Release date:
2026-06-05 15:06:52 UTC
Description:
* SECURITY UPDATE: zipfile did not validate the ZIP64 End-of-Central-
Directory Locator relative offset and assumed the EOCD64 record sat
immediately before the locator, so a crafted archive could be parsed
differently by zipfile than by other ZIP tools (parser confusion).
- debian/patches/CVE-2025-8291.patch: backport of cpython
d11e69d620 (gh-139700, PSF-2025-12). Validates the locator offset
and raises BadZipFile when it disagrees.
- CVE-2025-8291
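The check the zipfile entry describes, written out as an added example (not the CloudLinux patch or CPython's own code): the parser reads the locator's relative-offset field, requires it to agree with the position the layout implies, and requires a real EOCD64 signature there. The sample bytes are constructed here, and the decoy record in `ambiguous_sample()` shows why the old assumption mattered: an offset-ignoring parser and an offset-trusting parser would read two different central directories from the same file.

```python
import struct

EOCD_SIG = b"PK\x05\x06"        # end of central directory record
EOCD64_LOC_SIG = b"PK\x06\x07"  # ZIP64 end of central directory locator
EOCD64_SIG = b"PK\x06\x06"      # ZIP64 end of central directory record
EOCD_SIZE, LOCATOR_SIZE, EOCD64_SIZE = 22, 20, 56


class BadZip64Locator(ValueError):
    """Raised when the locator's offset disagrees with the archive layout."""


def make_tail(locator_offset, between=b""):
    """Constructed sample bytes, not a real archive: an EOCD64 record at offset
    0 (empty central directory), optional bytes `between` it and the locator,
    the locator with its relative-offset field set to `locator_offset`, and a
    plain EOCD whose counts are the 0xFFFF/0xFFFFFFFF 'see ZIP64' markers."""
    eocd64 = struct.pack("<4sQHHIIQQQQ", EOCD64_SIG, 44, 45, 45, 0, 0, 0, 0, 0, 0)
    locator = struct.pack("<4sIQI", EOCD64_LOC_SIG, 0, locator_offset, 1)
    eocd = struct.pack("<4sHHHHIIH", EOCD_SIG, 0, 0, 0xFFFF, 0xFFFF,
                       0xFFFFFFFF, 0xFFFFFFFF, 0)
    return eocd64 + between + locator + eocd


def ambiguous_sample():
    """Two EOCD64 records: the honest one at offset 0 (named by the locator)
    and a decoy, claiming a one-entry directory, sitting immediately before
    the locator where an offset-ignoring parser would look."""
    decoy = struct.pack("<4sQHHIIQQQQ", EOCD64_SIG, 44, 45, 45, 0, 0, 1, 1, 46, 0)
    return make_tail(0, between=decoy)


def naive_eocd64_offset(data):
    """What the unpatched logic assumed: the record ends where the locator starts."""
    eocd_pos = data.rfind(EOCD_SIG)
    return eocd_pos - LOCATOR_SIZE - EOCD64_SIZE


def locate_eocd64(data):
    """Return the offset of the EOCD64 record, or None for a non-ZIP64 archive.
    The locator's relative offset must match the position the layout implies
    and must point at a real EOCD64 signature; anything else is rejected."""
    eocd_pos = data.rfind(EOCD_SIG)
    if eocd_pos < 0 or len(data) - eocd_pos < EOCD_SIZE:
        raise BadZip64Locator("no end of central directory record")
    loc_pos = eocd_pos - LOCATOR_SIZE
    if loc_pos < 0 or data[loc_pos:loc_pos + 4] != EOCD64_LOC_SIG:
        return None  # plain (non-ZIP64) archive
    _, disk_no, rel_off, total_disks = struct.unpack_from("<4sIQI", data, loc_pos)
    if disk_no != 0 or total_disks != 1:
        raise BadZip64Locator("multi-disk ZIP64 archives are not supported")
    implied = loc_pos - EOCD64_SIZE
    if rel_off != implied:
        raise BadZip64Locator(f"locator points at {rel_off}, layout implies {implied}")
    if data[rel_off:rel_off + 4] != EOCD64_SIG:
        raise BadZip64Locator("locator offset does not hold an EOCD64 record")
    return rel_off


def is_consistent(data):
    """Yes/no wrapper for callers that only want to accept or reject a file."""
    try:
        locate_eocd64(data)
        return True
    except BadZip64Locator:
        return False
```

On the constructed samples, `naive_eocd64_offset(ambiguous_sample())` returns 56 (the decoy) while the locator names offset 0, and `locate_eocd64` refuses the file instead of silently picking one of the two. The check is deliberately strict, matching the changelog's "raises BadZipFile when it disagrees" rather than tolerating an extensible data sector between the record and the locator.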
* SECURITY UPDATE: tarfile applied the V7 AREGTYPE -> DIRTYPE
normalization in frombuf() even when the header was a sub-block of
a multi-block GNUTYPE_LONGNAME/LONGLINK member, causing parser
confusion.
- debian/patches/CVE-2025-13462.patch: backport of cpython
42d754e34c (gh-141707). Skips the normalization on continuation
blocks (dircheck=False on follow-up headers in _proc_gnulong and
_proc_pax).
- CVE-2025-13462
* SECURITY UPDATE: wsgiref.headers.Headers did not reject control
characters in header names/values, allowing HTTP header injection.
- debian/patches/CVE-2026-0865.patch: backport of cpython
22e4d55285 (gh-143916, initial reject of [\x00-\x1F\x7F] in
_convert_string_type) plus follow-up 83ecd18779 (gh-144762,
relax to allow HTAB \x09 in header values per RFC 9110). The
merged patch splits the regex into _name_disallowed_re and
_value_disallowed_re and threads a `name` keyword through
_convert_string_type call sites.
- CVE-2026-0865
* SECURITY UPDATE: http.client.HTTPConnection did not sanitize CR/LF
in the proxy CONNECT tunnel host or in set_tunnel() headers,
enabling request/header splitting.
- debian/patches/CVE-2026-1502.patch: backport of cpython
b1cf901633 (gh-146211). Applies _is_legal_header_name/
_is_illegal_header_value and control-char checks in
_tunnel()/set_tunnel().
- CVE-2026-1502
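The two header-injection entries above (wsgiref.headers and the http.client CONNECT tunnel) rest on the same check, so one added example covers both. This is illustrative code, not the backported patches: the str-side regexes follow the split the wsgiref entry describes (control characters rejected in names, HTAB allowed in values), and the bytes-side names `_is_legal_header_name` and `_has_control_char` echo what the http.client entry cites but are this example's own patterns. The CONNECT request builder is a stand-in for what `_tunnel()` would send and is assumed, not taken from the library.

```python
import re

# wsgiref-style checks on str headers: any ASCII control character is rejected
# in a name; a value may additionally contain HTAB, which RFC 9110 permits.
_name_disallowed_re = re.compile(r"[\x00-\x1F\x7F]")
_value_disallowed_re = re.compile(r"[\x00-\x08\x0A-\x1F\x7F]")

# http.client-style checks on bytes (example patterns, named after the
# functions the changelog mentions).
_is_legal_header_name = re.compile(rb"[^:\s][^:\r\n]*").fullmatch
_has_control_char = re.compile(rb"[\x00-\x1F\x7F]").search


def is_safe_header(name, value):
    """True when neither part can end a header line or start a new one."""
    return not (_name_disallowed_re.search(name) or _value_disallowed_re.search(value))


def format_header(name, value):
    """Serialize one header line, refusing anything that could inject a second."""
    if not is_safe_header(name, value):
        raise ValueError(f"control character in header {name!r}: {value!r}")
    return f"{name}: {value}"


def is_safe_tunnel_host(host):
    """A CONNECT target may not contain whitespace or control characters; either
    would terminate the request line early and let the rest be read as more
    request lines by the proxy."""
    return bool(host) and not _has_control_char(host) and b" " not in host


def build_connect_request(host, port, headers=None):
    """Assumed shape of a proxy CONNECT request: request line plus the caller's
    tunnel headers, each validated before it is written. Returns bytes."""
    host_b = host.encode("ascii")
    port = int(port)
    if not is_safe_tunnel_host(host_b):
        raise ValueError(f"illegal tunnel host {host!r}")
    if not 0 < port < 65536:
        raise ValueError(f"illegal tunnel port {port}")
    lines = [b"CONNECT %s:%d HTTP/1.1" % (host_b, port)]
    for name, value in (headers or {}).items():
        name_b, value_b = name.encode("ascii"), value.encode("latin-1")
        if not _is_legal_header_name(name_b) or _has_control_char(name_b):
            raise ValueError(f"illegal tunnel header name {name!r}")
        # HTAB is the one control character tolerated inside a value.
        if _has_control_char(value_b.replace(b"\t", b"")):
            raise ValueError(f"illegal tunnel header value {value!r}")
        lines.append(name_b + b": " + value_b)
    return b"\r\n".join(lines) + b"\r\n\r\n"
```

The value regex deliberately leaves a hole at `\x09` and nowhere else, which is the whole content of the follow-up commit the wsgiref entry mentions: a first cut that rejected all of `[\x00-\x1F\x7F]` in values broke legitimate tab-separated header values.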
* SECURITY UPDATE: http.cookies.Morsel.js_output() emitted the cookie
value inside a script element while escaping only `"`, so a value
containing a closing script tag could break out of the script element
(XSS).
- debian/patches/CVE-2026-6019.patch: backport of cpython
76b3923d68 (gh-90309). Base64-encodes the embedded cookie value;
composes with the existing CVE-2026-3644 patch on the same
function.
- CVE-2026-6019
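An added example of the js_output() problem and the base64 remedy, using the real `http.cookies.SimpleCookie` for serialization but with both script emitters written here for illustration (neither is the library's code). The HTML parser finds the end of a script element by scanning for the closing tag, without regard to JavaScript string quoting, so escaping `"` cannot help; a base64 alphabet contains no `<`, so the encoded form cannot close the element, and `atob()` restores the text on the client.

```python
import base64
from http.cookies import SimpleCookie


def serialize_cookie(name, value):
    """Serialize one cookie the way http.cookies does (name="quoted value")."""
    cookie = SimpleCookie()
    cookie[name] = value
    return cookie.output(header="").strip()


def js_output_unsafe(name, value):
    """Shape of the problem: the serialized cookie goes into a JS string
    literal with only the double quote escaped, so a closing script tag
    inside the value still ends the element for the HTML parser."""
    literal = serialize_cookie(name, value).replace('"', r'\"')
    return f'<script type="text/javascript">\ndocument.cookie = "{literal}";\n</script>'


def encode_cookie_for_js(name, value):
    """Base64 of the serialized cookie (latin-1, matching what atob() yields
    one character per byte; non-Latin-1 text would need a TextDecoder step)."""
    raw = serialize_cookie(name, value).encode("latin-1")
    return base64.b64encode(raw).decode("ascii")


def decode_cookie_from_js(encoded):
    """What atob() does on the client, for checking the round trip here."""
    return base64.b64decode(encoded).decode("latin-1")


def js_output_safe(name, value):
    """Hardened form: the only cookie-derived bytes in the element are
    [A-Za-z0-9+/=], which can never spell '<', '"' or a line break."""
    return (
        '<script type="text/javascript">\n'
        f'document.cookie = atob("{encode_cookie_for_js(name, value)}");\n'
        "</script>"
    )
```

For a value such as `</script>x` the unsafe emitter produces two closing script tags (the injected one and the legitimate one) while the safe emitter produces exactly one, and the round trip through `decode_cookie_from_js` returns the original serialized cookie.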
* SECURITY UPDATE: ftplib.ftpcp() called parse227() directly and
passed the attacker-controllable PASV host/port to target.sendport()
(SSRF). The CVE-2021-4189 PASV fix had been applied to makepasv()
but not ftpcp().
- debian/patches/CVE-2026-8328.patch: backport of cpython
eac4fe3b2c (gh-87451). Mirrors the getpeername() /
trust_server_pasv_ipv4_address logic in ftpcp().
- CVE-2026-8328
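The ftplib entry says the fix mirrors the makepasv() PASV logic in ftpcp(). As an added example (not the patch itself), here is that decision written as a standalone function over the real `ftplib.parse227` parser: the port is always taken from the 227 reply, but the host is taken from it only when the caller has opted in with `trust_server_pasv_ipv4_address`; otherwise the peer address of the control connection is used, so a reply naming some other host cannot redirect the data transfer. The reply and peer address below are constructed from RFC 5737 documentation ranges.

```python
import ftplib

# Constructed sample inputs (documentation address ranges, not real hosts).
SAMPLE_REPLY = "227 Entering Passive Mode (203,0,113,10,4,1)"
SAMPLE_PEER = "198.51.100.7"   # peer of the control connection, per getpeername()


def resolve_pasv_target(pasv_reply, control_peer_host,
                        trust_server_pasv_ipv4_address=False):
    """Return the (host, port) a PASV data connection should open.

    The 227 reply is server-controlled. parse227() raises error_reply for a
    non-227 status and error_proto when the six-number tuple is missing, so
    malformed replies never reach the host decision below.
    """
    untrusted_host, port = ftplib.parse227(pasv_reply)
    if not 0 < port < 65536:
        raise ftplib.error_proto(f"port out of range in PASV reply: {port}")
    if trust_server_pasv_ipv4_address:
        host = untrusted_host          # explicit opt-in: believe the server
    else:
        host = control_peer_host       # default: stay on the host we spoke to
    return host, port


def is_acceptable_reply(pasv_reply):
    """True when the reply parses; lets callers reject bad replies up front."""
    try:
        ftplib.parse227(pasv_reply)
        return True
    except (ftplib.error_reply, ftplib.error_proto):
        return False
```

With the sample reply, the untrusted default yields `("198.51.100.7", 1025)` while the opt-in yields `("203.0.113.10", 1025)`; the port (4*256+1) is the same in both cases. IPv6 (EPSV/229) is outside this example.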
Updated packages:
- alt-python38_3.8.20-19_amd64.deb sha:abf85d9debd23ad5daf2e49972cd3990d7f1e068
- alt-python38-debug_3.8.20-19_amd64.deb sha:b2fb82c1a8f978bda16781f5ab2830991773ad38
- alt-python38-devel_3.8.20-19_amd64.deb sha:2150199d40f5d6955733eee929e7e38cafbc7dc7
- alt-python38-idle_3.8.20-19_amd64.deb sha:cec9c7a3ff743082cd551a4119559ce2b355091d
- alt-python38-libs_3.8.20-19_amd64.deb sha:35620a46afc3ea125d3ff6e0bd906254315cd84a
- alt-python38-test_3.8.20-19_amd64.deb sha:1c00999e06f88a5d6782571c5a8b893903895602
- alt-python38-tkinter_3.8.20-19_amd64.deb sha:eeb916f9adaa89a5e732147aa6cf757e9c28a689
- alt-python38_3.8.20-19_arm64.deb sha:99081132e34ebc7db37b47c70fabea05e5297ead
- alt-python38-debug_3.8.20-19_arm64.deb sha:bc313cfef29f76740f0a2f9953828e427bd90762
- alt-python38-devel_3.8.20-19_arm64.deb sha:de4bcf16cf43dbbd267f747f260901e712b866d3
- alt-python38-idle_3.8.20-19_arm64.deb sha:2e5fb5bc6f01aa1563c0e8295366dea884dd8b7e
- alt-python38-libs_3.8.20-19_arm64.deb sha:efb4c8b196da336bcf3033b00e03b5beba6f79b9
- alt-python38-test_3.8.20-19_arm64.deb sha:0871b6cfcc4ff07929d9c78e434cb1d074e5e977
- alt-python38-tkinter_3.8.20-19_arm64.deb sha:a44b7642fa929dd51b8aeb906ee9e9b46cbfe58f
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.