Release date:
2026-06-15 14:24:26 UTC
Description:
- CVE-2025-15366: imaplib.IMAP4._command() concatenated each command
argument into the wire-level command without inspecting it, so a caller
passing user-controlled text could inject extra IMAP commands using
CR/LF or other control characters. Reject any byte in [\x00-\x1F\x7F]
with ValueError before concatenation (upstream gh-143921 /
6262704b; mirrors RHSA-2026:6464 python3-3.6.8-21.el7_9.4).
- CVE-2025-15367: poplib.POP3._putcmd() encoded its argument and sent it
to the server without inspecting it, allowing the same command
injection via user()/pass_()/apop()/rpop()/top(). Reject any byte in
[\x00-\x1F\x7F] with ValueError before sending (upstream gh-143923 /
b234a2b6; mirrors RHSA-2026:6464 python3-3.6.8-21.el7_9.4).
Updated packages:
-
alt-python36-3.6.15-29.el9.x86_64.rpm
sha:31998b2fa1cba21841b3396431ce3258092322f2174293cd24bf065deadce8bd
-
alt-python36-debug-3.6.15-29.el9.x86_64.rpm
sha:ab9a91d9f98d597069841a506de53b0eb4c360ea08b2ffa6401bdb8642fe24fa
-
alt-python36-devel-3.6.15-29.el9.x86_64.rpm
sha:fe340a0d8c9bf5b7cf972952d4b5546cb4c1340af900a37423317428045f0ab3
-
alt-python36-libs-3.6.15-29.el9.x86_64.rpm
sha:918fee496e3faf23b08fb55a3b36bfb3969c9d71ae5a19eba2ad1f7b3d253130
-
alt-python36-test-3.6.15-29.el9.x86_64.rpm
sha:1ffc6b4a262ed8c710f19e26c9b2d503667ab1f5f5956451d6336f885e02a4c6
-
alt-python36-tkinter-3.6.15-29.el9.x86_64.rpm
sha:8ac1e1f7e01df11f2e25c2306712105a0b3b791e0265efc8da86b6e3e4c6b417
-
alt-python36-tools-3.6.15-29.el9.x86_64.rpm
sha:4c4ca77285d1929f625eb03d8f90875adf9189c23ddabb1124076c28402bbaa4
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections please contact the
CloudLinux Packaging Team.