[CLSA-2026:1781520608] alt-python36: Fix of 2 CVEs
Type:
security
Severity:
Important
Release date:
2026-06-15 10:51:40 UTC
Description:
- CVE-2025-15366: imaplib.IMAP4._command() concatenated each command argument into the wire-level command without inspecting it, so a caller passing user-controlled text could inject extra IMAP commands using CR/LF or other control characters. Reject any byte in [\x00-\x1F\x7F] with ValueError before concatenation (upstream gh-143921 / 6262704b; mirrors RHSA-2026:6464 python3-3.6.8-21.el7_9.4). - CVE-2025-15367: poplib.POP3._putcmd() encoded its argument and sent it to the server without inspecting it, allowing the same command injection via user()/pass_()/apop()/rpop()/top(). Reject any byte in [\x00-\x1F\x7F] with ValueError before sending (upstream gh-143923 / b234a2b6; mirrors RHSA-2026:6464 python3-3.6.8-21.el7_9.4).
Updated packages:
  • alt-python36-3.6.15-29.el7.x86_64.rpm
    sha:7cca99c8fe6f80cb7ab6f1ed4e09ea90751fc60deb7ad956efeb53e50341abdb
  • alt-python36-debug-3.6.15-29.el7.x86_64.rpm
    sha:7efd50d68f8dd586b25ebb278ff9a8c675f9dc6d5b01d53a52ad94cd4809b44e
  • alt-python36-devel-3.6.15-29.el7.x86_64.rpm
    sha:898323e58025b4bf6ecbc2970247adabb221f3b586de7465b3ea4bd509f640a3
  • alt-python36-libs-3.6.15-29.el7.x86_64.rpm
    sha:97bb277dce6999fc9495b27a32542f93930bc4fd4f55f965ef19d0adcfe0209e
  • alt-python36-test-3.6.15-29.el7.x86_64.rpm
    sha:d767e5ed5a043b2d713c6f212ba9c6b9cb8ffe3db4cc45db8a909ae345cc154b
  • alt-python36-tkinter-3.6.15-29.el7.x86_64.rpm
    sha:98bf76949d21e1f8b2ca40f07368cd4425f2b9cc5d86780453322437d60f4bed
  • alt-python36-tools-3.6.15-29.el7.x86_64.rpm
    sha:fa100651baace3f9ff1d56db47e307b693d9b43bcade176da680aa49f1f2448f
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.