[CLSA-2026:1781514930] alt-python36: Fix of 2 CVEs
Type:
security
Severity:
Important
Release date:
2026-06-15 09:16:59 UTC
Description:
- CVE-2025-15366: imaplib.IMAP4._command() concatenated each command argument into the wire-level command without inspecting it, so a caller passing user-controlled text could inject extra IMAP commands using CR/LF or other control characters. Reject any byte in [\x00-\x1F\x7F] with ValueError before concatenation (upstream gh-143921 / 6262704b; mirrors RHSA-2026:6464 python3-3.6.8-21.el7_9.4). - CVE-2025-15367: poplib.POP3._putcmd() encoded its argument and sent it to the server without inspecting it, allowing the same command injection via user()/pass_()/apop()/rpop()/top(). Reject any byte in [\x00-\x1F\x7F] with ValueError before sending (upstream gh-143923 / b234a2b6; mirrors RHSA-2026:6464 python3-3.6.8-21.el7_9.4).
Updated packages:
  • alt-python36-3.6.15-29.el8.x86_64.rpm
    sha:61f7bea42cff4a57f3effcd5761786359b40c342ccc3565edf2dfd8086b49094
  • alt-python36-debug-3.6.15-29.el8.x86_64.rpm
    sha:045d667834b84d4617b39a4589f2b401dcc987995b3dcb12a6c9912e12ea406d
  • alt-python36-devel-3.6.15-29.el8.x86_64.rpm
    sha:7e03f959eca3040655f2068a91d030932db777bfaf9f0680ae3debd252aa5990
  • alt-python36-libs-3.6.15-29.el8.x86_64.rpm
    sha:4884a0388c420cd2b4ad424c43215642fbafdc9be6938ecb0000532b13feb3c6
  • alt-python36-test-3.6.15-29.el8.x86_64.rpm
    sha:86f80fa78c4a8f7ce0062998958e4f3940002005ddc0964aebf3ed76716916de
  • alt-python36-tkinter-3.6.15-29.el8.x86_64.rpm
    sha:907cdeaa655f81a4aaa17fbd6a9985612ad094135b78b805edc15537f3699b16
  • alt-python36-tools-3.6.15-29.el8.x86_64.rpm
    sha:c36de4e01de05d462ace5017a68b6a5ff899e34bd252267219dbe7d8de15ecf3
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.