[CLSA-2026:1782998194] Fix CVE(s): CVE-2024-11168, CVE-2024-50602, CVE-2025-0938
Type:
security
Severity:
Moderate
Release date:
2026-07-02 13:16:54 UTC
Description:
* SECURITY UPDATE: improper validation of bracketed hosts in urlparse - debian/patches/CVE-2024-11168.patch: backport of cpython b2171a2fd4 (gh-103848). urlparse.urlsplit() accepted bracketed hosts that are neither valid IPv6 nor IPvFuture literals. Adds _check_bracketed_host() to Lib/urlparse.py, called from both the "http" fast-path and the generic branch. Python 2.7 has no ipaddress module, so the bracket content is validated with socket.inet_pton() (IPv4 in brackets rejected; otherwise must parse as IPv6). - CVE-2024-11168 * SECURITY UPDATE: NULL deref in bundled libexpat XML_StopParser - debian/patches/CVE-2024-50602.patch: backport of libexpat PR #915 (51c7019069b8) into the bundled Modules/expat/ (2.2.8). XML_StopParser() on a parser in the XML_INITIALIZED state left it in a state where XML_ResumeParser() crashed via a NULL dereference. XML_StopParser() now refuses to stop/suspend an unstarted parser, returning the new XML_ERROR_NOT_STARTED. - CVE-2024-50602 * SECURITY UPDATE: square brackets allowed in parsed URL domain names - debian/patches/CVE-2025-0938.patch: backport of cpython b8b4b713c5 (gh-105704). Completes CVE-2024-11168 by rejecting square brackets in plain domain names. Adds _check_bracketed_netloc() to Lib/urlparse.py (mirroring NetlocResultMixins._hostinfo()) and uses it in both branches of urlsplit() in place of the inline bracket extraction. - CVE-2025-0938
Updated packages:
  • alt-python27_2.7.18-22_amd64.deb
    sha:428046a1aa8fab69b0950e4dc90677b7df8f695e
  • alt-python27-debug_2.7.18-22_amd64.deb
    sha:3c089d33cbf1711ecc28b6b024eae3d13dc54e45
  • alt-python27-devel_2.7.18-22_amd64.deb
    sha:84cbd360078bc062564fc6d20bc89cbfe5bdad9c
  • alt-python27-idle_2.7.18-22_amd64.deb
    sha:d5e089f9684c0dddd5959fea25c00b798adc437e
  • alt-python27-libs_2.7.18-22_amd64.deb
    sha:6c36461fbc6440c4f04785afa5cf1ca83edc6ff5
  • alt-python27-test_2.7.18-22_amd64.deb
    sha:de6fd0a4dec67292ad5c198fc06c6ad727d57b0a
  • alt-python27-tkinter_2.7.18-22_amd64.deb
    sha:7ddbf4d51cae479bf5cc6547cffc312443e3b78d
  • alt-python27-tools_2.7.18-22_amd64.deb
    sha:0830b8d162f139173d0e32c33e8b6985a92bac4b
  • alt-python27_2.7.18-22_arm64.deb
    sha:c0d004c6bd52f3d7c047afef76b6b796e5a441fa
  • alt-python27-debug_2.7.18-22_arm64.deb
    sha:afa0e1e69bf60b56ab1248b84e483516934090c7
  • alt-python27-devel_2.7.18-22_arm64.deb
    sha:377724c4d0408391e94fbb44c3888e41b59b9258
  • alt-python27-idle_2.7.18-22_arm64.deb
    sha:ce4ac4fc28f12cb89fc58d5626d7e3490e871b4b
  • alt-python27-libs_2.7.18-22_arm64.deb
    sha:41679111d7d47c1cbd02cb3b3231df48fba33298
  • alt-python27-test_2.7.18-22_arm64.deb
    sha:fdf4544669d6b8fd3907734f306e1c6f41e83eae
  • alt-python27-tkinter_2.7.18-22_arm64.deb
    sha:211ed2a6bc6fae0101504b45684a9ebdccc5d1e1
  • alt-python27-tools_2.7.18-22_arm64.deb
    sha:07c1864f47443f84efda4fa6ecfc0902404d3d54
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.