[CLSA-2026:1782296677] alt-python36: Fix of CVE-2026-9669
Type:
security
Severity:
Important
Release date:
2026-06-24 10:24:53 UTC
Description:
- CVE-2026-9669: the bz2 BZ2Decompressor could be reused after a libbz2 decompression error; re-entering BZ2_bzDecompress() in that state can write past the end of a stack buffer (CWE-121). The decompressor now records the libbz2 error and refuses further decompress() calls with ValueError, becoming unusable after the first error (upstream gh-150599 / 5755d0f0, adapted to 3.6: plain needs_input reset and existing ACQUIRE_LOCK/RELEASE_LOCK wrappers, NEWS.d fragment omitted).
CVEs fixed:
Updated packages:
  • alt-python36-3.6.15-30.el8.x86_64.rpm
    sha:7bd2f2bbdf187c5cd16a7a04d39d80f1976d9cf38329e975284099f04690e526
  • alt-python36-debug-3.6.15-30.el8.x86_64.rpm
    sha:8150eae16072e6b62ae52e2c44303a432fede131dc8ea212ebe5fe1c478edd66
  • alt-python36-devel-3.6.15-30.el8.x86_64.rpm
    sha:c09d937a64817f6a4d868708801b2f8cd0687a48b828ac17439b5cb7d117a438
  • alt-python36-libs-3.6.15-30.el8.x86_64.rpm
    sha:e8eef573882b0bc67114be0523db83a95141c4af6f7ec6e24981f1d9a885ced7
  • alt-python36-test-3.6.15-30.el8.x86_64.rpm
    sha:fad2cc6f3f08e01e4d4007c680aa0f178d2255c7860231cfed6c542a64b6f7ef
  • alt-python36-tkinter-3.6.15-30.el8.x86_64.rpm
    sha:9b11ba5d26c01264152b34518b64da6da0df48a683cad1856d2776e229a08aed
  • alt-python36-tools-3.6.15-30.el8.x86_64.rpm
    sha:eb6008f848997775979d82ac83c9fae3da76898163ea8116f330824fa96c730d
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.