Release date:
2026-07-06 13:08:43 UTC
Description:
- CVE-2013-0340: backport libexpat's billion-laughs / internal-entity-expansion
amplification protection into the bundled expat 2.2.8 tree (Modules/expat/).
xmlparse.c/expat.h/internal.h gain the libexpat 2.4.0 accounting machinery
(XML_SetBillionLaughsAttackProtectionMaximumAmplification /
...ActivationThreshold, default 100x after 8 MiB) and a new
XML_ERROR_AMPLIFICATION_LIMIT_BREACH; entity expansion that exceeds the
amplification limit is now rejected instead of expanding unbounded. Adapted
to coexist with the CloudLinux XML_SetHashSalt16Bytes extension; the system
expat is NOT used. New public symbols are namespaced in pyexpatns.h.
- CVE-2026-0865: reject C0/DEL control characters in wsgiref.headers.Headers
(Lib/wsgiref/headers.py); HTAB stays legal in values but not names. Backport
of gh-143916 (GH-143917) plus the HTAB follow-up (GH-144762).
- CVE-2026-1502: reject CR/LF and other illegal characters in HTTP CONNECT
tunnel host and request headers in HTTPConnection._tunnel()
(Lib/httplib.py), using the existing _contains_disallowed_url_pchar_re /
_is_legal_header_name / _is_illegal_header_value helpers. Backport of
gh-146211 (GH-146212).
- CVE-2026-6019: base64-encode the cookie value embedded in
Cookie.Morsel.js_output() and emit it via atob() to prevent template
injection (Lib/Cookie.py). Backport of gh-90309 (GH-148889), on top of
CVE-2026-3644.
- CVE-2026-9669: prevent bz2.BZ2Decompressor reuse after a decompression
error (Modules/bz2module.c). After libbz2 reports an error the stream is
inconsistent and re-entering it can overflow the output buffer; the
decompressor now records the error and raises ValueError on any further
decompress() call. Port of gh-150599 (GH-150600) to the 2.7 bz2 wrapper.
Updated packages:
-
alt-python27-2.7.18-37.el9.x86_64.rpm
sha:ec6cc8133a2233b959966c9788ef9d06c33d445f08f8950e01dbc574e17ed4fe
-
alt-python27-debug-2.7.18-37.el9.x86_64.rpm
sha:be89ab4dd1dda3a583b8302fc8ef8a07f0de1aa1c42b30c1a89aa92967ce4fb3
-
alt-python27-devel-2.7.18-37.el9.x86_64.rpm
sha:e059f9339208e1f52be23baa7ece9bff6a353968680f2d206f5eace924662761
-
alt-python27-libs-2.7.18-37.el9.x86_64.rpm
sha:f1ffad450070d11bdb27d62c9ed6f2d1408a6a5f10f7533d47ac8511d22c175c
-
alt-python27-test-2.7.18-37.el9.x86_64.rpm
sha:840e37ba1a261f3976e7da1b647041bff125ea3f614cd8ca9b96f523082427d9
-
alt-python27-tkinter-2.7.18-37.el9.x86_64.rpm
sha:2c55bb04355f5a0edc93ddbb5401e1fb30ae6b5d55ab47a0294aa36b2c8bb697
-
alt-python27-tools-2.7.18-37.el9.x86_64.rpm
sha:b1e50d5f71bbbff98c844d2374e97458052786cc56e3a5bc402b81985de551b3
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections please contact the
CloudLinux Packaging Team.