[CLSA-2026:1780409071] Fix of 8 CVEs
Type:
security
Severity:
Moderate
Release date:
2026-06-02 14:05:13 UTC
Description:
* SECURITY UPDATE: tarfile normalized AREGTYPE blocks to DIRTYPE while processing GNU long name/link follow-up headers, allowing a crafted tar archive to be misinterpreted.
  - debian/patches/CVE-2025-13462.patch: backport of cpython 42d754e34c (gh-141707). Skip DIRTYPE normalization on follow-up headers via a dircheck flag.
  - CVE-2025-13462
* SECURITY UPDATE: wsgiref.headers.Headers accepted C0 control characters in header names, values and parameters, enabling response splitting.
  - debian/patches/CVE-2026-0865.patch: backport of cpython f7fceed79c (gh-143916) plus the HTAB follow-up. Reject control characters; HTAB remains allowed in values but not names.
  - CVE-2026-0865
* SECURITY UPDATE: http.client did not reject CR/LF in HTTP tunnel (CONNECT) request headers set via HTTPConnection.set_tunnel().
  - debian/patches/CVE-2026-1502.patch: backport of cpython 05ed7ce7ae (gh-146211). Validate the tunnel host and per-header name/value.
  - CVE-2026-1502
* SECURITY UPDATE: http.cookies Morsel.js_output() emitted cookie values into a document.cookie assignment using only quote-escaping, allowing a breakout / JavaScript injection.
  - debian/patches/CVE-2026-6019.patch: backport of cpython 76b3923d68 (gh-90309). Base64-encode the value and wrap it in atob().
  - CVE-2026-6019
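An added example, not part of the advisory or of the CPython/CloudLinux code: a post-update probe that checks whether the running interpreter shows the wsgiref and http.cookies behaviour described in the entries for CVE-2026-0865 and CVE-2026-6019. The function names and probe strings are constructed for illustration, and it assumes the patched wsgiref signals rejection with ValueError.

```python
"""Post-update probe: does this interpreter behave as the advisory describes?"""
import sys
from http.cookies import SimpleCookie
from wsgiref.headers import Headers

# Constructed probe strings (not from the advisory).
CRLF_VALUE = "ok\r\nX-Probe-Injected: 1"   # CR/LF inside a header value
HTAB_NAME = "X-Pro\tbe"                    # HTAB inside a header name
HTAB_VALUE = "a\tb"                        # HTAB inside a header value


def _accepts(headers_cls, name, value):
    """True if headers_cls stores the pair, False if it raises ValueError
    (assumption: ValueError is what the patched code raises)."""
    try:
        headers_cls()[name] = value
    except ValueError:
        return False
    return True


def wsgiref_status(headers_cls=Headers):
    """CVE-2026-0865: control characters rejected, HTAB allowed in values only."""
    return {
        "rejects_crlf_in_value": not _accepts(headers_cls, "X-Probe", CRLF_VALUE),
        "rejects_htab_in_name": not _accepts(headers_cls, HTAB_NAME, "v"),
        "allows_htab_in_value": _accepts(headers_cls, "X-Probe", HTAB_VALUE),
    }


def js_output_uses_atob(cookie_cls=SimpleCookie):
    """CVE-2026-6019: patched js_output() wraps the Base64 value in atob()."""
    jar = cookie_cls()
    jar["probe"] = "value"
    return "atob(" in jar["probe"].js_output()


def main():
    results = dict(wsgiref_status(), js_output_uses_atob=js_output_uses_atob())
    for check, ok in results.items():
        print(f"{'PASS' if ok else 'FAIL'}  {check}")
    return 0 if all(results.values()) else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it with the interpreter installed by the updated package; a non-zero exit status means at least one check did not match the patched behaviour.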
Updated packages:
  • alt-python39_3.9.23-17_amd64.deb
    sha:970f5f4840aa6979c0acdf28c2bf81cc61905359
  • alt-python39-debug_3.9.23-17_amd64.deb
    sha:54a91f097d23298503bccd71d65a9728f8f673ce
  • alt-python39-devel_3.9.23-17_amd64.deb
    sha:976dd3e108f3af941133b05d71f34f16bf898ace
  • alt-python39-idle_3.9.23-17_amd64.deb
    sha:9c77a3a1b3d055b3e7b08800c4571ce9a4bf42a2
  • alt-python39-libs_3.9.23-17_amd64.deb
    sha:fe3fe0e3722fb3d7e04bbd699d97b9d953267523
  • alt-python39-test_3.9.23-17_amd64.deb
    sha:fb5e026cf821dccad2122057b3d8c0ead94b27fb
  • alt-python39-tkinter_3.9.23-17_amd64.deb
    sha:e16938727de01630953027bac7808d2a98f0097d
  • alt-python39_3.9.23-17_arm64.deb
    sha:7fcd63d26c5b6545cb0ff25a60bde79bcbc0c5da
  • alt-python39-debug_3.9.23-17_arm64.deb
    sha:1d3cf6247bd8fdc0969772b581db878359988e9c
  • alt-python39-devel_3.9.23-17_arm64.deb
    sha:a51d96931a80c34ad9d8ae123fe41246bd8489bf
  • alt-python39-idle_3.9.23-17_arm64.deb
    sha:f89b0fe5618e1b09b7c03ff420b713dd30b3df70
  • alt-python39-libs_3.9.23-17_arm64.deb
    sha:9a470adc38abf41d98041120eed263262a983cac
  • alt-python39-test_3.9.23-17_arm64.deb
    sha:6778c1ba43910adb190985bfac5d12a4badac18c
  • alt-python39-tkinter_3.9.23-17_arm64.deb
    sha:d1babcecaffca66841f8d0eebf400511197e1865
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.