Release date: 2026-06-03 17:18:26 UTC
Description:
* SECURITY UPDATE: rework the CVE-2026-7210 fix so the
XML_SetHashSalt16Bytes code path is no longer inert when the linked
libexpat does not bump XML_COMBINED_VERSION to 2.8.0 (Alpine system
libexpat).
- debian/patches/CVE-2026-7210.patch: rewritten. Declares
XML_SetHashSalt16Bytes as __attribute__((weak)) at the top of
Modules/pyexpat.c and replaces the compile-time
XML_COMBINED_VERSION / XML_HAS_SET_HASH_SALT_16_BYTES gate with a
single runtime "if (... != NULL)" check at every call site
(newxmlparseobject in pyexpat.c, the pyexpat C-API capsule init,
and _elementtree.c). RPM / Debian builds keep 16-byte mitigation
via bundled libexpat 2.5.0 + CVE-2026-41080; Alpine activates
the 16-byte path automatically the moment the system libexpat
ships the entropy fix; libexpat without the symbol falls back
to the legacy 8-byte XML_SetHashSalt path (no regression).
- CVE-2026-41080.patch is unchanged.
- CVE-2026-7210
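The reworked patch decides at runtime whether the linked libexpat exports XML_SetHashSalt16Bytes. An operator on an Alpine build (system libexpat) can answer the same question from Python with the probe below. This is an added example, not code from this changelog, from the alt-python37 package or from CPython: the symbol names XML_SetHashSalt16Bytes and XML_SetHashSalt come from the entry above, while the helper names and the "16-byte" / "8-byte" / "none" labels are my own.

```python
import ctypes
import ctypes.util
import pyexpat

# Added example, not code from the alt-python37 package or from CPython.
# It probes, the way the reworked CVE-2026-7210 patch does in C with a
# weak symbol, whether the libexpat visible to this interpreter exports
# the 16-byte XML_SetHashSalt16Bytes entry point or only the legacy
# 8-byte XML_SetHashSalt. Helper names and result labels are my own.


def exports_symbol(lib, name):
    """True if dlsym() on `lib` resolves `name`.

    ctypes raises AttributeError for an unresolvable symbol, so hasattr()
    is exactly the "!= NULL" test the C patch performs on the weak symbol.
    """
    return hasattr(lib, name)


def salt_path(lib):
    """Which hash-salt entry point a weak-symbol check would select for `lib`."""
    if exports_symbol(lib, "XML_SetHashSalt16Bytes"):
        return "16-byte"
    if exports_symbol(lib, "XML_SetHashSalt"):
        return "8-byte"
    return "none"


def load_system_expat():
    """Load the system libexpat through the dynamic loader, or None if absent."""
    name = ctypes.util.find_library("expat") or "libexpat.so.1"
    try:
        return ctypes.CDLL(name)
    except OSError:
        return None


def process_handle():
    """Global symbol namespace of the running process (dlopen(NULL))."""
    return ctypes.CDLL(None)


def report():
    """Human-readable summary; returned as lines so callers can inspect it."""
    lib = load_system_expat()
    lines = [
        # XML_ExpatVersion() of the library pyexpat actually loaded
        "libexpat reported by pyexpat: %s" % pyexpat.EXPAT_VERSION,
        "system libexpat loadable: %s" % (lib is not None),
    ]
    if lib is not None:
        lines.append("hash-salt path a weak-symbol check would take: %s"
                     % salt_path(lib))
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

"16-byte" means the weak reference resolves and the reworked path is live; "8-byte" means the build is on the legacy XML_SetHashSalt fallback the entry describes as the no-regression case. On RPM / Debian builds the probe inspects the system library, not the bundled libexpat 2.5.0 linked into pyexpat, so there the pyexpat.EXPAT_VERSION line is the relevant one.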
* SECURITY UPDATE: urllib.parse.urlsplit / urlparse accepted bracketed
hosts that were not valid IPv6 / IPvFuture, enabling SSRF and
parser-differential attacks.
- debian/patches/CVE-2024-11168.patch: backport of cpython 3.11
b2171a2 (gh-103848, Seth Larson).
- CVE-2024-11168
* SECURITY UPDATE: bundled libexpat 2.5.0 crashes in XML_ResumeParser
when XML_StopParser is called on an unstarted parser (NULL deref).
- debian/patches/CVE-2024-50602.patch: backport of libexpat
51c70190 (PR #915). Alpine builds use system expat
(--with-system-expat) so this hardening affects only the
bundled-expat path used by RPM/Debian builds.
- CVE-2024-50602
* SECURITY UPDATE: urllib.parse.urlsplit / urlparse continued to accept
domain names containing square brackets after the CVE-2024-11168
fix; follow-up that completes the validation.
- debian/patches/CVE-2025-0938.patch: backport of cpython 3.10
b8b4b71 (gh-105704).
- CVE-2025-0938
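The two urllib.parse entries above (CVE-2024-11168 and this follow-up, CVE-2025-0938) together tighten one rule: text inside square brackets must be an IPv6 literal or an IPvFuture, and brackets may only delimit the whole host, never sit inside a domain name or be followed by anything other than a port. The script below is an added example that reimplements that rule under my own function names; it is a reconstruction for illustration, not the backported CPython code, and the sample URLs are constructed.

```python
import ipaddress
import re

# Added example, not code from the alt-python37 package or from CPython.
# Reimplements, under my own names, the checks the CVE-2024-11168 and
# CVE-2025-0938 backports add to urllib.parse.urlsplit.

# RFC 3986 IPvFuture: "v" HEXDIG+ "." (unreserved / sub-delims / ":")+
_IPVFUTURE = re.compile(r"\Av[0-9A-Fa-f]+\.[A-Za-z0-9\-._~!$&'()*+,;=:]+\Z")


def check_bracketed_host(host):
    """Raise ValueError unless `host` (text between [ and ]) is IPv6 or IPvFuture."""
    if host[:1] in ("v", "V"):
        if not _IPVFUTURE.match(host):
            raise ValueError("IPvFuture address is invalid")
        return
    # ipaddress accepts IPv4 and IPv6 literals and rejects everything else,
    # so a hostname such as example.com fails here (CVE-2024-11168).
    if isinstance(ipaddress.ip_address(host), ipaddress.IPv4Address):
        raise ValueError("An IPv4 address cannot be in brackets")


def check_netloc(netloc):
    """Raise ValueError if brackets appear anywhere but around the entire host."""
    hostinfo = netloc.rpartition("@")[2]            # strip userinfo
    before, has_open, rest = hostinfo.partition("[")
    if not has_open:
        if "]" in hostinfo:
            raise ValueError("Invalid IPv6 URL")    # stray closing bracket
        return
    if before:
        raise ValueError("Invalid IPv6 URL")        # e.g. example[.]com (CVE-2025-0938)
    host, has_close, after = rest.partition("]")
    if not has_close or "[" in after or "]" in after:
        raise ValueError("Invalid IPv6 URL")        # unbalanced or repeated brackets
    if after and not after.startswith(":"):
        raise ValueError("Invalid IPv6 URL")        # only :port may follow the bracket
    check_bracketed_host(host)


def netloc_of(url):
    """Authority component of `url` (after // and before the path/query/fragment)."""
    if "//" not in url:
        return ""
    authority = url.split("//", 1)[1]
    for sep in "/?#":
        authority = authority.split(sep, 1)[0]
    return authority


def accepts(url):
    """True if the hardened parser would accept `url`, False if it would raise."""
    try:
        check_netloc(netloc_of(url))
        return True
    except ValueError:
        return False


# Constructed inputs, not taken from the advisory.
SAMPLES = {
    "http://[::1]:8080/": True,
    "http://user@[2001:db8::1]/path": True,
    "http://[v1.fe80::a+en1]/": True,
    "http://example.com:80/": True,
    "http://[example.com]/": False,     # CVE-2024-11168: hostname inside brackets
    "http://[127.0.0.1]/": False,       # IPv4 literal may not be bracketed
    "http://example[.]com/": False,     # CVE-2025-0938: brackets inside a domain name
    "http://[::1]evil.test/": False,    # data after the bracket that is not a port
}

if __name__ == "__main__":
    for url, _expected in SAMPLES.items():
        print("%-36s %s" % (url, "accepted" if accepts(url) else "rejected"))
```

Run it against the same URLs with the packaged interpreter's own urllib.parse.urlsplit to confirm the backports are active: a patched 3.7.17-21 raises ValueError on every URL this script rejects. The parser-differential risk in the original entry is visible in the last two samples, where a lax parser would hand "example[.]com" or "[::1]evil.test" to a resolver that reads them differently from the validator.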
* SECURITY UPDATE: bytes.decode("unicode_escape", errors="ignore" or
"replace") could trigger a use-after-free when the error handler
reallocated the input buffer.
- debian/patches/CVE-2025-4516.patch: backport of cpython 3.9
8d35fd1b (gh-129648, Serhiy Storchaka). Captures the initial
starts pointer and only stores *first_invalid_escape when
starts == initial_starts.
- CVE-2025-4516
* SECURITY UPDATE: ftplib.ftpcp() was not updated when CVE-2021-4189
was fixed; still passed raw server-supplied PASV host / port to
target.sendport().
- debian/patches/CVE-2026-8328.patch: backport of cpython
eac4fe3b (gh-87451, PR #149648). Applies the CVE-2021-4189
hardening to ftpcp() using source.sock.getpeername()[0]
unless trust_server_pasv_ipv4_address is set.
- CVE-2026-8328
Updated packages:
- alt-python37_3.7.17-21_amd64.deb  sha:05a50c99ba3e763921cc4cdc8de7214ede296a00
- alt-python37-debug_3.7.17-21_amd64.deb  sha:e54df1edd18ceb0c791982f4dbfa7fbd641d19fe
- alt-python37-devel_3.7.17-21_amd64.deb  sha:283ff98daf62ebca0adb67a53cab5892e7bb9f83
- alt-python37-libs_3.7.17-21_amd64.deb  sha:a56e5f1cd1b2919ff2a0894b490483128de68f6a
- alt-python37-test_3.7.17-21_amd64.deb  sha:b72d99da77d21bb8b073ff425bab71699c1039a1
- alt-python37-tkinter_3.7.17-21_amd64.deb  sha:69daef70b89112aa5ddbdb8a0695a0669ac61067
- alt-python37-tools_3.7.17-21_amd64.deb  sha:566496782f593211915519e44d4ae04afeade2c6
- alt-python37_3.7.17-21_arm64.deb  sha:660a49361d0618852531adc3313a8460986b5bc5
- alt-python37-debug_3.7.17-21_arm64.deb  sha:8bfd4aa3ca6cf53361c6e250cbc5369c073a5261
- alt-python37-devel_3.7.17-21_arm64.deb  sha:90033df74ff002e8a0e6ff770e5000e6e6831561
- alt-python37-libs_3.7.17-21_arm64.deb  sha:7b7ac0c1ed394e986e3b997fda276d34672253f8
- alt-python37-test_3.7.17-21_arm64.deb  sha:d0c4066e3d302621410b4c80fcbe2ee2c3d38a0b
- alt-python37-tkinter_3.7.17-21_arm64.deb  sha:ee1cef8116ecc3627047e34c06acc62d2830b675
- alt-python37-tools_3.7.17-21_arm64.deb  sha:e7a064077ce12ab7d15defc3246fa08d686248c0
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.