[CLSA-2026:1783343616] Fix of 8 CVEs
Type:
security
Severity:
Important
Release date:
2026-07-06 13:14:05 UTC
Description:
* SECURITY UPDATE: expat billion-laughs / entity-expansion amplification DoS - debian/patches/CVE-2013-0340.patch: backport libexpat's billion-laughs attack protection (libexpat PR #466 / 2.4.0) into the bundled expat 2.2.8 tree (Modules/expat/xmlparse.c, expat.h, internal.h). Adds the accounting machinery, XML_ERROR_AMPLIFICATION_LIMIT_BREACH and the XML_SetBillionLaughsAttackProtection{MaximumAmplification, ActivationThreshold} setters (default 100x after 8 MiB). The fix is applied to the bundled copy (not system expat) so it coexists with the CloudLinux XML_SetHashSalt16Bytes extension; new public symbols are namespaced in pyexpatns.h. - CVE-2013-0340 * SECURITY UPDATE: control characters accepted in wsgiref response headers - debian/patches/CVE-2026-0865.patch: backport of cpython gh-143916 (GH-143917) and the HTAB follow-up (GH-144762). wsgiref.headers.Headers (Lib/wsgiref/headers.py) now rejects C0/DEL control characters in header names and values; HTAB remains legal in values, not names. Adapted to 2.7 (positional _convert_string_type flag, no keyword-only argument). - CVE-2026-0865 * SECURITY UPDATE: CR/LF injection in HTTP CONNECT tunnel headers - debian/patches/CVE-2026-1502.patch: backport of cpython gh-146211 (GH-146212). HTTPConnection._tunnel() (Lib/httplib.py) validates the tunnel host and each tunnel request header with the existing _contains_disallowed_url_pchar_re / _is_legal_header_name / _is_illegal_header_value helpers, rejecting control characters. - CVE-2026-1502 * SECURITY UPDATE: template injection via cookie values in js_output() - debian/patches/CVE-2026-6019.patch: backport of cpython gh-90309 (GH-148889), on top of CVE-2026-3644. Cookie.Morsel.js_output() (Lib/Cookie.py) base64-encodes the cookie value and emits it via atob() so it cannot break out of the JS string literal. - CVE-2026-6019 * SECURITY UPDATE: bz2 decompressor reuse-after-error stack overflow - debian/patches/CVE-2026-9669.patch: port of cpython gh-150599 (GH-150600) to the 2.7 bz2 wrapper (Modules/bz2module.c). After libbz2 reports a decompression error the stream is inconsistent and reusing it can write past the output buffer; the decompressor now records the error and raises ValueError on any further decompress() call. - CVE-2026-9669
Updated packages:
  • alt-python27_2.7.18-24_amd64.deb
    sha:05ce8fc353cdba1809a0dee0c191af689c66a124
  • alt-python27-debug_2.7.18-24_amd64.deb
    sha:6617c22083bed6d1b5117c0b9da449ba26a4c103
  • alt-python27-devel_2.7.18-24_amd64.deb
    sha:90a07008ac8d4a727ed2fd6426fe560f9cdea03a
  • alt-python27-idle_2.7.18-24_amd64.deb
    sha:febff3ee1039742794ed3a555818b43808e2d5a3
  • alt-python27-libs_2.7.18-24_amd64.deb
    sha:04334da1ff17bd909a0b7ab8cb979de1744a4268
  • alt-python27-test_2.7.18-24_amd64.deb
    sha:eff348a06fbb76246ee42a1c2c15d2f3a68177da
  • alt-python27-tkinter_2.7.18-24_amd64.deb
    sha:3fd897934a351b1281a73a51db4b572ce4bceb67
  • alt-python27-tools_2.7.18-24_amd64.deb
    sha:efdb8155b792672da6aacc42182cb2e6540e102d
  • alt-python27_2.7.18-24_arm64.deb
    sha:d4434ecf3440ea73f04b525ba1eb7a16d8b5c953
  • alt-python27-debug_2.7.18-24_arm64.deb
    sha:73c30647cad0e47ba709b883ff879b697813c566
  • alt-python27-devel_2.7.18-24_arm64.deb
    sha:e7b1ddf6f9dad7fad877c6ad755531f12a4b89ae
  • alt-python27-idle_2.7.18-24_arm64.deb
    sha:e40a3d6ec829d75c86fbee5a392e88461cc98e35
  • alt-python27-libs_2.7.18-24_arm64.deb
    sha:fab7f5c17582dd9a5dc2cfcbd9923d78558bbbe2
  • alt-python27-test_2.7.18-24_arm64.deb
    sha:80a73444674eac2e2281d54a2813f3d72d4a4ae3
  • alt-python27-tkinter_2.7.18-24_arm64.deb
    sha:ff35ab6865e69e9ecb5f72aacf6b54b864ffdb60
  • alt-python27-tools_2.7.18-24_arm64.deb
    sha:130ba26b9ecf747ab4ad960967a5a37db30a314f
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.