Release date:
2026-06-05 15:19:50 UTC
Description:
* SECURITY UPDATE: zipfile did not validate the ZIP64 End-of-Central-
Directory Locator relative-offset, assuming the EOCD64 record sat
immediately before the locator, allowing ambiguous-parsing ZIP
archives (parser confusion vs. other ZIP tools).
- debian/patches/CVE-2025-8291.patch: backport of cpython
d11e69d620 (gh-139700, PSF-2025-12). Validates the locator offset
and raises BadZipFile when it disagrees.
- CVE-2025-8291
* SECURITY UPDATE: tarfile applied the V7 AREGTYPE -> DIRTYPE
normalization in frombuf() even when the header was a sub-block of
a multi-block GNUTYPE_LONGNAME/LONGLINK member, causing parser
confusion.
- debian/patches/CVE-2025-13462.patch: backport of cpython
42d754e34c (gh-141707). Skips the normalization on continuation
blocks (dircheck=False on follow-up headers in _proc_gnulong and
_proc_pax).
- CVE-2025-13462
* SECURITY UPDATE: wsgiref.headers.Headers did not reject control
characters in header names/values, allowing HTTP header injection.
- debian/patches/CVE-2026-0865.patch: backport of cpython
22e4d55285 (gh-143916, initial reject of [\x00-\x1F\x7F] in
_convert_string_type) plus follow-up 83ecd18779 (gh-144762,
relax to allow HTAB \x09 in header values per RFC 9110). The
merged patch splits the regex into _name_disallowed_re and
_value_disallowed_re and threads a `name` keyword through
_convert_string_type call sites.
- CVE-2026-0865
* SECURITY UPDATE: http.client.HTTPConnection did not sanitize CR/LF
in the proxy CONNECT tunnel host or in set_tunnel() headers,
enabling request/header splitting.
- debian/patches/CVE-2026-1502.patch: backport of cpython
b1cf901633 (gh-146211). Applies _is_legal_header_name/
_is_illegal_header_value and control-char checks in
_tunnel()/set_tunnel().
- CVE-2026-1502
* SECURITY UPDATE: http.cookies.Morsel.js_output() emitted the cookie
value inside a <script> element while only escaping `"`, so a value
containing </script> could break out of the script element (XSS).
- debian/patches/CVE-2026-6019.patch: backport of cpython
76b3923d68 (gh-90309). Base64-encodes the embedded cookie value;
composes with the existing CVE-2026-3644 patch on the same
function.
- CVE-2026-6019
* SECURITY UPDATE: ftplib.ftpcp() called parse227() directly and
passed the attacker-controllable PASV host/port to target.sendport()
(SSRF). The CVE-2021-4189 PASV fix had been applied to makepasv()
but not ftpcp().
- debian/patches/CVE-2026-8328.patch: backport of cpython
eac4fe3b2c (gh-87451). Mirrors the getpeername() /
trust_server_pasv_ipv4_address logic in ftpcp().
- CVE-2026-8328
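As an added illustration of the zipfile entry above (not the CPython patch itself, nor code shipped in this package), the following Python shows the consistency check the fix introduces: the EOCD64 record is read from immediately before the locator, and the locator's own relative-offset field must agree with that position or the archive is rejected. The BadZipTail class, the tail builder and the constructed entry-less sample are this example's own.

```python
import struct

# Signatures and fixed sizes of the three trailing ZIP structures (APPNOTE 4.3.14-4.3.16).
EOCD_SIG = b"PK\x05\x06"     # End of Central Directory record (22 bytes + comment)
LOCATOR_SIG = b"PK\x06\x07"  # ZIP64 EOCD Locator (20 bytes)
EOCD64_SIG = b"PK\x06\x06"   # ZIP64 EOCD record (56-byte fixed part)
SIZE_EOCD, SIZE_LOCATOR, SIZE_EOCD64 = 22, 20, 56

class BadZipTail(ValueError):
    """Stands in for zipfile.BadZipFile in this example."""

def check_zip64_locator(data: bytes) -> int:
    """Return the EOCD64 offset, or raise BadZipTail if the tail is inconsistent.
    The record is read from immediately before the locator (the layout the old code
    assumed); the locator's relative-offset field must name that same position."""
    eocd_off = data.rfind(EOCD_SIG)  # the sample carries no archive comment
    if eocd_off < 0 or len(data) - eocd_off < SIZE_EOCD:
        raise BadZipTail("no End of Central Directory record")
    loc_off = eocd_off - SIZE_LOCATOR
    if loc_off < 0 or data[loc_off:loc_off + 4] != LOCATOR_SIG:
        raise BadZipTail("no ZIP64 locator immediately before the EOCD")
    _, disk_with_eocd64, reloff, total_disks = struct.unpack(
        "<4sIQI", data[loc_off:loc_off + SIZE_LOCATOR])
    if disk_with_eocd64 != 0 or total_disks > 1:
        raise BadZipTail("multi-disk archives are not supported")
    expected = loc_off - SIZE_EOCD64
    if expected < 0 or data[expected:expected + 4] != EOCD64_SIG:
        raise BadZipTail("no EOCD64 record immediately before the locator")
    if reloff != expected:  # two parsers could otherwise pick different records
        raise BadZipTail(f"locator claims EOCD64 at {reloff}, record found at {expected}")
    return expected

def build_zip64_tail(prefix: bytes = b"\0" * 16, locator_reloff: int = -1) -> bytes:
    """Constructed sample: an entry-less ZIP64 tail after a dummy body `prefix`.
    A non-negative `locator_reloff` overrides the offset the locator advertises."""
    eocd64_off = len(prefix)
    eocd64 = struct.pack("<4sQHHIIQQQQ", EOCD64_SIG, 44, 45, 45, 0, 0, 0, 0, 0, eocd64_off)
    reloff = eocd64_off if locator_reloff < 0 else locator_reloff
    locator = struct.pack("<4sIQI", LOCATOR_SIG, 0, reloff, 1)
    eocd = struct.pack("<4sHHHHIIH", EOCD_SIG, 0, 0, 0xFFFF, 0xFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0)
    return prefix + eocd64 + locator + eocd

def locator_is_consistent(data: bytes) -> bool:
    """True when check_zip64_locator accepts the tail, False when it raises."""
    try:
        check_zip64_locator(data)
    except BadZipTail:
        return False
    return True
```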
Updated packages:
- alt-python38_3.8.20-19_amd64.deb sha:ba7111a6f8c583b600454fd1a34f9b130adfd62f
- alt-python38-debug_3.8.20-19_amd64.deb sha:2e655737690309d3ce507fd25aa19a15681626c4
- alt-python38-devel_3.8.20-19_amd64.deb sha:818a72495933a41a4443ccd0da9b1e97c69f41bb
- alt-python38-idle_3.8.20-19_amd64.deb sha:d40aa675c000be0ab8112067a11d81dec235b1d5
- alt-python38-libs_3.8.20-19_amd64.deb sha:fa0df688f6fb31bda7d4bbf63e37a26f368c413f
- alt-python38-test_3.8.20-19_amd64.deb sha:a2411ed4108ce1fcb2d5d164316ac0f8cde49336
- alt-python38-tkinter_3.8.20-19_amd64.deb sha:07759c59b2e3aa08fdc4f1f8f5e4b0adcabd9b01
- alt-python38_3.8.20-19_arm64.deb sha:b8240e8cacf1873f99658b771fff4e95f3ba7c5d
- alt-python38-debug_3.8.20-19_arm64.deb sha:7407d89670e4a550cfe4fe928f7733d87b5d7575
- alt-python38-devel_3.8.20-19_arm64.deb sha:775bacb0b16db52ade7879ba439a106dfb58d06f
- alt-python38-idle_3.8.20-19_arm64.deb sha:da1d968d843c0a1073ea38b6846e2af2c0969e21
- alt-python38-libs_3.8.20-19_arm64.deb sha:63979e5d2c8764b82e3b4b99fc16df872eb35331
- alt-python38-test_3.8.20-19_arm64.deb sha:ab8865e75d8de51e48932f681fa84c88ed7e8a68
- alt-python38-tkinter_3.8.20-19_arm64.deb sha:97949fa82e0e34a040559f4e714c8068dd50be09
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.