[CLSA-2026:1782999164] alt-python27: Fix of 3 CVEs
Type:
security
Severity:
Moderate
Release date:
2026-07-02 13:33:05 UTC
Description:
- CVE-2024-11168: urlparse.urlsplit() did not validate the content of bracketed hosts, so domain names that are neither valid IPv6 nor IPvFuture literals were accepted inside "[" "]". A new _check_bracketed_host() is added (Lib/urlparse.py) and called from both the "http" fast-path and the generic branch of urlsplit(). Python 2.7 has no ipaddress module, so the bracket content is validated with socket.inet_pton() (IPv4 in brackets is rejected; otherwise the content must parse as IPv6). - CVE-2024-50602: a NULL pointer dereference in the bundled libexpat (Modules/expat/, 2.2.8) when XML_StopParser() was called on a parser in the XML_INITIALIZED state followed by XML_ResumeParser(). XML_StopParser() now refuses to stop/suspend an unstarted parser, returning the new XML_ERROR_NOT_STARTED. Backport of libexpat PR - CVE-2025-0938: completes CVE-2024-11168 by also rejecting square brackets in plain domain names. _check_bracketed_netloc() (Lib/urlparse.py) mirrors NetlocResultMixins._hostinfo() so data before/after the brackets is rejected; it replaces the inline bracket extraction in both branches of urlsplit().
Updated packages:
  • alt-python27-2.7.18-35.el8.x86_64.rpm
    sha:8573a9f5fd94f56f15898b6ca376f65f4d11e6dd8447c6b18253c166ccba4ba9
  • alt-python27-debug-2.7.18-35.el8.x86_64.rpm
    sha:578b7f0c6643e418341a94d1d683d3e33ace1e89b9e04de5426726dbc0933395
  • alt-python27-devel-2.7.18-35.el8.x86_64.rpm
    sha:1c050f257e23fc42bba3f9e522ed629cea94625f109b851f646abe0f3eed9c0b
  • alt-python27-libs-2.7.18-35.el8.x86_64.rpm
    sha:3d8904c3f6b0bbb43c905c7bf6747c9b9609b66dbffb5e7826df97cb19114e93
  • alt-python27-test-2.7.18-35.el8.x86_64.rpm
    sha:79cf5766e0431032d4eb7fc389e1f9abed462381a0f4b63c8af94e2a780dc234
  • alt-python27-tkinter-2.7.18-35.el8.x86_64.rpm
    sha:db1c3af24576d9a6a3a5e4616d6be6c2ad8be8750c1c76da37244bcd3e197abc
  • alt-python27-tools-2.7.18-35.el8.x86_64.rpm
    sha:ef539f0aea4a01e3c5805d5417292e920896538dde6bce3e4b1e90b359b8f724
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.