[CLSA-2026:1782295459] alt-python36: Fix of CVE-2026-9669
Type:
security
Severity:
Important
Release date:
2026-06-24 10:04:36 UTC
Description:
- CVE-2026-9669: the bz2 BZ2Decompressor could be reused after a libbz2 decompression error; re-entering BZ2_bzDecompress() in that state can write past the end of a stack buffer (CWE-121). The decompressor now records the libbz2 error and refuses further decompress() calls with ValueError, becoming unusable after the first error (upstream gh-150599 / 5755d0f0, adapted to 3.6: plain needs_input reset and existing ACQUIRE_LOCK/RELEASE_LOCK wrappers, NEWS.d fragment omitted).
CVEs fixed:
Updated packages:
  • alt-python36-3.6.15-30.el10.x86_64.rpm
    sha:ff55231724202d48b285d36637af6065ae10fa70da2c4a452e50fb128597e51a
  • alt-python36-debug-3.6.15-30.el10.x86_64.rpm
    sha:0cf5f59e926c54006cc86d62fbe6d9cb876335a5ac9d6d9242ba513d0ec423ab
  • alt-python36-devel-3.6.15-30.el10.x86_64.rpm
    sha:de2e101026278f389419fb9b61fa4134c6406ff2f899692030a4ea9565bb3b72
  • alt-python36-libs-3.6.15-30.el10.x86_64.rpm
    sha:23be7eed2ce4a8f1d72a63bb21deb4f13b0d76828d8c2963d9131d75d83f2246
  • alt-python36-test-3.6.15-30.el10.x86_64.rpm
    sha:a94ae3810c198a6b6e3db6504bb2578b1f35bff079e0825a07553fe78e93964a
  • alt-python36-tkinter-3.6.15-30.el10.x86_64.rpm
    sha:242b401507db18f4df9a8e3ef1f6c2684b5b7d7ddcced51715c7b0389670cbf4
  • alt-python36-tools-3.6.15-30.el10.x86_64.rpm
    sha:7009f87b1e19108acf78d64c8d41e50825a67e957285929b20a35ca33f05f981
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.