[CLSA-2026:1782377941] Fix CVE(s): CVE-2026-9669
Type:
security
Severity:
Important
Release date:
2026-06-25 08:59:16 UTC
Description:
* SECURITY UPDATE: bz2.BZ2Decompressor could write out of bounds (stack buffer overflow, CWE-121) when reused after a decompression error. Re-entering BZ2_bzDecompress() on a stream that libbz2 had already reported an error on left the internal state inconsistent. - debian/patches/CVE-2026-9669.patch: backport of cpython 5755d0f083949ff3c5bf3a37e673e24e306b036e (gh-150599). Records the libbz2 error in a new bzerror field and marks the decompressor unusable, so a subsequent decompress() raises ValueError instead of re-entering the corrupted stream. - CVE-2026-9669
CVEs fixed:
Updated packages:
  • alt-python38_3.8.20-21_amd64.deb
    sha:b1a189ee44685976d5f77af3aed534cad783c7c1
  • alt-python38-debug_3.8.20-21_amd64.deb
    sha:d3643459764d1a6dbbc18cfb6b6ae28351d80de3
  • alt-python38-devel_3.8.20-21_amd64.deb
    sha:9b873ca7ef251d946123e097ac602f378e36a1bf
  • alt-python38-idle_3.8.20-21_amd64.deb
    sha:bbb0ba198baf6d4b02af5e39f5448e0d13bd6d4a
  • alt-python38-libs_3.8.20-21_amd64.deb
    sha:1160df9f8d22b9a7ffd8c36fe08ea829b14b3444
  • alt-python38-test_3.8.20-21_amd64.deb
    sha:db483d93ef217c672753323adba02c9700e66f18
  • alt-python38-tkinter_3.8.20-21_amd64.deb
    sha:7e06e1e3de8219949b0d428ccb02505ac13b90ae
  • alt-python38_3.8.20-21_arm64.deb
    sha:a8b04d9205bfa120de1f4ba0699c1804fb2e3604
  • alt-python38-debug_3.8.20-21_arm64.deb
    sha:ba88f4a0ede0c9a755ce63d9eaa93dfd89324008
  • alt-python38-devel_3.8.20-21_arm64.deb
    sha:b6c1955a25c825e91191df6396acfa242a345765
  • alt-python38-idle_3.8.20-21_arm64.deb
    sha:c62d8939308e67600bcb92a65f61909039d8c5c3
  • alt-python38-libs_3.8.20-21_arm64.deb
    sha:eb0cb93070fe497c10ee6a2d30eac0bb8221b7f8
  • alt-python38-test_3.8.20-21_arm64.deb
    sha:3c40d7f22f3d3fa36685bac298f99e752f514e8b
  • alt-python38-tkinter_3.8.20-21_arm64.deb
    sha:97d22da7ec1cd7fed58d9785d9133bda98dc2f0f
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.