[CLSA-2026:1783340757] alt-python27: Fix of 8 CVEs
Type:
security
Severity:
Important
Release date:
2026-07-06 12:26:27 UTC
Description:
- CVE-2013-0340: backport libexpat's billion-laughs / internal-entity-expansion amplification protection into the bundled expat 2.2.8 tree (Modules/expat/). xmlparse.c/expat.h/internal.h gain the libexpat 2.4.0 accounting machinery (XML_SetBillionLaughsAttackProtectionMaximumAmplification / ...ActivationThreshold, default 100x after 8 MiB) and a new XML_ERROR_AMPLIFICATION_LIMIT_BREACH; entity expansion that exceeds the amplification limit is now rejected instead of expanding unbounded. Adapted to coexist with the CloudLinux XML_SetHashSalt16Bytes extension; the system expat is NOT used. New public symbols are namespaced in pyexpatns.h. - CVE-2026-0865: reject C0/DEL control characters in wsgiref.headers.Headers (Lib/wsgiref/headers.py); HTAB stays legal in values but not names. Backport of gh-143916 (GH-143917) plus the HTAB follow-up (GH-144762). - CVE-2026-1502: reject CR/LF and other illegal characters in HTTP CONNECT tunnel host and request headers in HTTPConnection._tunnel() (Lib/httplib.py), using the existing _contains_disallowed_url_pchar_re / _is_legal_header_name / _is_illegal_header_value helpers. Backport of gh-146211 (GH-146212). - CVE-2026-6019: base64-encode the cookie value embedded in Cookie.Morsel.js_output() and emit it via atob() to prevent template injection (Lib/Cookie.py). Backport of gh-90309 (GH-148889), on top of CVE-2026-3644. - CVE-2026-9669: prevent bz2.BZ2Decompressor reuse after a decompression error (Modules/bz2module.c). After libbz2 reports an error the stream is inconsistent and re-entering it can overflow the output buffer; the decompressor now records the error and raises ValueError on any further decompress() call. Port of gh-150599 (GH-150600) to the 2.7 bz2 wrapper.
Updated packages:
  • alt-python27-2.7.18-37.el10.x86_64.rpm
    sha:941a53522eb2770a913f00b51d5114c2366e6fba7ae56b861e27b6b78bd22037
  • alt-python27-debug-2.7.18-37.el10.x86_64.rpm
    sha:455a770d5de3340983bbcf44f5ccf12e5559b97ce78f74a8b67aabdbc4b52785
  • alt-python27-devel-2.7.18-37.el10.x86_64.rpm
    sha:eebfe8429ecd1e7cbd1c4d5482407f3f34455dc5d2122ae1e830e39224bc0b1e
  • alt-python27-libs-2.7.18-37.el10.x86_64.rpm
    sha:c3faab997e3fcb42095dbc315fbd803208ca8162eb9e04d3fcb9a361ad17f904
  • alt-python27-test-2.7.18-37.el10.x86_64.rpm
    sha:efe43710b60c4491c28e68a49a76517e60c93bca992fa2ec949dcee65ab878e2
  • alt-python27-tkinter-2.7.18-37.el10.x86_64.rpm
    sha:e169730c38d8bfa36e838dd15e6bb0782dedc93e713540507d87de1b822a3b9f
  • alt-python27-tools-2.7.18-37.el10.x86_64.rpm
    sha:444f32e6a1ff231964060ba8e35d28790f5752548ec88499c1737fb899bfc99a
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.