pyexpat and _elementtree call XML_SetHashSalt16Bytes with _Py_HashSecret.expat.hashsalt16 (16 bytes of entropy); legacy XML_SetHashSalt remains as the fallback when the loaded libexpat does not export the new symbol. The symbol is declared __attribute__((weak)) in Modules/pyexpat.c so the same source path works whether the build links against bundled libexpat 2.8.0+ or a distro libexpat 2.5/2.7 that backports the entropy fix without bumping XML_COMBINED_VERSION (Debian, Ubuntu, RHEL/CL, Alpine). Extends the PyExpat CAPI with a nullable SetHashSalt16Bytes slot populated from the weak reference.
  - CVE-2026-7210
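Because a distro libexpat can carry the entropy fix without a version bump, checking a host means looking for the exported symbol in the library the interpreter actually loaded, not at the version string. The following is an added example, not part of the advisory or the CloudLinux patch; it assumes Linux (`/proc/self/maps`) and a pyexpat that links a shared libexpat, and its function names and sample data are illustrative.

```python
import ctypes
import re

# Symbol name taken from the advisory text; everything else is illustrative.
SALT16_SYMBOL = "XML_SetHashSalt16Bytes"


def loaded_libexpat_paths(maps_text):
    """Return the libexpat shared objects named in /proc/<pid>/maps content."""
    paths = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)  # addr perms offset dev inode pathname
        if len(fields) == 6 and re.search(r"/libexpat\.so[^/]*$", fields[5]):
            paths.add(fields[5].strip())
    return sorted(paths)


def exports_symbol(lib_path, symbol=SALT16_SYMBOL):
    """True/False if the library exports symbol, None if it cannot be loaded
    (for example a mapping marked "(deleted)" after a package upgrade)."""
    try:
        lib = ctypes.CDLL(lib_path)
    except OSError:
        return None
    return hasattr(lib, symbol)


def check_interpreter():
    """Linux only: report the libexpat files mapped into this interpreter."""
    import pyexpat  # forces the extension, and any shared libexpat, to load
    with open("/proc/self/maps") as fh:
        paths = loaded_libexpat_paths(fh.read())
    # An empty "libexpat" dict means no shared libexpat is mapped (expat was
    # built into the extension); this check does not cover that case.
    return {"expat_version": pyexpat.EXPAT_VERSION,
            "libexpat": {p: exports_symbol(p) for p in paths}}


# Constructed sample of /proc/self/maps content, for illustration only.
SAMPLE_MAPS = """\
7f10a0000000-7f10a0020000 r--p 00000000 08:01 1234 /usr/lib/x86_64-linux-gnu/libexpat.so.1.8.10
7f10a0020000-7f10a0040000 r-xp 00020000 08:01 1234 /usr/lib/x86_64-linux-gnu/libexpat.so.1.8.10
7f10a1000000-7f10a1200000 r-xp 00000000 08:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
7f10a2000000-7f10a2021000 rw-p 00000000 00:00 0 [heap]
"""

if __name__ == "__main__":
    print(check_interpreter())
```

A `False` for a mapped libexpat means the patched interpreter falls back to the legacy `XML_SetHashSalt` path described above; a `None` usually means the process is still running a library file that has since been replaced on disk and needs a restart.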
CVEs fixed:
Updated packages:
  • alt-python39_3.9.23-15_amd64.deb
    sha:c67f26425c9da79b22a36d10c42f3e2e27e21939
  • alt-python39-debug_3.9.23-15_amd64.deb
    sha:416b5c59a4e67685e7c2b2d07dc097bb31b15dcd
  • alt-python39-devel_3.9.23-15_amd64.deb
    sha:bd728c575647b9f3cc286d47a678554242846792
  • alt-python39-idle_3.9.23-15_amd64.deb
    sha:2aa4284209b1b94796f6c7ae037013f2508ca2dd
  • alt-python39-libs_3.9.23-15_amd64.deb
    sha:b7845a18632563cb8f586578570a0ac25f9a4043
  • alt-python39-test_3.9.23-15_amd64.deb
    sha:e5bc1d0d9d73c49da478852f897e7e68cb4af247
  • alt-python39-tkinter_3.9.23-15_amd64.deb
    sha:4d8f2f80782576ff2cb355b660ebdf0189232363
  • alt-python39_3.9.23-15_arm64.deb
    sha:e06098dfebe1961dae10cf12b3db60ecd1fdbbbd
  • alt-python39-debug_3.9.23-15_arm64.deb
    sha:86a6b0d1dc0201241e874e27d8c1eca340b838e7
  • alt-python39-devel_3.9.23-15_arm64.deb
    sha:ba4cbcb0e5a04f1e948d635b78f0fda8f3bbed48
  • alt-python39-idle_3.9.23-15_arm64.deb
    sha:d8c61a41c01c53889153b1e6a807014256453f6f
  • alt-python39-libs_3.9.23-15_arm64.deb
    sha:5b6b0cfe8a11c1ab6230a202737bcf53902c3839
  • alt-python39-test_3.9.23-15_arm64.deb
    sha:88f48e47736f4c59738858d6934a65bc98136735
  • alt-python39-tkinter_3.9.23-15_arm64.deb
    sha:a60dad82e3c399c801d1ea167a94d0d9dd795a52
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.