[CLSA-2026:1782998534] alt-python27: Fix of 3 CVEs
Type:
security
Severity:
Moderate
Release date:
2026-07-02 13:22:34 UTC
Description:
- CVE-2024-11168: urlparse.urlsplit() did not validate the content of bracketed hosts, so domain names that are neither valid IPv6 nor IPvFuture literals were accepted inside "[" "]". A new _check_bracketed_host() is added (Lib/urlparse.py) and called from both the "http" fast-path and the generic branch of urlsplit(). Python 2.7 has no ipaddress module, so the bracket content is validated with socket.inet_pton() (IPv4 in brackets is rejected; otherwise the content must parse as IPv6). - CVE-2024-50602: a NULL pointer dereference in the bundled libexpat (Modules/expat/, 2.2.8) when XML_StopParser() was called on a parser in the XML_INITIALIZED state followed by XML_ResumeParser(). XML_StopParser() now refuses to stop/suspend an unstarted parser, returning the new XML_ERROR_NOT_STARTED. Backport of libexpat PR - CVE-2025-0938: completes CVE-2024-11168 by also rejecting square brackets in plain domain names. _check_bracketed_netloc() (Lib/urlparse.py) mirrors NetlocResultMixins._hostinfo() so data before/after the brackets is rejected; it replaces the inline bracket extraction in both branches of urlsplit().
Updated packages:
  • alt-python27-2.7.18-35.el7.x86_64.rpm
    sha:00ec1c4d13cc8be15bba7991339ca22e8433da27594e46ccc804e3562fba543d
  • alt-python27-debug-2.7.18-35.el7.x86_64.rpm
    sha:3d6404091ba3aee4f380504b5c2fde674ae6e27e7feedd17b8045ba25070c1c9
  • alt-python27-devel-2.7.18-35.el7.x86_64.rpm
    sha:0308451ef5b78fbd012d83299e85caa7cff7cf30e02c88ec2261f8eac1968389
  • alt-python27-libs-2.7.18-35.el7.x86_64.rpm
    sha:bdaf09ff2bda2693281e734f66ded5fc2d8a57799f3025890cc280dd6a9013ad
  • alt-python27-test-2.7.18-35.el7.x86_64.rpm
    sha:8eaea7b2fcf06535a375e6ca400a424865d8074fdd3cf8d43c5a073ad58411fc
  • alt-python27-tkinter-2.7.18-35.el7.x86_64.rpm
    sha:1b4fd9583ae7759021d96af4abf9c20bc13f51dcbdfec1d4720edc0fa9444e37
  • alt-python27-tools-2.7.18-35.el7.x86_64.rpm
    sha:b48769e1cc2512b5331bfda6fb190d45f9ca0b6ef633c5cf8300b609c421741c
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.