[CLSA-2026:1782295188] Fix CVE(s): CVE-2026-9669
Type:
security
Severity:
Important
Release date:
2026-06-24 10:00:05 UTC
Description:
* SECURITY UPDATE: a bz2.BZ2Decompressor could be reused after a libbz2 decompression error. Re-entering BZ2_bzDecompress() once libbz2 had reported an error could write past the end of a stack buffer (CWE-121, possible stack buffer overflow). - debian/patches/CVE-2026-9669.patch: backport of cpython 5755d0f0 (gh-150599, Stan Ulbrych). Records the libbz2 error in a new bzerror field, clears needs_input on the error path, and makes decompress() raise ValueError ("Decompressor is unusable after a previous error") on any subsequent call. Adapted to 3.6: plain needs_input reset (no free-threading atomics) and the existing ACQUIRE_LOCK/RELEASE_LOCK wrappers; NEWS.d fragment omitted as 3.6.15 ships a single Misc/NEWS. - CVE-2026-9669
CVEs fixed:
Updated packages:
  • alt-python36_3.6.15-39_amd64.deb
    sha:78ac3c0d9320bb87f6bfc920a2f319f6e65b0b33
  • alt-python36-debug_3.6.15-39_amd64.deb
    sha:98054e3d9873a8975b9d07bffbf1ea97de4df2b5
  • alt-python36-devel_3.6.15-39_amd64.deb
    sha:e0f360a8c628c99fd7ca23c4c92d76428f6ecc3f
  • alt-python36-libs_3.6.15-39_amd64.deb
    sha:e76e3b700c7002f08e16b22c18ed114d27dd00f2
  • alt-python36-test_3.6.15-39_amd64.deb
    sha:b895bb7e51934ac15517a950e7f68a0d0a0f9437
  • alt-python36-tkinter_3.6.15-39_amd64.deb
    sha:9cc128c153f842f649c855d261ed208ad46f5d33
  • alt-python36-tools_3.6.15-39_amd64.deb
    sha:80e06d69d689ef3ed02541a70b14c84495d8af9f
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.