[CLSA-2026:1783343295] alt-python27: Fix of 8 CVEs
Type:
security
Severity:
Important
Release date:
2026-07-06 13:08:43 UTC
Description:
- CVE-2013-0340: backport libexpat's billion-laughs / internal-entity-expansion amplification protection into the bundled expat 2.2.8 tree (Modules/expat/). xmlparse.c/expat.h/internal.h gain the libexpat 2.4.0 accounting machinery (XML_SetBillionLaughsAttackProtectionMaximumAmplification / ...ActivationThreshold, default 100x after 8 MiB) and a new XML_ERROR_AMPLIFICATION_LIMIT_BREACH; entity expansion that exceeds the amplification limit is now rejected instead of expanding unbounded. Adapted to coexist with the CloudLinux XML_SetHashSalt16Bytes extension; the system expat is NOT used. New public symbols are namespaced in pyexpatns.h. - CVE-2026-0865: reject C0/DEL control characters in wsgiref.headers.Headers (Lib/wsgiref/headers.py); HTAB stays legal in values but not names. Backport of gh-143916 (GH-143917) plus the HTAB follow-up (GH-144762). - CVE-2026-1502: reject CR/LF and other illegal characters in HTTP CONNECT tunnel host and request headers in HTTPConnection._tunnel() (Lib/httplib.py), using the existing _contains_disallowed_url_pchar_re / _is_legal_header_name / _is_illegal_header_value helpers. Backport of gh-146211 (GH-146212). - CVE-2026-6019: base64-encode the cookie value embedded in Cookie.Morsel.js_output() and emit it via atob() to prevent template injection (Lib/Cookie.py). Backport of gh-90309 (GH-148889), on top of CVE-2026-3644. - CVE-2026-9669: prevent bz2.BZ2Decompressor reuse after a decompression error (Modules/bz2module.c). After libbz2 reports an error the stream is inconsistent and re-entering it can overflow the output buffer; the decompressor now records the error and raises ValueError on any further decompress() call. Port of gh-150599 (GH-150600) to the 2.7 bz2 wrapper.
Updated packages:
  • alt-python27-2.7.18-37.el9.x86_64.rpm
    sha:ec6cc8133a2233b959966c9788ef9d06c33d445f08f8950e01dbc574e17ed4fe
  • alt-python27-debug-2.7.18-37.el9.x86_64.rpm
    sha:be89ab4dd1dda3a583b8302fc8ef8a07f0de1aa1c42b30c1a89aa92967ce4fb3
  • alt-python27-devel-2.7.18-37.el9.x86_64.rpm
    sha:e059f9339208e1f52be23baa7ece9bff6a353968680f2d206f5eace924662761
  • alt-python27-libs-2.7.18-37.el9.x86_64.rpm
    sha:f1ffad450070d11bdb27d62c9ed6f2d1408a6a5f10f7533d47ac8511d22c175c
  • alt-python27-test-2.7.18-37.el9.x86_64.rpm
    sha:840e37ba1a261f3976e7da1b647041bff125ea3f614cd8ca9b96f523082427d9
  • alt-python27-tkinter-2.7.18-37.el9.x86_64.rpm
    sha:2c55bb04355f5a0edc93ddbb5401e1fb30ae6b5d55ab47a0294aa36b2c8bb697
  • alt-python27-tools-2.7.18-37.el9.x86_64.rpm
    sha:b1e50d5f71bbbff98c844d2374e97458052786cc56e3a5bc402b81985de551b3
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.