{
  "document": {
    "aggregate_severity": {
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "TuxCare License Agreement",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.",
        "title": "Terms of Use"
      },
      {
        "category": "details",
        "text": "CVE-2025-8194: tarfile: validate archives to ensure member offsets are non-negative",
        "title": "Details"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://tuxcare.com/contact/",
      "name": "TuxCare",
      "namespace": "https://tuxcare.com/"
    },
    "references": [
      {
        "category": "self",
        "summary": "TuxCare advisory CLSA-2026:1772721745",
        "url": "https://cve.tuxcare.com/els-alt-python/releases/CLSA-2026:1772721745"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.tuxcare.com/csaf/v2/els_alt_python/el9/advisories/2026/clsa-2026_1772721745.json"
      }
    ],
    "tracking": {
      "current_release_date": "2026-03-05T14:43:08Z",
      "generator": {
        "date": "2026-03-05T14:43:08Z",
        "engine": {
          "name": "pyCSAF"
        }
      },
      "id": "CLSA-2026:1772721745",
      "initial_release_date": "2026-03-05T14:43:08Z",
      "revision_history": [
        {
          "date": "2026-03-05T14:43:08Z",
          "number": "1",
          "summary": "Initial version"
        }
      ],
      "status": "final",
      "version": "1"
    },
    "title": "alt-python27: Fix of CVE-2025-8194"
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Community Enterprise Operating System 9",
                "product": {
                  "name": "Community Enterprise Operating System 9",
                  "product_id": "CentOS-9",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:o:centos:centos:9:*:*:*:*:*:*:*"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Community Enterprise Operating System"
          }
        ],
        "category": "vendor",
        "name": "Cloud Linux Software, Inc."
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "alt-python27-libs-0:2.7.18-24.el9.x86_64",
                "product": {
                  "name": "alt-python27-libs-0:2.7.18-24.el9.x86_64",
                  "product_id": "alt-python27-libs-0:2.7.18-24.el9.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/alt-python27-libs@2.7.18-24.el9?arch=x86_64&os_name=centos&os_version=9"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "alt-python27-0:2.7.18-24.el9.x86_64",
                "product": {
                  "name": "alt-python27-0:2.7.18-24.el9.x86_64",
                  "product_id": "alt-python27-0:2.7.18-24.el9.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/alt-python27@2.7.18-24.el9?arch=x86_64&os_name=centos&os_version=9"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "alt-python27-tkinter-0:2.7.18-24.el9.x86_64",
                "product": {
                  "name": "alt-python27-tkinter-0:2.7.18-24.el9.x86_64",
                  "product_id": "alt-python27-tkinter-0:2.7.18-24.el9.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/alt-python27-tkinter@2.7.18-24.el9?arch=x86_64&os_name=centos&os_version=9"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "alt-python27-tools-0:2.7.18-24.el9.x86_64",
                "product": {
                  "name": "alt-python27-tools-0:2.7.18-24.el9.x86_64",
                  "product_id": "alt-python27-tools-0:2.7.18-24.el9.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/alt-python27-tools@2.7.18-24.el9?arch=x86_64&os_name=centos&os_version=9"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "alt-python27-test-0:2.7.18-24.el9.x86_64",
                "product": {
                  "name": "alt-python27-test-0:2.7.18-24.el9.x86_64",
                  "product_id": "alt-python27-test-0:2.7.18-24.el9.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/alt-python27-test@2.7.18-24.el9?arch=x86_64&os_name=centos&os_version=9"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "alt-python27-debug-0:2.7.18-24.el9.x86_64",
                "product": {
                  "name": "alt-python27-debug-0:2.7.18-24.el9.x86_64",
                  "product_id": "alt-python27-debug-0:2.7.18-24.el9.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/alt-python27-debug@2.7.18-24.el9?arch=x86_64&os_name=centos&os_version=9"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "alt-python27-devel-0:2.7.18-24.el9.x86_64",
                "product": {
                  "name": "alt-python27-devel-0:2.7.18-24.el9.x86_64",
                  "product_id": "alt-python27-devel-0:2.7.18-24.el9.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/alt-python27-devel@2.7.18-24.el9?arch=x86_64&os_name=centos&os_version=9"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          }
        ],
        "category": "vendor",
        "name": "TuxCare"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "alt-python27-libs-0:2.7.18-24.el9.x86_64 as a component of Community Enterprise Operating System 9",
          "product_id": "CentOS-9:alt-python27-libs-0:2.7.18-24.el9.x86_64"
        },
        "product_reference": "alt-python27-libs-0:2.7.18-24.el9.x86_64",
        "relates_to_product_reference": "CentOS-9"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "alt-python27-0:2.7.18-24.el9.x86_64 as a component of Community Enterprise Operating System 9",
          "product_id": "CentOS-9:alt-python27-0:2.7.18-24.el9.x86_64"
        },
        "product_reference": "alt-python27-0:2.7.18-24.el9.x86_64",
        "relates_to_product_reference": "CentOS-9"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "alt-python27-tkinter-0:2.7.18-24.el9.x86_64 as a component of Community Enterprise Operating System 9",
          "product_id": "CentOS-9:alt-python27-tkinter-0:2.7.18-24.el9.x86_64"
        },
        "product_reference": "alt-python27-tkinter-0:2.7.18-24.el9.x86_64",
        "relates_to_product_reference": "CentOS-9"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "alt-python27-tools-0:2.7.18-24.el9.x86_64 as a component of Community Enterprise Operating System 9",
          "product_id": "CentOS-9:alt-python27-tools-0:2.7.18-24.el9.x86_64"
        },
        "product_reference": "alt-python27-tools-0:2.7.18-24.el9.x86_64",
        "relates_to_product_reference": "CentOS-9"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "alt-python27-test-0:2.7.18-24.el9.x86_64 as a component of Community Enterprise Operating System 9",
          "product_id": "CentOS-9:alt-python27-test-0:2.7.18-24.el9.x86_64"
        },
        "product_reference": "alt-python27-test-0:2.7.18-24.el9.x86_64",
        "relates_to_product_reference": "CentOS-9"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "alt-python27-debug-0:2.7.18-24.el9.x86_64 as a component of Community Enterprise Operating System 9",
          "product_id": "CentOS-9:alt-python27-debug-0:2.7.18-24.el9.x86_64"
        },
        "product_reference": "alt-python27-debug-0:2.7.18-24.el9.x86_64",
        "relates_to_product_reference": "CentOS-9"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "alt-python27-devel-0:2.7.18-24.el9.x86_64 as a component of Community Enterprise Operating System 9",
          "product_id": "CentOS-9:alt-python27-devel-0:2.7.18-24.el9.x86_64"
        },
        "product_reference": "alt-python27-devel-0:2.7.18-24.el9.x86_64",
        "relates_to_product_reference": "CentOS-9"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-8194",
      "cwe": {
        "id": "CWE-835",
        "name": "Loop with Unreachable Exit Condition ('Infinite Loop')"
      },
      "notes": [
        {
          "category": "description",
          "text": "There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives.\nThis vulnerability can be mitigated by including the following patch after importing the “tarfile” module: https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "CentOS-9:alt-python27-0:2.7.18-24.el9.x86_64",
          "CentOS-9:alt-python27-debug-0:2.7.18-24.el9.x86_64",
          "CentOS-9:alt-python27-devel-0:2.7.18-24.el9.x86_64",
          "CentOS-9:alt-python27-libs-0:2.7.18-24.el9.x86_64",
          "CentOS-9:alt-python27-test-0:2.7.18-24.el9.x86_64",
          "CentOS-9:alt-python27-tkinter-0:2.7.18-24.el9.x86_64",
          "CentOS-9:alt-python27-tools-0:2.7.18-24.el9.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els-alt-python/cve/CVE-2025-8194"
        }
      ],
      "release_date": "2025-07-28T18:42:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-03-05T14:42:27.990942Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els-alt-python/releases/CLSA-2026:1772721745",
          "product_ids": [
            "CentOS-9:alt-python27-0:2.7.18-24.el9.x86_64",
            "CentOS-9:alt-python27-debug-0:2.7.18-24.el9.x86_64",
            "CentOS-9:alt-python27-devel-0:2.7.18-24.el9.x86_64",
            "CentOS-9:alt-python27-libs-0:2.7.18-24.el9.x86_64",
            "CentOS-9:alt-python27-test-0:2.7.18-24.el9.x86_64",
            "CentOS-9:alt-python27-tkinter-0:2.7.18-24.el9.x86_64",
            "CentOS-9:alt-python27-tools-0:2.7.18-24.el9.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els-alt-python/releases/CLSA-2026:1772721745"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CentOS-9:alt-python27-0:2.7.18-24.el9.x86_64",
            "CentOS-9:alt-python27-debug-0:2.7.18-24.el9.x86_64",
            "CentOS-9:alt-python27-devel-0:2.7.18-24.el9.x86_64",
            "CentOS-9:alt-python27-libs-0:2.7.18-24.el9.x86_64",
            "CentOS-9:alt-python27-test-0:2.7.18-24.el9.x86_64",
            "CentOS-9:alt-python27-tkinter-0:2.7.18-24.el9.x86_64",
            "CentOS-9:alt-python27-tools-0:2.7.18-24.el9.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ]
    }
  ]
}