Release date: 2026-06-04 11:12:49 UTC
Description:
* SECURITY UPDATE: urllib.parse.urlsplit()/urlparse() did not validate
that bracketed [...] hosts were valid IPv6 or IPvFuture, enabling
SSRF-relevant differential parsing.
- debian/patches/CVE-2024-11168.patch: backport of cpython
29f348e232 (gh-103848, John James Utley). Adds _check_bracketed_host()
and calls it from urlsplit(); also backports ipaddress.IPv6Address
scope-id support (_split_scope_id) needed by the new check.
- CVE-2024-11168
* SECURITY UPDATE: follow-up to CVE-2024-11168; urlsplit()/urlparse()
still accepted square brackets in non-IPv6 hostnames, enabling
differential parsing across URL parsers.
- debian/patches/CVE-2025-0938.patch: backport of cpython
d89a5f6a6e (gh-105704, Seth Larson). Adds _check_bracketed_netloc()
to reject brackets that don't enclose a valid IPv6/IPvFuture host.
- CVE-2025-0938
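The two urlsplit() entries above describe the same class of bug: brackets in the authority part that do not enclose a valid IPv6 or IPvFuture literal, which lets two parsers disagree about the host (the SSRF-relevant differential). The following added example (not code from CPython, the CloudLinux packages, or the backported patches) shows the check a defender can apply to the parsed netloc, modelled on what the backports do: accept only a bracketed IPv6 address (with optional zone id) or an IPvFuture literal, and reject any other use of brackets. The helper names and the regex are this example's own.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# IPvFuture literal per RFC 3986 section 3.2.2:
#   "v" 1*HEXDIG "." 1*( unreserved / sub-delims / ":" )
_IPVFUTURE = re.compile(r"v[0-9A-Fa-f]+\.[A-Za-z0-9\-._~!$&'()*+,;=:]+\Z")


def is_valid_bracketed_host(inner):
    """True if the text between '[' and ']' is an IPv6 literal (optionally
    with a '%zone' id) or an IPvFuture literal; anything else is rejected."""
    if _IPVFUTURE.match(inner):
        return True
    # Split off the zone id here so the check also works on interpreters
    # whose ipaddress module predates scope-id support.
    addr, _, _zone = inner.partition("%")
    try:
        ipaddress.IPv6Address(addr)
    except ValueError:
        return False
    return True


def validated_host(url):
    """Return the host of `url`; raise ValueError when square brackets appear
    in the authority without enclosing a valid IPv6/IPvFuture host.
    (An already-patched interpreter may raise inside urlsplit() instead,
    which is the same outcome for the caller.)"""
    hostport = urlsplit(url).netloc.rpartition("@")[2]  # drop userinfo
    if "[" not in hostport and "]" not in hostport:
        return hostport.partition(":")[0]  # plain host with optional :port
    if not hostport.startswith("["):
        raise ValueError("bracket outside a bracketed host: %r" % hostport)
    end = hostport.find("]")
    if end == -1:
        raise ValueError("unterminated bracketed host: %r" % hostport)
    inner, rest = hostport[1:end], hostport[end + 1:]
    if rest and (not rest.startswith(":") or "[" in rest or "]" in rest):
        raise ValueError("unexpected text after bracketed host: %r" % hostport)
    if not is_valid_bracketed_host(inner):
        raise ValueError("bracketed host is not IPv6/IPvFuture: %r" % inner)
    return inner


def host_is_acceptable(url):
    """Convenience wrapper: True if validated_host() accepts the URL."""
    try:
        validated_host(url)
    except ValueError:
        return False
    return True
```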
* SECURITY UPDATE: email._header_value_parser folded address-list
separator commas through encoded-word, so the separating comma could
be unicode-encoded and misinterpreted by mail servers.
- debian/patches/CVE-2025-1795.patch: backport of cpython
09fab93c3d (gh-100884) plus the bundled regression follow-up
858b9e85fc (gh-118643) which fixes the AttributeError that
gh-100884 introduced when re-folding long address lists. Sets
ListSeparator.as_ew_allowed to False and routes the list-
separator token through the named constant.
- CVE-2025-1795
* SECURITY UPDATE: when folding a long email-header comment composed
of unfoldable characters, email._header_value_parser dropped the
enclosing parenthesis (and could omit the required leading space),
enabling header injection.
- debian/patches/CVE-2025-11468.patch: backport of cpython
61614a5e50 (gh-143935). Adds make_parenthesis_pairs() and a
comment-folding branch in _refold_parse_tree() that re-emits
parentheses around comment subparts.
- CVE-2025-11468
* SECURITY UPDATE: use-after-free in the unicode-escape decoder when
an error handler ('ignore'/'replace') was used.
- debian/patches/CVE-2025-4516.patch: backport of cpython
0d5d68f707 (gh-133767, Serhiy Storchaka). Replaces the buffer
pointer with an integer (first_invalid_escape_char) plus a
starts==initial_starts guard; adds binary-compat wrappers
_PyBytes_DecodeEscape2 and _PyUnicode_DecodeUnicodeEscapeInternal2.
- CVE-2025-4516
* SECURITY UPDATE: html.parser.HTMLParser had worst-case quadratic
complexity on crafted malformed input (e.g. unterminated tags or
comments at EOF), enabling amplified DoS.
- debian/patches/CVE-2025-6069.patch: backport of cpython
8d1b3dfa09 (gh-135462). Replaces the EOF-handling branch with
starttagopen.match/endtagopen.match/bogus-comment handling.
- CVE-2025-6069
Updated packages:
- alt-python38_3.8.20-18_amd64.deb sha:f93d991ff3eb5ee1a5d8028620af500cb917f50e
- alt-python38-debug_3.8.20-18_amd64.deb sha:a394cf1b740371e46aa0aaef0df70eaeeb1b95ad
- alt-python38-devel_3.8.20-18_amd64.deb sha:c451336947d34837216e50072da338d9104bcd19
- alt-python38-idle_3.8.20-18_amd64.deb sha:7c3439d77221cf7ddd9d22b5d1dd7405ce50a8d0
- alt-python38-libs_3.8.20-18_amd64.deb sha:ebe840eef0c3a4ca920476fec641a1cff1c78ce7
- alt-python38-test_3.8.20-18_amd64.deb sha:adf3334409d61123f49804b13bb70de4e9c88c7a
- alt-python38-tkinter_3.8.20-18_amd64.deb sha:c8028bf359c9643f84460d10e8a80c396745cffc
- alt-python38_3.8.20-18_arm64.deb sha:38227d775aa8ccb317134a98aaa3a6258364889a
- alt-python38-debug_3.8.20-18_arm64.deb sha:93a4837755ef922603e9c3b22fc154485a92051a
- alt-python38-devel_3.8.20-18_arm64.deb sha:cac1cdbceb65c1fbc4529b29725113b49f678739
- alt-python38-idle_3.8.20-18_arm64.deb sha:5bd4fc90d70abff1d451084a8094edacdfa4b2bb
- alt-python38-libs_3.8.20-18_arm64.deb sha:12726a2758a7c1857a7b96fa8422a12d6c69f6fa
- alt-python38-test_3.8.20-18_arm64.deb sha:c6da7ae89abb712e9b26415c042825cb0fad182b
- alt-python38-tkinter_3.8.20-18_arm64.deb sha:6f631c2e9988c004b73131bbe6e6b3528cffb5d1
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.