Release date:
2026-06-04 11:21:19 UTC
Description:
* SECURITY UPDATE: urllib.parse.urlsplit()/urlparse() did not validate
that bracketed [...] hosts were valid IPv6 or IPvFuture, enabling
SSRF-relevant differential parsing.
- debian/patches/CVE-2024-11168.patch: backport of cpython
29f348e232 (gh-103848, John James Utley). Adds _check_bracketed_host()
and calls it from urlsplit(); also backports ipaddress.IPv6Address
scope-id support (_split_scope_id) needed by the new check.
- CVE-2024-11168
* SECURITY UPDATE: follow-up to CVE-2024-11168; urlsplit()/urlparse()
still accepted square brackets in non-IPv6 hostnames, enabling
differential parsing across URL parsers.
- debian/patches/CVE-2025-0938.patch: backport of cpython
d89a5f6a6e (gh-105704, Seth Larson). Adds _check_bracketed_netloc()
to reject brackets that don't enclose a valid IPv6/IPvFuture host.
- CVE-2025-0938
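The two urllib fixes above both come down to one rule: square brackets in a URL's netloc may only delimit the whole host, and what they enclose must be an IPv6 or IPvFuture literal. The following is an added illustration of that rule written for this page; it is not the cpython patch nor the package's code, and the function names `check_bracketed_host`, `check_bracketed_netloc` and `parse_url_strict` are this example's own. It only needs the standard library; `ipaddress.ip_address()` accepts a zone/scope id such as `fe80::1%eth0` on Python 3.9 and later, which is the behaviour the 3.8 backport had to add. On an already-patched interpreter `urlsplit()` raises `ValueError` by itself and the wrapper simply reports that; on an unpatched one the explicit checks catch the same inputs.

```python
import ipaddress
import re
from urllib.parse import SplitResult, urlsplit

# IPvFuture per RFC 3986 section 3.2.2:
#   "v" 1*HEXDIG "." 1*( unreserved / sub-delims / ":" )
_IPVFUTURE = re.compile(r"[vV][0-9A-Fa-f]+\.[A-Za-z0-9\-._~!$&'()*+,;=:]+")


def check_bracketed_host(hostname: str) -> None:
    """Reject anything inside [...] that is not an IPv6 or IPvFuture literal.

    Illustrative re-implementation of the CVE-2024-11168 check; raises
    ValueError when the bracketed text is not an address literal.
    """
    if hostname[:1] in ("v", "V"):
        if not _IPVFUTURE.fullmatch(hostname):
            raise ValueError(f"IPvFuture address is invalid: {hostname!r}")
        return
    # ip_address() raises ValueError for text that is no address at all
    # (e.g. "example.com"); an IPv4 literal parses but is not allowed in brackets.
    addr = ipaddress.ip_address(hostname)
    if not isinstance(addr, ipaddress.IPv6Address):
        raise ValueError(f"An IPv4 address cannot be in brackets: {hostname!r}")


def check_bracketed_netloc(netloc: str) -> None:
    """Reject brackets anywhere in netloc except as the delimiters of the host.

    Illustrative re-implementation of the CVE-2025-0938 check; raises
    ValueError on stray or unbalanced brackets.
    """
    userinfo, _, hostport = netloc.rpartition("@")
    if "[" in userinfo or "]" in userinfo:
        raise ValueError(f"Brackets not allowed in userinfo: {netloc!r}")
    if "[" not in hostport and "]" not in hostport:
        return  # plain hostname or IPv4 host: nothing bracket-related to validate
    if not hostport.startswith("["):
        raise ValueError(f"A bracket must start the host: {netloc!r}")
    host, closing, rest = hostport[1:].partition("]")
    if not closing or "[" in host:
        raise ValueError(f"Unbalanced brackets in host: {netloc!r}")
    if rest and not rest.startswith(":"):
        raise ValueError(f"Unexpected data after bracketed host: {netloc!r}")
    if "[" in rest or "]" in rest:
        raise ValueError(f"Brackets not allowed in port: {netloc!r}")
    check_bracketed_host(host)


def parse_url_strict(url: str):
    """urlsplit() plus both bracket checks.

    Returns the SplitResult for a URL whose netloc passes, or None when either
    the stdlib parser or the explicit checks reject it, so a caller never acts
    on a host that other parsers might read differently.
    """
    try:
        parts: SplitResult = urlsplit(url)
        check_bracketed_netloc(parts.netloc)
    except ValueError:
        return None
    return parts


if __name__ == "__main__":
    # Constructed sample inputs for this illustration.
    for sample in (
        "http://[::1]:8080/",
        "http://[v1.fe80::a+en1]/",
        "http://[127.0.0.1]/",
        "http://[example.com]/",
        "http://example.com]:80/",
        "http://[::1]x:80/",
    ):
        print(f"{sample:32} -> {'accepted' if parse_url_strict(sample) else 'rejected'}")
```

The strict wrapper is what an SSRF allow-list check should call before comparing the resolved host against the permitted set; if it returns `None`, the request is refused rather than handed to an HTTP client that may split the same string differently.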
* SECURITY UPDATE: email._header_value_parser folded address-list
separator commas through encoded-word, so the separating comma could
be unicode-encoded and misinterpreted by mail servers.
- debian/patches/CVE-2025-1795.patch: backport of cpython
09fab93c3d (gh-100884) plus the bundled regression follow-up
858b9e85fc (gh-118643) which fixes the AttributeError that
gh-100884 introduced when re-folding long address lists. Sets
ListSeparator.as_ew_allowed to False and routes the list-
separator token through the named constant.
- CVE-2025-1795
* SECURITY UPDATE: when folding a long email-header comment composed
of unfoldable characters, email._header_value_parser dropped the
enclosing parenthesis (and could omit the required leading space),
enabling header injection.
- debian/patches/CVE-2025-11468.patch: backport of cpython
61614a5e50 (gh-143935). Adds make_parenthesis_pairs() and a
comment-folding branch in _refold_parse_tree() that re-emits
parentheses around comment subparts.
- CVE-2025-11468
* SECURITY UPDATE: use-after-free in the unicode-escape decoder when
an error handler ('ignore'/'replace') was used.
- debian/patches/CVE-2025-4516.patch: backport of cpython
0d5d68f707 (gh-133767, Serhiy Storchaka). Replaces the buffer
pointer with an integer (first_invalid_escape_char) plus a
starts==initial_starts guard; adds binary-compat wrappers
_PyBytes_DecodeEscape2 and _PyUnicode_DecodeUnicodeEscapeInternal2.
- CVE-2025-4516
* SECURITY UPDATE: html.parser.HTMLParser had worst-case quadratic
complexity on crafted malformed input (e.g. unterminated tags or
comments at EOF), enabling amplified DoS.
- debian/patches/CVE-2025-6069.patch: backport of cpython
8d1b3dfa09 (gh-135462). Replaces the EOF-handling branch with
starttagopen.match/endtagopen.match/bogus-comment handling.
- CVE-2025-6069
Updated packages:
- alt-python38_3.8.20-18_amd64.deb sha:f7091da31e37fe65ab42067a11e61166c6090ddc
- alt-python38-debug_3.8.20-18_amd64.deb sha:7f64c6dd34152b89c8add6fc87211d28f1eee7ed
- alt-python38-devel_3.8.20-18_amd64.deb sha:012826f046de505837f2b36c31bf21fe011f485d
- alt-python38-idle_3.8.20-18_amd64.deb sha:2bddf784386cf1a0fc5dd100321d75f533d557ca
- alt-python38-libs_3.8.20-18_amd64.deb sha:03d0c6f1475c96b1d3bc71325fe6fb39c412f4f8
- alt-python38-test_3.8.20-18_amd64.deb sha:5327515f293ff44b29d69a9a020e547ffa628568
- alt-python38-tkinter_3.8.20-18_amd64.deb sha:22b0e830d562b845a19a2f51c399fd183d14abb5
- alt-python38_3.8.20-18_arm64.deb sha:b1848aa21554867276ea0ab7b761c872a069b26b
- alt-python38-debug_3.8.20-18_arm64.deb sha:d491f7378d3cc34c7a9a91b0d8e73828741444cf
- alt-python38-devel_3.8.20-18_arm64.deb sha:146b38538505c194d1bf60b13aa2fb3a3cb74bab
- alt-python38-idle_3.8.20-18_arm64.deb sha:52caa3a02661201a669b786b435f18c1939b8e07
- alt-python38-libs_3.8.20-18_arm64.deb sha:dcddfab8425a3b4c4f6eb210989fd03461ee3116
- alt-python38-test_3.8.20-18_arm64.deb sha:71c2312bc343a79ae1b29eca1818eba266afedf6
- alt-python38-tkinter_3.8.20-18_arm64.deb sha:377e6417cad34b075977d88d7feb95b7733cefcb
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.