[CLSA-2026:1781518013] Fix CVE(s): CVE-2025-15366, CVE-2025-15367
Type:
security
Severity:
Important
Release date:
2026-06-15 10:08:09 UTC
Description:
* SECURITY UPDATE: imaplib.IMAP4._command() concatenated each command argument into the wire-level command without inspecting it, so a caller passing user-controlled text could inject additional IMAP commands using CR/LF or other control characters. - debian/patches/CVE-2025-15366.patch: backport of cpython 6262704b (gh-143921, Seth Larson). Adds a module-level _control_chars regex and rejects any byte in [\x00-\x1F\x7F] with ValueError before concatenating each argument. Upstream-main-only fix; mirrors Red Hat's python3-3.6.8-21.el7_9.4 (RHSA-2026:6464). - CVE-2025-15366 * SECURITY UPDATE: poplib.POP3._putcmd() encoded its argument and sent it to the server without inspecting it, allowing the same command injection via user() / pass_() / apop() / rpop() / top(). - debian/patches/CVE-2025-15367.patch: backport of cpython b234a2b6 (gh-143923, Seth Larson). Rejects any byte in [\x00-\x1F\x7F] with ValueError before sending. Upstream-main-only fix; mirrors Red Hat's python3-3.6.8-21.el7_9.4 (RHSA-2026:6464). - CVE-2025-15367
Updated packages:
  • alt-python36_3.6.15-38_amd64.deb
    sha:f94b66879746ac8374854dec92a2c1258fc833f6
  • alt-python36-debug_3.6.15-38_amd64.deb
    sha:74109589c50fe839d43604f358ceb641ee65db98
  • alt-python36-devel_3.6.15-38_amd64.deb
    sha:ca009ad7dcbba171859379e63804f17399f6417a
  • alt-python36-libs_3.6.15-38_amd64.deb
    sha:cb5425d12c122a84475ce7a9d41eef8a3668c5f5
  • alt-python36-test_3.6.15-38_amd64.deb
    sha:99450d7363c500f0af18a243b4386cc39ea44656
  • alt-python36-tkinter_3.6.15-38_amd64.deb
    sha:f7183f3af292e9005e1e8fb782bf40643591e524
  • alt-python36-tools_3.6.15-38_amd64.deb
    sha:134c05ab6348aaddcfefca6815cebc53cca8f398
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.