[CLSA-2026:1782382453] Fix CVE(s): CVE-2026-9669
Type:
security
Severity:
Important
Release date:
2026-06-25 10:14:28 UTC
Description:
* SECURITY UPDATE: bz2.BZ2Decompressor could be reused after a decompression error. libbz2 leaves the bz_stream in an inconsistent state after reporting an error, so re-entering BZ2_bzDecompress() on that stream could write past the output buffer, a stack buffer overflow (CWE-121). - debian/patches/CVE-2026-9669.patch: backport of cpython 5755d0f083 (gh-150599). Record the libbz2 error code in a new BZ2Decompressor bzerror field, clear needs_input on error, and raise ValueError("Decompressor is unusable after a previous error") on any subsequent decompress() call. - CVE-2026-9669
CVEs fixed:
Updated packages:
  • alt-python39_3.9.23-19_amd64.deb
    sha:a59bbbf2dcc00108947e487779109f5fdcacaf4c
  • alt-python39-debug_3.9.23-19_amd64.deb
    sha:db629e3b59bd43a5bc1f688676d714d749e4b6c2
  • alt-python39-devel_3.9.23-19_amd64.deb
    sha:6f22a64143709fc05673d2bac5e9606de83f9232
  • alt-python39-idle_3.9.23-19_amd64.deb
    sha:c67388295410e328fa1fe8669980039a57c7c7b8
  • alt-python39-libs_3.9.23-19_amd64.deb
    sha:0e3fc460cb7501ddcf4abd3753c72e5b602c6249
  • alt-python39-test_3.9.23-19_amd64.deb
    sha:f7fe8cb2f587d7ed67dae42e32b4c1a83bdbf262
  • alt-python39-tkinter_3.9.23-19_amd64.deb
    sha:70f0e1d8818133ebfb69d65540fa09c4818b4aa8
  • alt-python39_3.9.23-19_arm64.deb
    sha:fff36e001c0768385fb1f1479e2865dfed6d6d21
  • alt-python39-debug_3.9.23-19_arm64.deb
    sha:b99efe19f458ecdab5ef43f0b8b76553b5414dea
  • alt-python39-devel_3.9.23-19_arm64.deb
    sha:b68b1fb39f201981f02c55bae1810db6ed39062d
  • alt-python39-idle_3.9.23-19_arm64.deb
    sha:d7e85e7d4714677975f4bddc8393026564b84beb
  • alt-python39-libs_3.9.23-19_arm64.deb
    sha:71f7f871ced03aecde7b4281ca0186a0b8c2530b
  • alt-python39-test_3.9.23-19_arm64.deb
    sha:55505637c2fb092ed77754927e529d3dcf3115bf
  • alt-python39-tkinter_3.9.23-19_arm64.deb
    sha:305787bb002633a04ebe0a281fe3a70cd4bc2e1a
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.