[CLSA-2026:1780308409] Fix CVE(s): CVE-2026-7210
Type: security
Severity: Critical
Release date: 2026-06-01 10:07:02 UTC
Description:
* SECURITY UPDATE: xml.parsers.expat and xml.etree.ElementTree used insufficient entropy for the Expat hash-flooding salt (only the 8-byte Py_hash_t field _Py_HashSecret.expat.hashsalt was passed to XML_SetHashSalt), allowing a crafted XML document to trigger hash flooding in Expat's internal hash tables. Full mitigation requires libexpat 2.8.0+ at runtime (or a distro-backported equivalent that exports XML_SetHashSalt16Bytes).
  - debian/patches/CVE-2026-7210.patch: backport of cpython 24b8f12544 (gh-149018, Stan Ulbrych). Adds a 16-byte hashsalt16 field to _Py_HashSecret.expat and prefers the new XML_SetHashSalt16Bytes API in both Modules/pyexpat.c (newxmlparseobject + capi export) and Modules/_elementtree.c (XMLParser.__init__); the legacy XML_SetHashSalt path is kept as fallback when the loaded libexpat does not export the new symbol. The symbol is declared __attribute__((weak)) in Modules/pyexpat.c so the same source path works whether the build links against bundled libexpat 2.8.0+ or a distro libexpat 2.5/2.7 that backports the entropy fix without bumping XML_COMBINED_VERSION (Debian, Ubuntu, RHEL/CL, Alpine).
  - CVE-2026-7210
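
A runtime check for the condition described above, added here as an example (it is not part of the advisory or of the CPython patch): it reports whether the libexpat used by this interpreter's pyexpat is 2.8.0+ or exports XML_SetHashSalt16Bytes. The function names and the Linux-only /proc/self/maps lookup are assumptions of this example, and it inspects libexpat only, not whether the installed Python package carries the patch.

```python
import ctypes
import pyexpat

SYMBOL = "XML_SetHashSalt16Bytes"  # symbol name as given in the advisory


def loaded_expat_paths(maps_text):
    """Paths of libexpat shared objects found in /proc/<pid>/maps text."""
    paths = []
    for line in maps_text.splitlines():
        fields = line.split(None, 5)  # 6th field is the path, if any
        if len(fields) == 6:
            path = fields[5].strip()
            if "libexpat" in path.rsplit("/", 1)[-1] and path not in paths:
                paths.append(path)
    return paths


def exports_symbol(path, name=SYMBOL):
    """True if the shared object at `path` exports `name`."""
    try:
        return hasattr(ctypes.CDLL(path), name)
    except OSError:  # missing file or not loadable as a shared object
        return False


def assess(version_info, has_symbol):
    """Apply the advisory's condition: 2.8.0+ or a backport with the symbol."""
    if has_symbol or tuple(version_info) >= (2, 8, 0):
        return "16-byte salt available"
    return "legacy 8-byte XML_SetHashSalt fallback"


def check_runtime():
    """Inspect the libexpat used by this interpreter (Linux only)."""
    try:
        with open("/proc/self/maps") as fh:  # pyexpat is already imported
            candidates = loaded_expat_paths(fh.read())
    except OSError:
        candidates = []
    # A bundled (statically linked) expat has no mapping; the version decides.
    has_symbol = any(exports_symbol(p) for p in candidates)
    return pyexpat.EXPAT_VERSION, assess(pyexpat.version_info, has_symbol)


if __name__ == "__main__":
    print(*check_runtime(), sep=": ")
```

Run it with the alt-python38 interpreter itself so that the libexpat inspected is the one that interpreter loads.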
CVEs fixed:
Updated packages:
  • alt-python38_3.8.20-17_amd64.deb
    sha:391248bbfa0f0872ebf2749b839fdda26da561d7
  • alt-python38-debug_3.8.20-17_amd64.deb
    sha:204a91ec343f3238431d572e168e8711179d9d64
  • alt-python38-devel_3.8.20-17_amd64.deb
    sha:5babfb9f24a7e1525357c933669c48e1135f5937
  • alt-python38-idle_3.8.20-17_amd64.deb
    sha:06e8a7a955cb8ed5d8b15548ed4da7eb8d435c02
  • alt-python38-libs_3.8.20-17_amd64.deb
    sha:a151b3dca544b2ff16dbcdbeafd8c94449c28d08
  • alt-python38-test_3.8.20-17_amd64.deb
    sha:472c05575d0c24ca90869b53dfb3dbbfefbad78b
  • alt-python38-tkinter_3.8.20-17_amd64.deb
    sha:11810151dc354d0ef62ef43ced7d964349b842ed
  • alt-python38_3.8.20-17_arm64.deb
    sha:608d7ba6af3cbcb6946f635a3bc52d1f8ffe420e
  • alt-python38-debug_3.8.20-17_arm64.deb
    sha:436b9d0108c5c911e4850d84ab1bb00bb1223512
  • alt-python38-devel_3.8.20-17_arm64.deb
    sha:0154905beaab00b6432211dc5355746624219e04
  • alt-python38-idle_3.8.20-17_arm64.deb
    sha:cce56f250e36e2c5383e711f1b2021da2fbcb6fe
  • alt-python38-libs_3.8.20-17_arm64.deb
    sha:2a6e0269c0982855c0fc8ff095f20c403407c083
  • alt-python38-test_3.8.20-17_arm64.deb
    sha:7369f94b1c484a81dc9ce465a69bc1867e9b8827
  • alt-python38-tkinter_3.8.20-17_arm64.deb
    sha:a1684fcd1abe2ff7eaaa6d601ac14ebf25b2dd6f
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.