Release date:
2026-06-24 10:19:51 UTC
Description:
* SECURITY UPDATE: a bz2.BZ2Decompressor could be reused after a libbz2
decompression error. Re-entering BZ2_bzDecompress() once libbz2 had
reported an error could write past the end of a stack buffer
(CWE-121, possible stack buffer overflow).
- debian/patches/CVE-2026-9669.patch: backport of cpython
5755d0f0 (gh-150599, Stan Ulbrych). Records the libbz2 error in a
new bzerror field, clears needs_input on the error path, and makes
decompress() raise ValueError ("Decompressor is unusable after a
previous error") on any subsequent call. Adapted to 3.6: plain
needs_input reset (no free-threading atomics) and the existing
ACQUIRE_LOCK/RELEASE_LOCK wrappers; NEWS.d fragment omitted as
3.6.15 ships a single Misc/NEWS.
- CVE-2026-9669
Updated packages:
-
alt-python36_3.6.15-39_amd64.deb
sha:1edcb94c48930daebabcca32fb4f4503e78efa36
-
alt-python36-debug_3.6.15-39_amd64.deb
sha:14bb4c73598cae570fb3e1ec75b6837989cd3733
-
alt-python36-devel_3.6.15-39_amd64.deb
sha:cea184343131d6913807a6e95cd08d20f04f17f5
-
alt-python36-libs_3.6.15-39_amd64.deb
sha:1a7e971ee0d896c0de528242ac9b59035c1189d1
-
alt-python36-test_3.6.15-39_amd64.deb
sha:d825977ff5a311b4b292414fa6060fa6bbbfa676
-
alt-python36-tkinter_3.6.15-39_amd64.deb
sha:07c64fd82898dda8bc080d7b6537225d910601c8
-
alt-python36-tools_3.6.15-39_amd64.deb
sha:f87bc5ec7e077454ea6da4259cbf987dea6af40d
-
alt-python36_3.6.15-39_arm64.deb
sha:342664ee6e91ac5b6b6354bccc57b88ea162e4c0
-
alt-python36-debug_3.6.15-39_arm64.deb
sha:e4a091fea96edde87352c441c3baae0dae2c241d
-
alt-python36-devel_3.6.15-39_arm64.deb
sha:7576feb133bab7dcb7626c0f69cfa7a69f82b7aa
-
alt-python36-libs_3.6.15-39_arm64.deb
sha:0b1bbd3995d20f30f1c97b4d5af0e80388c8c911
-
alt-python36-test_3.6.15-39_arm64.deb
sha:7ffae929cdcbc5e88b891c529b4d6b116d4aa736
-
alt-python36-tkinter_3.6.15-39_arm64.deb
sha:70d013b5d4b22a906da26c1f7e5f9973ca5102ca
-
alt-python36-tools_3.6.15-39_arm64.deb
sha:00315bf23a31402bff107543c3a4be8c5b8952de
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections please contact the
CloudLinux Packaging Team.