[CLSA-2026:1782370892] alt-python36: Fix of CVE-2026-9669
Type:
security
Severity:
Important
Release date:
2026-06-25 07:01:48 UTC
Description:
- CVE-2026-9669: the bz2 BZ2Decompressor could be reused after a libbz2 decompression error; re-entering BZ2_bzDecompress() in that state can write past the end of a stack buffer (CWE-121). The decompressor now records the libbz2 error and refuses further decompress() calls with ValueError, becoming unusable after the first error (upstream gh-150599 / 5755d0f0, adapted to 3.6: plain needs_input reset and existing ACQUIRE_LOCK/RELEASE_LOCK wrappers, NEWS.d fragment omitted).
CVEs fixed:
Updated packages:
  • alt-python36-3.6.15-30.el7.x86_64.rpm
    sha:989fa787667995fbc65eee11276d7ae601c74df38f6dc6d8ebb263ffcbd9a5d3
  • alt-python36-debug-3.6.15-30.el7.x86_64.rpm
    sha:c38c224bd2ece7758347102ab84d8952fca31d416db7cb4e70161f0de43f8613
  • alt-python36-devel-3.6.15-30.el7.x86_64.rpm
    sha:cf41149dc82485ca2ab20297784d0bc10ea3c9d263b44b413e5409faa4405378
  • alt-python36-libs-3.6.15-30.el7.x86_64.rpm
    sha:92de407bdd7197f4fb093c426fb533d5efe4059bf2765d73e2b259aff551e1ad
  • alt-python36-test-3.6.15-30.el7.x86_64.rpm
    sha:38396f14ca1d07c95b2f0056c591e92b58f1ec3706e9d79ec205b8dae96edb67
  • alt-python36-tkinter-3.6.15-30.el7.x86_64.rpm
    sha:703b725665c2ad72962f0524c3cb03089a68f802220387b896ccb32a5d93cf8b
  • alt-python36-tools-3.6.15-30.el7.x86_64.rpm
    sha:0b01b9ff78eaf9ea482eeba634b7841675c5dc6fcc4b2696b14efd61f2b9f2a1
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.