[CLSA-2026:1782297615] alt-python36: Fix of CVE-2026-9669
Type:
security
Severity:
Important
Release date:
2026-06-24 10:40:32 UTC
Description:
- CVE-2026-9669: the bz2 BZ2Decompressor could be reused after a libbz2 decompression error; re-entering BZ2_bzDecompress() in that state can write past the end of a stack buffer (CWE-121). The decompressor now records the libbz2 error and refuses further decompress() calls with ValueError, becoming unusable after the first error (upstream gh-150599 / 5755d0f0, adapted to 3.6: plain needs_input reset and existing ACQUIRE_LOCK/RELEASE_LOCK wrappers, NEWS.d fragment omitted).
CVEs fixed:
Updated packages:
  • alt-python36-3.6.15-30.el9.x86_64.rpm
    sha:c51dd30efa1cc81004a3160f39d7f68d1729ffaff125de87d3e46bba80807392
  • alt-python36-debug-3.6.15-30.el9.x86_64.rpm
    sha:c5fdfc507b83680638eadbceec701afcbb89483b6b188fb66f07e4b8bea184b1
  • alt-python36-devel-3.6.15-30.el9.x86_64.rpm
    sha:c26c43d8b5c9d4b19175f7d3980a6b22820f052f3e392d0ef64999e9dfb8ca1a
  • alt-python36-libs-3.6.15-30.el9.x86_64.rpm
    sha:382ef48bed5b2c9c9dc9167b2b085a15ab816ef2e1dffbdfdc8e5c916fbe7292
  • alt-python36-test-3.6.15-30.el9.x86_64.rpm
    sha:3b2f6d653b0029e14008cdba5bcc937ddd92a84354c3c9d3b53b21a138692f98
  • alt-python36-tkinter-3.6.15-30.el9.x86_64.rpm
    sha:f8223adec602dbb479f168431ba9eb524eff47cd73c8cf2f2603e1b85c3a6bfa
  • alt-python36-tools-3.6.15-30.el9.x86_64.rpm
    sha:e43f8497d877c2551d40085bbf32726b86f6d71c5184a7cf18144d60078f745b
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.