Release date:
2026-07-02 13:27:40 UTC
Description:
- CVE-2024-11168: urlparse.urlsplit() did not validate the content of
bracketed hosts, so domain names that are neither valid IPv6 nor
IPvFuture literals were accepted inside "[" "]". A new
_check_bracketed_host() is added (Lib/urlparse.py) and called from
both the "http" fast-path and the generic branch of urlsplit().
Python 2.7 has no ipaddress module, so the bracket content is
validated with socket.inet_pton() (IPv4 in brackets is rejected;
otherwise the content must parse as IPv6).
- CVE-2024-50602: a NULL pointer dereference in the bundled libexpat
(Modules/expat/, 2.2.8) when XML_StopParser() was called on a parser
in the XML_INITIALIZED state followed by XML_ResumeParser().
XML_StopParser() now refuses to stop/suspend an unstarted parser,
returning the new XML_ERROR_NOT_STARTED. Backport of libexpat PR
- CVE-2025-0938: completes CVE-2024-11168 by also rejecting square
brackets in plain domain names. _check_bracketed_netloc()
(Lib/urlparse.py) mirrors NetlocResultMixins._hostinfo() so data
before/after the brackets is rejected; it replaces the inline
bracket extraction in both branches of urlsplit().
Updated packages:
-
alt-python27-2.7.18-35.el9.x86_64.rpm
sha:3afd093c56a6553d366b55c9236f901fa61273fc613ed989841fb1e30c413d82
-
alt-python27-debug-2.7.18-35.el9.x86_64.rpm
sha:fd7aa996a49bedf2fe47ada5299af8240a14c86c24df93976fa19177724d56b6
-
alt-python27-devel-2.7.18-35.el9.x86_64.rpm
sha:f0aff997fcb29fdbf1e24e9110db7008505ba806dd75dc60554328f9e97316c8
-
alt-python27-libs-2.7.18-35.el9.x86_64.rpm
sha:f97357cd9bcf2b347e30a79bbfaf699f18c3a858028fbd74db40b0b06fb976e4
-
alt-python27-test-2.7.18-35.el9.x86_64.rpm
sha:bf9bb632632f6f311f3a905b11a1ef0605aa35168fb287a3d44bbdc4a17cde7e
-
alt-python27-tkinter-2.7.18-35.el9.x86_64.rpm
sha:d54c34ba5b85f10939bc2d186adbdc3f04f3c3439a7c699256857c0ed349640d
-
alt-python27-tools-2.7.18-35.el9.x86_64.rpm
sha:36b3304a054dd53f3987114a058e709a5f1c7e2bbd7f418975fa48b1395839b3
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections please contact the
CloudLinux Packaging Team.