Release date:
2026-06-24 09:23:15 UTC
Description:
* SECURITY UPDATE: a bz2.BZ2Decompressor could be reused after a libbz2
decompression error. Re-entering BZ2_bzDecompress() once libbz2 had
reported an error could write past the end of a stack buffer
(CWE-121, possible stack buffer overflow).
- debian/patches/CVE-2026-9669.patch: backport of cpython
5755d0f0 (gh-150599, Stan Ulbrych). Records the libbz2 error in a
new bzerror field, clears needs_input on the error path, and makes
decompress() raise ValueError ("Decompressor is unusable after a
previous error") on any subsequent call. Adapted to 3.6: plain
needs_input reset (no free-threading atomics) and the existing
ACQUIRE_LOCK/RELEASE_LOCK wrappers; NEWS.d fragment omitted as
3.6.15 ships a single Misc/NEWS.
- CVE-2026-9669
Updated packages:
-
alt-python36_3.6.15-39_amd64.deb
sha:38da3bbb2043ef209d5a8589d4055ad02452e42d
-
alt-python36-debug_3.6.15-39_amd64.deb
sha:58bda9104cccf68d0b8742934cf315066553df61
-
alt-python36-devel_3.6.15-39_amd64.deb
sha:fc37ec91efc68bb069a084f1fa8dd1e6e0b01fb2
-
alt-python36-libs_3.6.15-39_amd64.deb
sha:6668b834aee49820b60e96e2ad0ae4e16e52e043
-
alt-python36-test_3.6.15-39_amd64.deb
sha:4f5cc34a72fcc2a7f25c27dffc11a41976bae15f
-
alt-python36-tkinter_3.6.15-39_amd64.deb
sha:2cfb1df0f3b08f0d71642aaf701e6dc255bf31a5
-
alt-python36-tools_3.6.15-39_amd64.deb
sha:a6e10ace138412c00ccda9412c642154bcdcb6ce
-
alt-python36_3.6.15-39_arm64.deb
sha:552cc17093d8856be2a2a7871db8876defa5f9f1
-
alt-python36-debug_3.6.15-39_arm64.deb
sha:8236470f91fcc7a3f1a9b6089f5dfd8b0d2e7059
-
alt-python36-devel_3.6.15-39_arm64.deb
sha:b81659ae0474c93b5dfc9ef8694e4c59e9d6ca9a
-
alt-python36-libs_3.6.15-39_arm64.deb
sha:0d4f43712ca9713fcb64b0ad392aa54e2383e580
-
alt-python36-test_3.6.15-39_arm64.deb
sha:554ce72ccae29eea64710c04e41c8981dc2c4e74
-
alt-python36-tkinter_3.6.15-39_arm64.deb
sha:a68a3855872d846fff36beda8fe96bd119139d0f
-
alt-python36-tools_3.6.15-39_arm64.deb
sha:f337a993857064b6a9569f3f62f6371106531dbf
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections please contact the
CloudLinux Packaging Team.