[CLSA-2026:1781521190] alt-python36: Fix of 2 CVEs
Type:
security
Severity:
Important
Release date:
2026-06-15 14:24:26 UTC
Description:
- CVE-2025-15366: imaplib.IMAP4._command() concatenated each command argument into the wire-level command without inspecting it, so a caller passing user-controlled text could inject extra IMAP commands using CR/LF or other control characters. Reject any byte in [\x00-\x1F\x7F] with ValueError before concatenation (upstream gh-143921 / 6262704b; mirrors RHSA-2026:6464 python3-3.6.8-21.el7_9.4). - CVE-2025-15367: poplib.POP3._putcmd() encoded its argument and sent it to the server without inspecting it, allowing the same command injection via user()/pass_()/apop()/rpop()/top(). Reject any byte in [\x00-\x1F\x7F] with ValueError before sending (upstream gh-143923 / b234a2b6; mirrors RHSA-2026:6464 python3-3.6.8-21.el7_9.4).
Updated packages:
  • alt-python36-3.6.15-29.el9.x86_64.rpm
    sha:31998b2fa1cba21841b3396431ce3258092322f2174293cd24bf065deadce8bd
  • alt-python36-debug-3.6.15-29.el9.x86_64.rpm
    sha:ab9a91d9f98d597069841a506de53b0eb4c360ea08b2ffa6401bdb8642fe24fa
  • alt-python36-devel-3.6.15-29.el9.x86_64.rpm
    sha:fe340a0d8c9bf5b7cf972952d4b5546cb4c1340af900a37423317428045f0ab3
  • alt-python36-libs-3.6.15-29.el9.x86_64.rpm
    sha:918fee496e3faf23b08fb55a3b36bfb3969c9d71ae5a19eba2ad1f7b3d253130
  • alt-python36-test-3.6.15-29.el9.x86_64.rpm
    sha:1ffc6b4a262ed8c710f19e26c9b2d503667ab1f5f5956451d6336f885e02a4c6
  • alt-python36-tkinter-3.6.15-29.el9.x86_64.rpm
    sha:8ac1e1f7e01df11f2e25c2306712105a0b3b791e0265efc8da86b6e3e4c6b417
  • alt-python36-tools-3.6.15-29.el9.x86_64.rpm
    sha:4c4ca77285d1929f625eb03d8f90875adf9189c23ddabb1124076c28402bbaa4
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.