Release date:
2026-07-06 13:20:52 UTC
Description:
- CVE-2013-0340: backport libexpat's billion-laughs / internal-entity-expansion
amplification protection into the bundled expat 2.2.8 tree (Modules/expat/).
xmlparse.c/expat.h/internal.h gain the libexpat 2.4.0 accounting machinery
(XML_SetBillionLaughsAttackProtectionMaximumAmplification /
...ActivationThreshold, default 100x after 8 MiB) and a new
XML_ERROR_AMPLIFICATION_LIMIT_BREACH; entity expansion that exceeds the
amplification limit is now rejected instead of expanding unbounded. Adapted
to coexist with the CloudLinux XML_SetHashSalt16Bytes extension; the system
expat is NOT used. New public symbols are namespaced in pyexpatns.h.
- CVE-2026-0865: reject C0/DEL control characters in wsgiref.headers.Headers
(Lib/wsgiref/headers.py); HTAB stays legal in values but not names. Backport
of gh-143916 (GH-143917) plus the HTAB follow-up (GH-144762).
- CVE-2026-1502: reject CR/LF and other illegal characters in HTTP CONNECT
tunnel host and request headers in HTTPConnection._tunnel()
(Lib/httplib.py), using the existing _contains_disallowed_url_pchar_re /
_is_legal_header_name / _is_illegal_header_value helpers. Backport of
gh-146211 (GH-146212).
- CVE-2026-6019: base64-encode the cookie value embedded in
Cookie.Morsel.js_output() and emit it via atob() to prevent template
injection (Lib/Cookie.py). Backport of gh-90309 (GH-148889), on top of
CVE-2026-3644.
- CVE-2026-9669: prevent bz2.BZ2Decompressor reuse after a decompression
error (Modules/bz2module.c). After libbz2 reports an error the stream is
inconsistent and re-entering it can overflow the output buffer; the
decompressor now records the error and raises ValueError on any further
decompress() call. Port of gh-150599 (GH-150600) to the 2.7 bz2 wrapper.
Updated packages:
-
alt-python27-2.7.18-37.el8.x86_64.rpm
sha:30e055505931f55f16677d495a5bfa1b1a04e70c3e566ed8030789e9e731d397
-
alt-python27-debug-2.7.18-37.el8.x86_64.rpm
sha:98bf8f2168c8477b0632005573f63da07a3d23f927036c237794fc136f266958
-
alt-python27-devel-2.7.18-37.el8.x86_64.rpm
sha:ed626c52ccf4735f58966b1e7bf28254c9da4a0755d48f4b689486c8ba594f48
-
alt-python27-libs-2.7.18-37.el8.x86_64.rpm
sha:a0a7054ff2a85b15edcd24c471c2e6d82fcc54d797f7acca9ba5fb1e726f9eed
-
alt-python27-test-2.7.18-37.el8.x86_64.rpm
sha:745fc8f690c802ec6a2f5ead292455ed37836727b43ef70ca02163f455460d1c
-
alt-python27-tkinter-2.7.18-37.el8.x86_64.rpm
sha:299245a179296c5a018f130ef82107e4945998516151174302fcaa374384f49b
-
alt-python27-tools-2.7.18-37.el8.x86_64.rpm
sha:ae5f07b2dc382c0053a43809247f7a260bfa1fc63826960fa5a78f85dbde0803
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections please contact the
CloudLinux Packaging Team.