[CLSA-2026:1780406384] Fix of 8 CVEs
Type:
security
Severity:
Moderate
Release date:
2026-06-02 13:20:36 UTC
Description:
* SECURITY UPDATE: tarfile normalized AREGTYPE blocks to DIRTYPE while processing GNU long name/link follow-up headers, allowing a crafted tar archive to be misinterpreted.
  - debian/patches/CVE-2025-13462.patch: backport of cpython 42d754e34c (gh-141707). Skip DIRTYPE normalization on follow-up headers via a dircheck flag.
  - CVE-2025-13462
* SECURITY UPDATE: wsgiref.headers.Headers accepted C0 control characters in header names, values and parameters, enabling response splitting.
  - debian/patches/CVE-2026-0865.patch: backport of cpython f7fceed79c (gh-143916) plus the HTAB follow-up. Reject control characters; HTAB remains allowed in values but not names.
  - CVE-2026-0865
* SECURITY UPDATE: http.client did not reject CR/LF in HTTP tunnel (CONNECT) request headers set via HTTPConnection.set_tunnel().
  - debian/patches/CVE-2026-1502.patch: backport of cpython 05ed7ce7ae (gh-146211). Validate the tunnel host and per-header name/value.
  - CVE-2026-1502
* SECURITY UPDATE: http.cookies Morsel.js_output() emitted cookie values into a document.cookie assignment using only quote-escaping, allowing a breakout / JavaScript injection.
  - debian/patches/CVE-2026-6019.patch: backport of cpython 76b3923d68 (gh-90309). Base64-encode the value and wrap it in atob().
  - CVE-2026-6019
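
An application-side guard that applies the header rule described for CVE-2026-0865 to headers before they reach the library, useful on hosts that have not yet taken this update. This is an added example, not code from the CPython patch or from the CloudLinux package; the function names, the reading of "C0" as U+0000-U+001F and the handling of parameters are assumptions.

```python
import re

# Rule as the advisory states it: no C0 control characters (assumed here to
# mean U+0000-U+001F) in names, values or parameters; HTAB is tolerated in
# values but never in names.
_NAME_BAD = re.compile(r"[\x00-\x1f]")
_VALUE_BAD = re.compile(r"[\x00-\x08\x0a-\x1f]")


def header_problems(name, value, params=None):
    """Return a list of problems found; an empty list means the header is clean."""
    problems = []
    checks = [("name", name, _NAME_BAD), ("value", value, _VALUE_BAD)]
    # Assumption: parameter names follow the name rule, parameter values the value rule.
    for pname, pvalue in (params or {}).items():
        checks.append((f"parameter name {pname!r}", pname, _NAME_BAD))
        if pvalue is not None:
            checks.append((f"parameter {pname!r} value", pvalue, _VALUE_BAD))
    for label, text, pattern in checks:
        match = pattern.search(text)
        if match:
            problems.append(f"{label}: U+{ord(match.group()):04X} at offset {match.start()}")
    return problems


def safe_headers(headers):
    """Split (name, value) pairs into (accepted, rejected-with-reasons)."""
    accepted, rejected = [], []
    for name, value in headers:
        problems = header_problems(name, value)
        if problems:
            rejected.append((name, problems))
        else:
            accepted.append((name, value))
    return accepted, rejected


# Constructed sample: the second value carries CR/LF, the third name carries HTAB.
SAMPLE = [
    ("Content-Type", "text/plain"),
    ("X-Request-Note", "ok\r\nX-Injected: 1"),
    ("X-Bad\tName", "value"),
    ("X-Folded", "a\tb"),
]

if __name__ == "__main__":
    good, bad = safe_headers(SAMPLE)
    print("accepted:", good)
    for name, why in bad:
        print("rejected:", repr(name), why)
```
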
Updated packages:
  • alt-python39_3.9.23-17_amd64.deb
    sha:7123205f0e061bc2781fdbc024e105b566a1944a
  • alt-python39-debug_3.9.23-17_amd64.deb
    sha:54a91f097d23298503bccd71d65a9728f8f673ce
  • alt-python39-devel_3.9.23-17_amd64.deb
    sha:dc559eb471c4efa826a2571ba29f48e9c8e4a3f6
  • alt-python39-idle_3.9.23-17_amd64.deb
    sha:81cfab7edf743fd2da2ec9cd5aff04977fed5b9e
  • alt-python39-libs_3.9.23-17_amd64.deb
    sha:6a246aa78ce41022b346decae864644aec781d37
  • alt-python39-test_3.9.23-17_amd64.deb
    sha:522b04450201380fb95416d4f410aa9f45a439bd
  • alt-python39-tkinter_3.9.23-17_amd64.deb
    sha:b943e2500b985c20f54065670692ff2e1e7cc0eb
  • alt-python39_3.9.23-17_arm64.deb
    sha:376c4ef11435d521849ea2ac4b735e81f021e82b
  • alt-python39-debug_3.9.23-17_arm64.deb
    sha:1d3cf6247bd8fdc0969772b581db878359988e9c
  • alt-python39-devel_3.9.23-17_arm64.deb
    sha:ce9c2c714f5ac409a27f87b8ce70802e9fbcaedc
  • alt-python39-idle_3.9.23-17_arm64.deb
    sha:0cb056391b92612906330ca42b59e394dc827f9b
  • alt-python39-libs_3.9.23-17_arm64.deb
    sha:23dec863069aa99e864eeac3c6df2c82df01c514
  • alt-python39-test_3.9.23-17_arm64.deb
    sha:4f34e2baa6663ed5314f4c9c870d91d9baed6046
  • alt-python39-tkinter_3.9.23-17_arm64.deb
    sha:7a180272bcb52d6f36fe0fd6a3ee2411058ef33a
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.