[CLSA-2026:1783336344] Fix CVE(s): CVE-2024-11168, CVE-2024-50602, CVE-2025-0938
Type:
security
Severity:
Moderate
Release date:
2026-07-06 11:12:46 UTC
Description:
* SECURITY UPDATE: improper validation of bracketed hosts in urlparse - debian/patches/CVE-2024-11168.patch: backport of cpython b2171a2fd4 (gh-103848). urlparse.urlsplit() accepted bracketed hosts that are neither valid IPv6 nor IPvFuture literals. Adds _check_bracketed_host() to Lib/urlparse.py, called from both the "http" fast-path and the generic branch. Python 2.7 has no ipaddress module, so the bracket content is validated with socket.inet_pton() (IPv4 in brackets rejected; otherwise must parse as IPv6). - CVE-2024-11168 * SECURITY UPDATE: NULL deref in bundled libexpat XML_StopParser - debian/patches/CVE-2024-50602.patch: backport of libexpat PR #915 (51c7019069b8) into the bundled Modules/expat/ (2.2.8). XML_StopParser() on a parser in the XML_INITIALIZED state left it in a state where XML_ResumeParser() crashed via a NULL dereference. XML_StopParser() now refuses to stop/suspend an unstarted parser, returning the new XML_ERROR_NOT_STARTED. - CVE-2024-50602 * SECURITY UPDATE: square brackets allowed in parsed URL domain names - debian/patches/CVE-2025-0938.patch: backport of cpython b8b4b713c5 (gh-105704). Completes CVE-2024-11168 by rejecting square brackets in plain domain names. Adds _check_bracketed_netloc() to Lib/urlparse.py (mirroring NetlocResultMixins._hostinfo()) and uses it in both branches of urlsplit() in place of the inline bracket extraction. - CVE-2025-0938
Updated packages:
  • alt-python27_2.7.18-22_amd64.deb
    sha:a872e57a08283f392e01ee428ff8f6b8937cb7e3
  • alt-python27-debug_2.7.18-22_amd64.deb
    sha:a56f2c7fa94267590dd55301ae6bf212b8cc601a
  • alt-python27-devel_2.7.18-22_amd64.deb
    sha:eca0efce458f3c78e2c8fc989a680cbf1275366c
  • alt-python27-idle_2.7.18-22_amd64.deb
    sha:d5e089f9684c0dddd5959fea25c00b798adc437e
  • alt-python27-libs_2.7.18-22_amd64.deb
    sha:c0bb40ec426029f3a156cc8638ded3dd6e310c11
  • alt-python27-test_2.7.18-22_amd64.deb
    sha:c9887611c25669746dcefae57e367e7750919381
  • alt-python27-tkinter_2.7.18-22_amd64.deb
    sha:9cc68898bd7702040302efaf46c03df3924c9951
  • alt-python27-tools_2.7.18-22_amd64.deb
    sha:0830b8d162f139173d0e32c33e8b6985a92bac4b
  • alt-python27_2.7.18-22_arm64.deb
    sha:33199149ab30cb38a066e046dd385d0676922904
  • alt-python27-debug_2.7.18-22_arm64.deb
    sha:e0669c29cace13de69f9222e45a607babb05b158
  • alt-python27-devel_2.7.18-22_arm64.deb
    sha:38e971950a1018dd5dfa362a7639d9938b802a6c
  • alt-python27-idle_2.7.18-22_arm64.deb
    sha:ce4ac4fc28f12cb89fc58d5626d7e3490e871b4b
  • alt-python27-libs_2.7.18-22_arm64.deb
    sha:26779038e2ed86c34996a187575c972c9a59dfdc
  • alt-python27-test_2.7.18-22_arm64.deb
    sha:58b975065433a7fa8f1d95c12bc5e45168c659a2
  • alt-python27-tkinter_2.7.18-22_arm64.deb
    sha:317ec2934f285e748d68b84c317accb7ddb595e6
  • alt-python27-tools_2.7.18-22_arm64.deb
    sha:07c1864f47443f84efda4fa6ecfc0902404d3d54
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.