[CLSA-2026:1782382816] Fix CVE(s): CVE-2026-9669
Type:
security
Severity:
Important
Release date:
2026-06-25 10:20:33 UTC
Description:
* SECURITY UPDATE: bz2.BZ2Decompressor could be reused after a decompression error. libbz2 leaves the bz_stream in an inconsistent state after reporting an error, so re-entering BZ2_bzDecompress() on that stream could write past the output buffer, a stack buffer overflow (CWE-121). - debian/patches/CVE-2026-9669.patch: backport of cpython 5755d0f083 (gh-150599). Record the libbz2 error code in a new BZ2Decompressor bzerror field, clear needs_input on error, and raise ValueError("Decompressor is unusable after a previous error") on any subsequent decompress() call. - CVE-2026-9669
CVEs fixed:
Updated packages:
  • alt-python39_3.9.23-19_amd64.deb
    sha:2bdff7d898dbc3f09c2cdb10f65f64d1d2c58473
  • alt-python39-debug_3.9.23-19_amd64.deb
    sha:db629e3b59bd43a5bc1f688676d714d749e4b6c2
  • alt-python39-devel_3.9.23-19_amd64.deb
    sha:8ad8e7be492c4465b84250b852feb5efbd6d3273
  • alt-python39-idle_3.9.23-19_amd64.deb
    sha:eb56fa6579ec7add0e9f95b58c500d9fe78b2eaa
  • alt-python39-libs_3.9.23-19_amd64.deb
    sha:cb51b167203e5b5ea26a79a0d9bb9cfea1d43ac8
  • alt-python39-test_3.9.23-19_amd64.deb
    sha:a6a85dbee472abeb71e31abc5df2d2b86f24ceab
  • alt-python39-tkinter_3.9.23-19_amd64.deb
    sha:f94710a7a7b1c0e01c0bd10c0a28e9baed1af59c
  • alt-python39_3.9.23-19_arm64.deb
    sha:47b4c23ce22a31a1a7fbcb7da66be4c080bfdc2a
  • alt-python39-debug_3.9.23-19_arm64.deb
    sha:b99efe19f458ecdab5ef43f0b8b76553b5414dea
  • alt-python39-devel_3.9.23-19_arm64.deb
    sha:04a52473fbd45c19f5dcd6af475e4b10b18a855f
  • alt-python39-idle_3.9.23-19_arm64.deb
    sha:4570ced19b9ab18fb9be1f976d2b96fe340bce06
  • alt-python39-libs_3.9.23-19_arm64.deb
    sha:1c212dc5089d6925376fac917ceea1fd2563f4e9
  • alt-python39-test_3.9.23-19_arm64.deb
    sha:c12f17222be576c182463ff5f0b38daa9fc710cb
  • alt-python39-tkinter_3.9.23-19_arm64.deb
    sha:2ed0b840550077372ed2a747da297879ee5a9461
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.