[CLSA-2026:1780310801] Fix CVE(s): CVE-2026-7210
Type:
security
Severity:
Critical
Release date:
2026-06-01 10:46:53 UTC
Description:
* SECURITY UPDATE: xml.parsers.expat and xml.etree.ElementTree used insufficient entropy for the Expat hash-flooding salt (only the 8-byte Py_hash_t field _Py_HashSecret.expat.hashsalt was passed to XML_SetHashSalt), allowing a crafted XML document to trigger hash flooding in Expat's internal hash tables. Full mitigation requires libexpat 2.8.0+ at runtime (or a distro-backported equivalent that exports XML_SetHashSalt16Bytes).
  - debian/patches/CVE-2026-7210.patch: backport of cpython 24b8f12544 (gh-149018, Stan Ulbrych). Adds a 16-byte hashsalt16 field to _Py_HashSecret.expat and prefers the new XML_SetHashSalt16Bytes API in both Modules/pyexpat.c (newxmlparseobject + capi export) and Modules/_elementtree.c (XMLParser.__init__); the legacy XML_SetHashSalt path is kept as fallback when the loaded libexpat does not export the new symbol. The symbol is declared __attribute__((weak)) in Modules/pyexpat.c so the same source path works whether the build links against bundled libexpat 2.8.0+ or a distro libexpat 2.5/2.7 that backports the entropy fix without bumping XML_COMBINED_VERSION (Debian, Ubuntu, RHEL/CL, Alpine).
  - CVE-2026-7210
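The runtime condition stated in the description (libexpat 2.8.0+, or a backport that exports XML_SetHashSalt16Bytes) can be checked from the interpreter itself. The following is an added example, not part of the advisory or of the CPython patch; the function names and verdict strings are made up for illustration, and only the symbol name and the 2.8.0 threshold come from the text above.

```python
import ctypes
import pyexpat

NEW_API = "XML_SetHashSalt16Bytes"  # symbol name as given in the advisory
FIXED_UPSTREAM = (2, 8, 0)          # libexpat release the advisory names


def exports_new_api(module=pyexpat):
    """True/False when the symbol lookup ran, None when it could not be done."""
    # __file__ is absent when pyexpat is compiled into the interpreter; a
    # None path makes ctypes search the running process instead (POSIX).
    path = getattr(module, "__file__", None)
    try:
        handle = ctypes.CDLL(path)  # dlopen(): the object plus its dependencies
    except (OSError, TypeError):
        return None
    return hasattr(handle, NEW_API)


def assess(expat_version, has_new_api):
    """Classify the runtime half of the fix from the two observable facts."""
    if tuple(expat_version) >= FIXED_UPSTREAM:
        return "ok-version"        # libexpat 2.8.0+ loaded
    if has_new_api is True:
        return "ok-backport"       # older version number, new symbol exported
    if has_new_api is False:
        return "legacy-salt-only"  # only the XML_SetHashSalt fallback is possible
    return "unknown"               # lookup failed; inspect the library by hand


def report():
    """Collect what this interpreter actually loaded."""
    has_api = exports_new_api()
    version = tuple(pyexpat.version_info)
    return {
        "expat_string": pyexpat.EXPAT_VERSION,
        "expat_version": version,
        "has_new_api": has_api,
        "verdict": assess(version, has_api),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Run it with the alt-python38 interpreter. It inspects only the libexpat that interpreter loaded, so the installed package version still has to be confirmed separately.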
CVEs fixed:
CVE-2026-7210
Updated packages:
  • alt-python38_3.8.20-17_amd64.deb
    sha:7c9597f17fd512254cc79600bfec1d00f45497a9
  • alt-python38-debug_3.8.20-17_amd64.deb
    sha:dd00bcdd96e8e88a0253245df5a853d0fa986394
  • alt-python38-devel_3.8.20-17_amd64.deb
    sha:9fffa4ca4107468eb4cfd5a590d0387227771539
  • alt-python38-idle_3.8.20-17_amd64.deb
    sha:946f7c7ce4e9666c1fa60d81fe33d4d1766a8378
  • alt-python38-libs_3.8.20-17_amd64.deb
    sha:9f562414284e6eada4306099a4dc7af1c652522b
  • alt-python38-test_3.8.20-17_amd64.deb
    sha:cab0298143ec161229f597836c8897b67d095edc
  • alt-python38-tkinter_3.8.20-17_amd64.deb
    sha:c1c122e00d70647034a6de196feb4b85585bb80e
  • alt-python38_3.8.20-17_arm64.deb
    sha:f6113d1cf0aa6af780dfb740f4ea6e9a35b74f15
  • alt-python38-debug_3.8.20-17_arm64.deb
    sha:d75c2537abcbd870a3ae1e726badfc4d8ec4426b
  • alt-python38-devel_3.8.20-17_arm64.deb
    sha:59fc8539beeb31c1be3c0c6c91bf192fd96e46a4
  • alt-python38-idle_3.8.20-17_arm64.deb
    sha:7c79030036661a741a64f3c2b3afa9014492eace
  • alt-python38-libs_3.8.20-17_arm64.deb
    sha:ae0af7a690af16815dd145b002b8c14b939a89c0
  • alt-python38-test_3.8.20-17_arm64.deb
    sha:9e23c349fb455fb164d8e93b7b9d56882f1a803f
  • alt-python38-tkinter_3.8.20-17_arm64.deb
    sha:f93e6ee98982a687966b8f7d48e2fb7c363006bf
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.