[CLSA-2026:1782378789] Fix CVE(s): CVE-2026-9669
Type:
security
Severity:
Important
Release date:
2026-06-25 09:13:24 UTC
Description:
* SECURITY UPDATE: bz2.BZ2Decompressor could write out of bounds (stack buffer overflow, CWE-121) when reused after a decompression error. Re-entering BZ2_bzDecompress() on a stream that libbz2 had already reported an error on left the internal state inconsistent. - debian/patches/CVE-2026-9669.patch: backport of cpython 5755d0f083949ff3c5bf3a37e673e24e306b036e (gh-150599). Records the libbz2 error in a new bzerror field and marks the decompressor unusable, so a subsequent decompress() raises ValueError instead of re-entering the corrupted stream. - CVE-2026-9669
CVEs fixed:
Updated packages:
  • alt-python38_3.8.20-21_amd64.deb
    sha:878e094699c8ad86b70775b10a1a898b1ec1d922
  • alt-python38-debug_3.8.20-21_amd64.deb
    sha:e51f24a046a80ce05b705f479f9e3858db7a3270
  • alt-python38-devel_3.8.20-21_amd64.deb
    sha:4a634bfc37c53a6b4ff8db5dd2a49d8b9d2381c0
  • alt-python38-idle_3.8.20-21_amd64.deb
    sha:7824779bce9caec35b59b4f93b4e697e4f828a02
  • alt-python38-libs_3.8.20-21_amd64.deb
    sha:3239850b52f0d03917c769ca99a4f4d64fc7c26f
  • alt-python38-test_3.8.20-21_amd64.deb
    sha:a7f1d30c65cde161101829cf847b1d3d3bb99fae
  • alt-python38-tkinter_3.8.20-21_amd64.deb
    sha:f1ddacf2be723bdff05c21db8615393ea8561801
  • alt-python38_3.8.20-21_arm64.deb
    sha:25be59b2adc8351a8fcb032bd1f46fa5eb1458f6
  • alt-python38-debug_3.8.20-21_arm64.deb
    sha:4f14c5e0ac7dbddb44d209e450aa7c5b92020725
  • alt-python38-devel_3.8.20-21_arm64.deb
    sha:4f03c66df7fff09d5e45252db2605c7f7b269f0a
  • alt-python38-idle_3.8.20-21_arm64.deb
    sha:d253a322c0f99d06d7cb07d0bac4b50fe2b0983d
  • alt-python38-libs_3.8.20-21_arm64.deb
    sha:3522832b6e32456a7f82f57fb495d77fd7db252a
  • alt-python38-test_3.8.20-21_arm64.deb
    sha:9f88fba1a471ae8c544c0cb2d0e69ecc6b4abe59
  • alt-python38-tkinter_3.8.20-21_arm64.deb
    sha:2c50122652f8520a92e0c39b661e9015d37e4b12
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.