[CLSA-2026:1780308750] Fix CVE(s): CVE-2026-7210
Type:
security
Severity:
Critical
Release date:
2026-06-01 10:12:45 UTC
Description:
* SECURITY UPDATE: xml.parsers.expat / xml.etree.ElementTree used insufficient entropy for libexpat hash-flooding protection, allowing a crafted XML document to trigger hash collisions. Mitigation requires both libexpat 2.8.0+ (or a distro-backported equivalent that exports XML_SetHashSalt16Bytes) and a Python-side patch to seed the parser with the new 16-byte salt API.
  - debian/patches/CVE-2026-7210.patch: backport of cpython 24b8f12544 (gh-149018, Stan Ulbrych). pyexpat and _elementtree call XML_SetHashSalt16Bytes with _Py_HashSecret.expat.hashsalt16 (16 bytes of entropy); legacy XML_SetHashSalt remains as the fallback when the loaded libexpat does not export the new symbol. The symbol is declared __attribute__((weak)) in Modules/pyexpat.c so the same source path works whether the build links against bundled libexpat 2.8.0+ or a distro libexpat 2.5/2.7 that backports the entropy fix without bumping XML_COMBINED_VERSION (Debian, Ubuntu, RHEL/CL, Alpine). Extends the PyExpat CAPI with a nullable SetHashSalt16Bytes slot populated from the weak reference.
  - CVE-2026-7210
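A check for the libexpat half of the mitigation described above, added here as an example (not CloudLinux or CPython code): it reports whether the expat that pyexpat loads is 2.8.0+ or resolves XML_SetHashSalt16Bytes. The function names and the result dictionary are assumptions of this example; the Python-side patch is not detectable this way and comes from the updated packages.

```python
import ctypes
import ctypes.util
import pyexpat

SALT16_SYMBOL = "XML_SetHashSalt16Bytes"  # symbol name from the advisory
MIN_EXPAT = (2, 8, 0)                     # upstream release named in the advisory


def exports_symbol(path, symbol=SALT16_SYMBOL):
    """True/False if the shared object at `path` (on Linux, or a library it
    depends on) resolves `symbol`; None if there is no path or it won't load."""
    if not path:
        return None
    try:
        lib = ctypes.CDLL(path)
    except OSError:
        return None
    return hasattr(lib, symbol)  # ctypes raises AttributeError when lookup fails


def libexpat_side_ok(version_info, has_symbol):
    """libexpat condition from the advisory: 2.8.0+, or a backport that
    exports the 16-byte salt symbol without bumping the version."""
    return tuple(version_info) >= MIN_EXPAT or has_symbol is True


def check():
    # Probe the pyexpat extension itself so the answer reflects the expat it
    # links against; fall back to the system library when pyexpat is built in.
    path = getattr(pyexpat, "__file__", None) or ctypes.util.find_library("expat")
    has_symbol = exports_symbol(path)
    info = tuple(pyexpat.version_info)
    return {
        "probed": path,
        "expat_version": pyexpat.EXPAT_VERSION,
        "version_info": info,
        "has_symbol": has_symbol,
        "ok": libexpat_side_ok(info, has_symbol),
    }


if __name__ == "__main__":
    for key, value in check().items():
        print(f"{key}: {value}")
```

Run it with the interpreter being audited (for example the alt-python39 binary); a result of `ok: False` means the legacy XML_SetHashSalt fallback is the only path available to that build.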
CVEs fixed:
Updated packages:
  • alt-python39_3.9.23-15_amd64.deb
    sha:35fb172ac45b0b51a878d4e8d865dabb9389b886
  • alt-python39-debug_3.9.23-15_amd64.deb
    sha:416b5c59a4e67685e7c2b2d07dc097bb31b15dcd
  • alt-python39-devel_3.9.23-15_amd64.deb
    sha:65f61e11c973598de176c1aaf56243fcc4a5a893
  • alt-python39-idle_3.9.23-15_amd64.deb
    sha:822c248c6b8ee54cd92bbb1089f4bfb8a34a5d20
  • alt-python39-libs_3.9.23-15_amd64.deb
    sha:b299ce4b01452bee670cb09a84714849db29e834
  • alt-python39-test_3.9.23-15_amd64.deb
    sha:2312da306379fa21db356f7d599ec3cb3b150cee
  • alt-python39-tkinter_3.9.23-15_amd64.deb
    sha:dfde039159a56bab3f45c98acfff05c5dce89c84
  • alt-python39_3.9.23-15_arm64.deb
    sha:4bbd5672da1f6d9772deb09f25615a1faa7740d1
  • alt-python39-debug_3.9.23-15_arm64.deb
    sha:86a6b0d1dc0201241e874e27d8c1eca340b838e7
  • alt-python39-devel_3.9.23-15_arm64.deb
    sha:834d76ac775ab1666ec39dff26f8523137e0c312
  • alt-python39-idle_3.9.23-15_arm64.deb
    sha:ac8f94fecde3d801b34b9d2611e025cd52613709
  • alt-python39-libs_3.9.23-15_arm64.deb
    sha:7dc65d53734fe2fa861ee658322587fbfa946b8d
  • alt-python39-test_3.9.23-15_arm64.deb
    sha:b4a7ad4d6b453f41cc2fdc687a1487b3e0bff9ce
  • alt-python39-tkinter_3.9.23-15_arm64.deb
    sha:1670a7635b0b1702c29d7955901e1b1f76046365
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.