[CLSA-2026:1782994801] alt-python27: Fix of 3 CVEs
Type:
security
Severity:
Moderate
Release date:
2026-07-02 12:20:26 UTC
Description:
- CVE-2024-11168: urlparse.urlsplit() did not validate the content of bracketed hosts, so domain names that are neither valid IPv6 nor IPvFuture literals were accepted inside "[" "]". A new _check_bracketed_host() is added (Lib/urlparse.py) and called from both the "http" fast-path and the generic branch of urlsplit(). Python 2.7 has no ipaddress module, so the bracket content is validated with socket.inet_pton() (IPv4 in brackets is rejected; otherwise the content must parse as IPv6). - CVE-2024-50602: a NULL pointer dereference in the bundled libexpat (Modules/expat/, 2.2.8) when XML_StopParser() was called on a parser in the XML_INITIALIZED state followed by XML_ResumeParser(). XML_StopParser() now refuses to stop/suspend an unstarted parser, returning the new XML_ERROR_NOT_STARTED. Backport of libexpat PR - CVE-2025-0938: completes CVE-2024-11168 by also rejecting square brackets in plain domain names. _check_bracketed_netloc() (Lib/urlparse.py) mirrors NetlocResultMixins._hostinfo() so data before/after the brackets is rejected; it replaces the inline bracket extraction in both branches of urlsplit().
Updated packages:
  • alt-python27-2.7.18-35.el10.x86_64.rpm
    sha:d85fb86a1589f2cb73fe219b314da89ef6cbc3cde8fcc9e643fef8dd9dd5c7c8
  • alt-python27-debug-2.7.18-35.el10.x86_64.rpm
    sha:a2cd857fdc86a905900bc4fd98e83f4fff87a7e34045279ffdc3ab4761c66016
  • alt-python27-devel-2.7.18-35.el10.x86_64.rpm
    sha:76a18304b994faf308f280c558a96a385d6d2962981ab0f4c6b3ec05c3b89865
  • alt-python27-libs-2.7.18-35.el10.x86_64.rpm
    sha:db9c263b1fc0d5f989caaf28a90bdb2f7c9ecf0c2508506a927a0f3f54336e3a
  • alt-python27-test-2.7.18-35.el10.x86_64.rpm
    sha:09f77518d016db20544ade3f22b8d6737d4b0eea45fbb492a00feda34d65f7e4
  • alt-python27-tkinter-2.7.18-35.el10.x86_64.rpm
    sha:5b002c0911a17fc5723a8219865d2c66166e3d691d2e22b324ca1cae1863ea32
  • alt-python27-tools-2.7.18-35.el10.x86_64.rpm
    sha:3f38739b2397377b22f25bfcd8ef87842c6a5b85c3e65e15f4b22ac14ca1701e
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.