Release date:
2026-07-10 17:05:13 UTC
Description:
- CVE-2026-0672: reject control characters in the Cookie module - add the
_has_control_character() helper and validate in Morsel.__setitem__,
Morsel.setdefault(), Morsel.set() and BaseCookie.output(). Applied as the
prerequisite for CVE-2026-3644; Python 2.7.5 shipped neither fix.
- CVE-2026-3644: reject control characters in Morsel.update(), the unpickling
path (Morsel.__setstate__) and Morsel.js_output().
- CVE-2026-4224: guard conv_content_model() in pyexpat with
Py_EnterRecursiveCall()/Py_LeaveRecursiveCall() to avoid a C stack overflow
when parsing a deeply nested content model in an inline DTD with a registered
ElementDeclHandler.
- CVE-2025-13462: skip the old-v7 AREGTYPE -> DIRTYPE normalization in tarfile
when reading a follow-up header (GNU long name/link or PAX extended header),
so crafted multi-block members are no longer misinterpreted.
Updated packages:
-
python-2.7.5-94.0.1.el7_9.tuxcare.els11.x86_64.rpm
sha:e183b1179a872c9cfab7a66b2e130d2105d2d8e6c079ecf125cade2cfffb1260
-
python-debug-2.7.5-94.0.1.el7_9.tuxcare.els11.x86_64.rpm
sha:e477ca84e0bb0a679659e7249486430fb47f7cabc166f94d6075300f88dd95f2
-
python-devel-2.7.5-94.0.1.el7_9.tuxcare.els11.x86_64.rpm
sha:7718374074ec8cf0e0c0006177b89f16127eb9969da41e4fa11927a69f16c0fb
-
python-libs-2.7.5-94.0.1.el7_9.tuxcare.els11.i686.rpm
sha:a669eee69b61b10089b46e129514df4afb98cb12ac090708da1c218bee7a793f
-
python-libs-2.7.5-94.0.1.el7_9.tuxcare.els11.x86_64.rpm
sha:64eaca941cefef3de6ac5fc205ecbe465b58be42cee593d957c200df6a737070
-
python-test-2.7.5-94.0.1.el7_9.tuxcare.els11.x86_64.rpm
sha:588a52049b9ab72b2a4e103f032baca01e074f0144b338b9c108e2017a10ea92
-
python-tools-2.7.5-94.0.1.el7_9.tuxcare.els11.x86_64.rpm
sha:3dc4440fd1474199848a741197d8866a1e02b00bd777d9ae9e82258aa7e6ce5b
-
tkinter-2.7.5-94.0.1.el7_9.tuxcare.els11.x86_64.rpm
sha:026a1bb9b8ada668c6efdc0da2638daa3d876b5b769dd1cfb4887c99f8b82a52
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections please contact the
CloudLinux Packaging Team.