{ "document": { "aggregate_severity": { "text": "Critical" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "TuxCare License Agreement", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.", "title": "Terms of Use" }, { "category": "details", "text": "Commit: ee1b7da4045d07f00d132bfdfea43a9635886e18-dirty", "title": "Details" } ], "publisher": { "category": "vendor", "contact_details": "https://tuxcare.com/contact/", "name": "TuxCare", "namespace": "https://tuxcare.com/" }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://security.tuxcare.com/csaf/v2/els_alt_python/alpinelinux3.22/advisories/2026/clsa-2026_1770316296.json" }, { "category": "self", "summary": "https://cve.tuxcare.com/els-alt-python/releases/CLSA-2026:1770316296", "url": "https://cve.tuxcare.com/els-alt-python/releases/CLSA-2026:1770316296" } ], "tracking": { "current_release_date": "2026-02-06T13:40:54Z", "generator": { "date": "2026-02-06T13:40:54Z", "engine": { "name": "pyCSAF" } }, "id": "CLSA-2026:1770316296", "initial_release_date": "2026-02-05T18:31:38Z", "revision_history": [ { "date": "2026-02-05T18:31:38Z", "number": "1", "summary": "Initial version" }, { "date": "2026-02-06T13:40:54Z", "number": "2", "summary": "Official Publication" } ], "status": "final", "version": "2" }, "title": "Update of alt-python38-wheel" }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Alpine Linux 3.22", "product": { "name": "Alpine Linux 3.22", "product_id": "Alpine-Linux-3.22", "product_identification_helper": { "cpe": "cpe:2.3:o:alpinelinux:alpine_linux:3.22:*:*:*:*:*:*:*" } } } ], "category": "product_family", "name": "Alpine Linux" } ], "category": "vendor", "name": "Alpine Linux" }, { "branches": [ { "branches": [ { "category": "product_version", "name": "alt-python38-wheel-0.37.1-rr1.aarch64", "product": { "name": "alt-python38-wheel-0.37.1-rr1.aarch64", "product_id": "alt-python38-wheel-0.37.1-rr1.aarch64", "product_identification_helper": { "purl": "pkg:apk/tuxcare/alt-python38-wheel@0.37.1-rr1?arch=aarch64&os_name=alpine&os_version=3.22" } } }, { "category": "product_version", "name": "alt-python38-wheel-wheel-0.37.1-rr1.aarch64", "product": { "name": "alt-python38-wheel-wheel-0.37.1-rr1.aarch64", "product_id": "alt-python38-wheel-wheel-0.37.1-rr1.aarch64", "product_identification_helper": { "purl": "pkg:apk/tuxcare/alt-python38-wheel-wheel@0.37.1-rr1?arch=aarch64&os_name=alpine&os_version=3.22" } } } ], "category": "architecture", "name": "aarch64" }, { "branches": [ { "category": "product_version", "name": "alt-python38-wheel-0.37.1-rr1.x86_64", "product": { "name": "alt-python38-wheel-0.37.1-rr1.x86_64", "product_id": "alt-python38-wheel-0.37.1-rr1.x86_64", "product_identification_helper": { "purl": "pkg:apk/tuxcare/alt-python38-wheel@0.37.1-rr1?arch=x86_64&os_name=alpine&os_version=3.22" } } }, { "category": "product_version", "name": "alt-python38-wheel-wheel-0.37.1-rr1.x86_64", "product": { "name": "alt-python38-wheel-wheel-0.37.1-rr1.x86_64", "product_id": "alt-python38-wheel-wheel-0.37.1-rr1.x86_64", "product_identification_helper": { "purl": "pkg:apk/tuxcare/alt-python38-wheel-wheel@0.37.1-rr1?arch=x86_64&os_name=alpine&os_version=3.22" } } } ], "category": "architecture", "name": "x86_64" } ], "category": "vendor", "name": "TuxCare" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "alt-python38-wheel-0.37.1-rr1.aarch64 as a component of Alpine Linux 3.22", "product_id": "Alpine-Linux-3.22:alt-python38-wheel-0.37.1-rr1.aarch64" }, "product_reference": "alt-python38-wheel-0.37.1-rr1.aarch64", "relates_to_product_reference": "Alpine-Linux-3.22" }, { "category": "default_component_of", "full_product_name": { "name": "alt-python38-wheel-0.37.1-rr1.x86_64 as a component of Alpine Linux 3.22", "product_id": "Alpine-Linux-3.22:alt-python38-wheel-0.37.1-rr1.x86_64" }, "product_reference": "alt-python38-wheel-0.37.1-rr1.x86_64", "relates_to_product_reference": "Alpine-Linux-3.22" }, { "category": "default_component_of", "full_product_name": { "name": "alt-python38-wheel-wheel-0.37.1-rr1.aarch64 as a component of Alpine Linux 3.22", "product_id": "Alpine-Linux-3.22:alt-python38-wheel-wheel-0.37.1-rr1.aarch64" }, "product_reference": "alt-python38-wheel-wheel-0.37.1-rr1.aarch64", "relates_to_product_reference": "Alpine-Linux-3.22" }, { "category": "default_component_of", "full_product_name": { "name": "alt-python38-wheel-wheel-0.37.1-rr1.x86_64 as a component of Alpine Linux 3.22", "product_id": "Alpine-Linux-3.22:alt-python38-wheel-wheel-0.37.1-rr1.x86_64" }, "product_reference": "alt-python38-wheel-wheel-0.37.1-rr1.x86_64", "relates_to_product_reference": "Alpine-Linux-3.22" } ] }, "vulnerabilities": [ { "cve": "CVE-2025-12084", "cwe": { "id": "CWE-407", "name": "Inefficient Algorithmic Complexity" }, "notes": [ { "category": "description", "text": "When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Alpine-Linux-3.22:alt-python38-wheel-0.37.1-rr1.aarch64", "Alpine-Linux-3.22:alt-python38-wheel-0.37.1-rr1.x86_64", "Alpine-Linux-3.22:alt-python38-wheel-wheel-0.37.1-rr1.aarch64", "Alpine-Linux-3.22:alt-python38-wheel-wheel-0.37.1-rr1.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els-alt-python/cve/CVE-2025-12084" }, { "category": "external", "summary": "https://github.com/python/cpython/commit/027f21e417b26eed4505ac2db101a4352b7c51a0", "url": "https://github.com/python/cpython/commit/027f21e417b26eed4505ac2db101a4352b7c51a0" }, { "category": "external", "summary": "https://github.com/python/cpython/commit/08d8e18ad81cd45bc4a27d6da478b51ea49486e4", "url": "https://github.com/python/cpython/commit/08d8e18ad81cd45bc4a27d6da478b51ea49486e4" }, { "category": "external", "summary": "https://github.com/python/cpython/commit/27648a1818749ef44c420afe6173af6868715437", "url": "https://github.com/python/cpython/commit/27648a1818749ef44c420afe6173af6868715437" }, { "category": "external", "summary": "https://github.com/python/cpython/commit/41f468786762348960486c166833a218a0a436af", "url": "https://github.com/python/cpython/commit/41f468786762348960486c166833a218a0a436af" }, { "category": "external", "summary": "https://github.com/python/cpython/commit/57937a8e5e293f0dcba5115f7b7a11b1e0c9a273", "url": "https://github.com/python/cpython/commit/57937a8e5e293f0dcba5115f7b7a11b1e0c9a273" }, { "category": "external", "summary": "https://github.com/python/cpython/commit/8d2d7bb2e754f8649a68ce4116271a4932f76907", "url": "https://github.com/python/cpython/commit/8d2d7bb2e754f8649a68ce4116271a4932f76907" }, { "category": "external", "summary": "https://github.com/python/cpython/commit/9c9dda6625a2a90d2a06c657eee021d6be19842d", "url": "https://github.com/python/cpython/commit/9c9dda6625a2a90d2a06c657eee021d6be19842d" }, { "category": "external", "summary": "https://github.com/python/cpython/commit/a46c10ec9d4050ab67b8a932e0859a2ea60c3cb8", "url": "https://github.com/python/cpython/commit/a46c10ec9d4050ab67b8a932e0859a2ea60c3cb8" }, { "category": "external", "summary": "https://github.com/python/cpython/commit/a696ba8b4d42fd632afc9bc88ad830a2e4cceed8", "url": "https://github.com/python/cpython/commit/a696ba8b4d42fd632afc9bc88ad830a2e4cceed8" }, { "category": "external", "summary": "https://github.com/python/cpython/commit/c97e87593063d84a2bd9fe7068b30eb44de23dc0", "url": "https://github.com/python/cpython/commit/c97e87593063d84a2bd9fe7068b30eb44de23dc0" }, { "category": "external", "summary": "https://github.com/python/cpython/commit/ddcd2acd85d891a53e281c773b3093f9db953964", "url": "https://github.com/python/cpython/commit/ddcd2acd85d891a53e281c773b3093f9db953964" }, { "category": "external", "summary": "https://github.com/python/cpython/commit/e91c11449cad34bac3ea55ee09ca557691d92b53", "url": "https://github.com/python/cpython/commit/e91c11449cad34bac3ea55ee09ca557691d92b53" }, { "category": "external", "summary": "https://github.com/python/cpython/issues/142145", "url": "https://github.com/python/cpython/issues/142145" }, { "category": "external", "summary": "https://github.com/python/cpython/pull/142146", "url": "https://github.com/python/cpython/pull/142146" } ], "release_date": "2025-12-03T19:15:00Z", "remediations": [ { "category": "vendor_fix", "date": "2026-02-05T18:31:38.689202Z", "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els-alt-python/releases/CLSA-2026:1770316296", "product_ids": [ "Alpine-Linux-3.22:alt-python38-wheel-0.37.1-rr1.aarch64", "Alpine-Linux-3.22:alt-python38-wheel-0.37.1-rr1.x86_64", "Alpine-Linux-3.22:alt-python38-wheel-wheel-0.37.1-rr1.aarch64", "Alpine-Linux-3.22:alt-python38-wheel-wheel-0.37.1-rr1.x86_64" ], "url": "https://cve.tuxcare.com/els-alt-python/releases/CLSA-2026:1770316296" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "products": [ "Alpine-Linux-3.22:alt-python38-wheel-0.37.1-rr1.aarch64", "Alpine-Linux-3.22:alt-python38-wheel-0.37.1-rr1.x86_64", "Alpine-Linux-3.22:alt-python38-wheel-wheel-0.37.1-rr1.aarch64", "Alpine-Linux-3.22:alt-python38-wheel-wheel-0.37.1-rr1.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ] }, { "cve": "CVE-2024-9287", "cwe": { "id": "CWE-428", "name": "Unquoted Search Path or Element" }, "notes": [ { "category": "description", "text": "A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment \"activation\" scripts (ie \"source venv/bin/activate\"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie \"./venv/bin/python\") are not affected.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Alpine-Linux-3.22:alt-python38-wheel-0.37.1-rr1.aarch64", "Alpine-Linux-3.22:alt-python38-wheel-0.37.1-rr1.x86_64", "Alpine-Linux-3.22:alt-python38-wheel-wheel-0.37.1-rr1.aarch64", "Alpine-Linux-3.22:alt-python38-wheel-wheel-0.37.1-rr1.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els-alt-python/cve/CVE-2024-9287" }, { "category": "external", "summary": "https://github.com/python/cpython/commit/633555735a023d3e4d92ba31da35b1205f9ecbd7", "url": "https://github.com/python/cpython/commit/633555735a023d3e4d92ba31da35b1205f9ecbd7" }, { "category": "external", "summary": "https://github.com/python/cpython/commit/8450b2482586857d689b6658f08de9c8179af7db", "url": "https://github.com/python/cpython/commit/8450b2482586857d689b6658f08de9c8179af7db" }, { "category": "external", "summary": "https://github.com/python/cpython/commit/9286ab3a107ea41bd3f3c3682ce2512692bdded8", "url": "https://github.com/python/cpython/commit/9286ab3a107ea41bd3f3c3682ce2512692bdded8" }, { "category": "external", "summary": "https://github.com/python/cpython/commit/ae961ae94bf19c8f8c7fbea3d1c25cc55ce8ae97", "url": "https://github.com/python/cpython/commit/ae961ae94bf19c8f8c7fbea3d1c25cc55ce8ae97" }, { "category": "external", "summary": "https://github.com/python/cpython/commit/d48cc82ed25e26b02eb97c6263d95dcaa1e9111b", "url": "https://github.com/python/cpython/commit/d48cc82ed25e26b02eb97c6263d95dcaa1e9111b" }, { "category": "external", "summary": "https://github.com/python/cpython/commit/e52095a0c1005a87eed2276af7a1f2f66e2b6483", "url": "https://github.com/python/cpython/commit/e52095a0c1005a87eed2276af7a1f2f66e2b6483" }, { "category": "external", "summary": "https://github.com/python/cpython/issues/124651", "url": "https://github.com/python/cpython/issues/124651" }, { "category": "external", "summary": "https://github.com/python/cpython/pull/124712", "url": "https://github.com/python/cpython/pull/124712" }, { "category": "external", "summary": "https://mail.python.org/archives/list/security-announce@python.org/thread/RSPJ2B5JL22FG3TKUJ7D7DQ4N5JRRBZL/", "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/RSPJ2B5JL22FG3TKUJ7D7DQ4N5JRRBZL/" }, { "category": "external", "summary": "https://lists.debian.org/debian-lts-announce/2024/11/msg00024.html", "url": "https://lists.debian.org/debian-lts-announce/2024/11/msg00024.html" }, { "category": "external", "summary": "https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html", "url": "https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html" }, { "category": "external", "summary": "https://security.netapp.com/advisory/ntap-20250425-0006/", "url": "https://security.netapp.com/advisory/ntap-20250425-0006/" } ], "release_date": "2024-10-22T17:15:00Z", "remediations": [ { "category": "vendor_fix", "date": "2026-02-05T18:31:38.689202Z", "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els-alt-python/releases/CLSA-2026:1770316296", "product_ids": [ "Alpine-Linux-3.22:alt-python38-wheel-0.37.1-rr1.aarch64", "Alpine-Linux-3.22:alt-python38-wheel-0.37.1-rr1.x86_64", "Alpine-Linux-3.22:alt-python38-wheel-wheel-0.37.1-rr1.aarch64", "Alpine-Linux-3.22:alt-python38-wheel-wheel-0.37.1-rr1.x86_64" ], "url": "https://cve.tuxcare.com/els-alt-python/releases/CLSA-2026:1770316296" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Alpine-Linux-3.22:alt-python38-wheel-0.37.1-rr1.aarch64", "Alpine-Linux-3.22:alt-python38-wheel-0.37.1-rr1.x86_64", "Alpine-Linux-3.22:alt-python38-wheel-wheel-0.37.1-rr1.aarch64", "Alpine-Linux-3.22:alt-python38-wheel-wheel-0.37.1-rr1.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ] }, { "cve": "CVE-2025-13836", "cwe": { "id": "CWE-125", "name": "Out-of-bounds Read" }, "notes": [ { "category": "description", "text": "When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. This allows a malicious server to cause the client to read large amounts of data into memory, potentially causing OOM or other DoS.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Alpine-Linux-3.22:alt-python38-wheel-0.37.1-rr1.aarch64", "Alpine-Linux-3.22:alt-python38-wheel-0.37.1-rr1.x86_64", "Alpine-Linux-3.22:alt-python38-wheel-wheel-0.37.1-rr1.aarch64", "Alpine-Linux-3.22:alt-python38-wheel-wheel-0.37.1-rr1.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els-alt-python/cve/CVE-2025-13836" }, { "category": "external", "summary": "https://github.com/python/cpython/commit/14b1fdb0a94b96f86fc7b86671ea9582b8676628", "url": "https://github.com/python/cpython/commit/14b1fdb0a94b96f86fc7b86671ea9582b8676628" }, { "category": "external", "summary": "https://github.com/python/cpython/commit/289f29b0fe38baf2d7cb5854f4bb573cc34a6a15", "url": "https://github.com/python/cpython/commit/289f29b0fe38baf2d7cb5854f4bb573cc34a6a15" }, { "category": "external", "summary": "https://github.com/python/cpython/commit/4ce27904b597c77d74dd93f2c912676021a99155", "url": "https://github.com/python/cpython/commit/4ce27904b597c77d74dd93f2c912676021a99155" }, { "category": "external", "summary": "https://github.com/python/cpython/commit/5a4c4a033a4a54481be6870aa1896fad732555b5", "url": "https://github.com/python/cpython/commit/5a4c4a033a4a54481be6870aa1896fad732555b5" }, { "category": "external", "summary": "https://github.com/python/cpython/commit/5dc101675fd22918facbbe0fecdc821502beaaf0", "url": "https://github.com/python/cpython/commit/5dc101675fd22918facbbe0fecdc821502beaaf0" }, { "category": "external", "summary": "https://github.com/python/cpython/commit/afc40bdd3dd71f343fd9016f6d8eebbacbd6587c", "url": "https://github.com/python/cpython/commit/afc40bdd3dd71f343fd9016f6d8eebbacbd6587c" }, { "category": "external", "summary": "https://github.com/python/cpython/issues/119451", "url": "https://github.com/python/cpython/issues/119451" }, { "category": "external", "summary": "https://github.com/python/cpython/pull/119454", "url": "https://github.com/python/cpython/pull/119454" }, { "category": "external", "summary": "https://mail.python.org/archives/list/security-announce@python.org/thread/OQ6G7MKRQIS3OAREC3HNG3D2DPOU34XO/", "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/OQ6G7MKRQIS3OAREC3HNG3D2DPOU34XO/" } ], "release_date": "2025-12-01T18:16:00Z", "remediations": [ { "category": "vendor_fix", "date": "2026-02-05T18:31:38.689202Z", "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els-alt-python/releases/CLSA-2026:1770316296", "product_ids": [ "Alpine-Linux-3.22:alt-python38-wheel-0.37.1-rr1.aarch64", "Alpine-Linux-3.22:alt-python38-wheel-0.37.1-rr1.x86_64", "Alpine-Linux-3.22:alt-python38-wheel-wheel-0.37.1-rr1.aarch64", "Alpine-Linux-3.22:alt-python38-wheel-wheel-0.37.1-rr1.x86_64" ], "url": "https://cve.tuxcare.com/els-alt-python/releases/CLSA-2026:1770316296" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "version": "3.1" }, "products": [ "Alpine-Linux-3.22:alt-python38-wheel-0.37.1-rr1.aarch64", "Alpine-Linux-3.22:alt-python38-wheel-0.37.1-rr1.x86_64", "Alpine-Linux-3.22:alt-python38-wheel-wheel-0.37.1-rr1.aarch64", "Alpine-Linux-3.22:alt-python38-wheel-wheel-0.37.1-rr1.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Critical" } ] } ] }