Release date:
2026-07-06 14:13:05 UTC
Description:
* SECURITY UPDATE: expat billion-laughs / entity-expansion amplification DoS
- debian/patches/CVE-2013-0340.patch: backport libexpat's billion-laughs
attack protection (libexpat PR #466 / 2.4.0) into the bundled expat
2.2.8 tree (Modules/expat/xmlparse.c, expat.h, internal.h). Adds the
accounting machinery, XML_ERROR_AMPLIFICATION_LIMIT_BREACH and the
XML_SetBillionLaughsAttackProtection{MaximumAmplification,
ActivationThreshold} setters (default 100x after 8 MiB). The fix is
applied to the bundled copy (not system expat) so it coexists with the
CloudLinux XML_SetHashSalt16Bytes extension; new public symbols are
namespaced in pyexpatns.h.
- CVE-2013-0340
* SECURITY UPDATE: control characters accepted in wsgiref response headers
- debian/patches/CVE-2026-0865.patch: backport of cpython gh-143916
(GH-143917) and the HTAB follow-up (GH-144762). wsgiref.headers.Headers
(Lib/wsgiref/headers.py) now rejects C0/DEL control characters in header
names and values; HTAB remains legal in values, not names. Adapted to
2.7 (positional _convert_string_type flag, no keyword-only argument).
- CVE-2026-0865
* SECURITY UPDATE: CR/LF injection in HTTP CONNECT tunnel headers
- debian/patches/CVE-2026-1502.patch: backport of cpython gh-146211
(GH-146212). HTTPConnection._tunnel() (Lib/httplib.py) validates the
tunnel host and each tunnel request header with the existing
_contains_disallowed_url_pchar_re / _is_legal_header_name /
_is_illegal_header_value helpers, rejecting control characters.
- CVE-2026-1502
* SECURITY UPDATE: template injection via cookie values in js_output()
- debian/patches/CVE-2026-6019.patch: backport of cpython gh-90309
(GH-148889), on top of CVE-2026-3644. Cookie.Morsel.js_output()
(Lib/Cookie.py) base64-encodes the cookie value and emits it via
atob() so it cannot break out of the JS string literal.
- CVE-2026-6019
* SECURITY UPDATE: bz2 decompressor reuse-after-error stack overflow
- debian/patches/CVE-2026-9669.patch: port of cpython gh-150599
(GH-150600) to the 2.7 bz2 wrapper (Modules/bz2module.c). After libbz2
reports a decompression error the stream is inconsistent and reusing it
can write past the output buffer; the decompressor now records the
error and raises ValueError on any further decompress() call.
- CVE-2026-9669
Updated packages:
-
alt-python27_2.7.18-24_amd64.deb
sha:dafea91942ef80cd12aec88ce66cd8d4f2fc1bb5
-
alt-python27-debug_2.7.18-24_amd64.deb
sha:8ef4b202aaff1edf5dbfc84c4014e90ab1f18197
-
alt-python27-devel_2.7.18-24_amd64.deb
sha:be7d04eb2bad1074bfc3ef0bb7dc3ff42b729464
-
alt-python27-idle_2.7.18-24_amd64.deb
sha:febff3ee1039742794ed3a555818b43808e2d5a3
-
alt-python27-libs_2.7.18-24_amd64.deb
sha:f35c629daf7cea6b38d212de33330d93030e73c0
-
alt-python27-test_2.7.18-24_amd64.deb
sha:b0e9888c3a37a4cec26d06c99e104dbacc2f105d
-
alt-python27-tkinter_2.7.18-24_amd64.deb
sha:c08cedd57a249d3e946a1d76886d5bbaacb86fed
-
alt-python27-tools_2.7.18-24_amd64.deb
sha:efdb8155b792672da6aacc42182cb2e6540e102d
-
alt-python27_2.7.18-24_arm64.deb
sha:67d2da6f0ac96eebd809572a85f5f6c18e01c422
-
alt-python27-debug_2.7.18-24_arm64.deb
sha:2262c748d0c2adadb01613edd4153d2ddc86a096
-
alt-python27-devel_2.7.18-24_arm64.deb
sha:609b431c137ab5b04c5f455215cd2b249fda5d44
-
alt-python27-idle_2.7.18-24_arm64.deb
sha:e40a3d6ec829d75c86fbee5a392e88461cc98e35
-
alt-python27-libs_2.7.18-24_arm64.deb
sha:cdf3107f768ffd65f6097403947b3e7affd4bae8
-
alt-python27-test_2.7.18-24_arm64.deb
sha:6b633f5f744754d92fb3122a27fde099a3c3cf82
-
alt-python27-tkinter_2.7.18-24_arm64.deb
sha:c06054f2d3791bdaef7d4092cce616abf7a263c9
-
alt-python27-tools_2.7.18-24_arm64.deb
sha:130ba26b9ecf747ab4ad960967a5a37db30a314f
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections please contact the
CloudLinux Packaging Team.