[CLSA-2026:1781520060] alt-python36: Fix of 2 CVEs
Type:
security
Severity:
Important
Release date:
2026-06-15 10:42:12 UTC
Description:
- CVE-2025-15366: imaplib.IMAP4._command() concatenated each command argument into the wire-level command without inspecting it, so a caller passing user-controlled text could inject extra IMAP commands using CR/LF or other control characters. Reject any byte in [\x00-\x1F\x7F] with ValueError before concatenation (upstream gh-143921 / 6262704b; mirrors RHSA-2026:6464 python3-3.6.8-21.el7_9.4). - CVE-2025-15367: poplib.POP3._putcmd() encoded its argument and sent it to the server without inspecting it, allowing the same command injection via user()/pass_()/apop()/rpop()/top(). Reject any byte in [\x00-\x1F\x7F] with ValueError before sending (upstream gh-143923 / b234a2b6; mirrors RHSA-2026:6464 python3-3.6.8-21.el7_9.4).
Updated packages:
  • alt-python36-3.6.15-29.el10.x86_64.rpm
    sha:6d25579d0a36e527120668bd9be571b9971ae3b7a872ce95a89f557f62b10f6d
  • alt-python36-debug-3.6.15-29.el10.x86_64.rpm
    sha:2a047dc578a2d8d4c0c7e3077d21f5d8c977af9a44f2d790c5f3480d40ba0bf3
  • alt-python36-devel-3.6.15-29.el10.x86_64.rpm
    sha:1f0c81f8c500862c57d7bdff7cc42184b967c11f81a6d1309b3e0447d51212f6
  • alt-python36-libs-3.6.15-29.el10.x86_64.rpm
    sha:f830ac4a00284e67e9562d5f86bb29f0fc2cc020ba2fd14f3ef4f223437cc903
  • alt-python36-test-3.6.15-29.el10.x86_64.rpm
    sha:c1e866ee6d3268cfd32861ca4956e145412e4cb6a3289cd91b621ebc8b8cb554
  • alt-python36-tkinter-3.6.15-29.el10.x86_64.rpm
    sha:3493e88acdb90a9badd7d57a99d4b20c162425bc155a03af6228726b3097d847
  • alt-python36-tools-3.6.15-29.el10.x86_64.rpm
    sha:7aa01635c7c78722d8e22d043b9fc1f72ebb4cf3b75ae33847fbe92e5bf68354
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.