[CLSA-2026:1777623420] Fix CVE(s): CVE-2021-28861, CVE-2024-0397, CVE-2024-6923, CVE-2026-1299
Type:
security
Severity:
Important
Release date:
2026-05-01 08:17:06 UTC
Description:
* SECURITY UPDATE: header injection via newline in email.Generator
  - debian/patches/CVE-2026-1299.patch: add HeaderWriteError exception to Lib/email/errors.py, add NEWLINE_WITHOUT_FWSP regex to Lib/email/generator.py and check the header *value* in all four branches of Generator._write_headers(), raising HeaderWriteError when a CR/LF without folding whitespace is found. Updates test_embedded_header_via_string_rejected to expect HeaderWriteError instead of HeaderParseError. In Python 2.7 this single Generator-class hardening covers both upstream CVE-2026-1299 (BytesGenerator) and CVE-2024-6923 because BytesGenerator does not exist in 2.7.
  - CVE-2026-1299
* SECURITY UPDATE: missing header-name newline check in email.Generator
  - debian/patches/CVE-2024-6923.patch: add NEWLINE_WITHOUT_FWSP check on the header *name* at the top of Generator._write_headers() in Lib/email/generator.py, raising HeaderWriteError when a CR/LF without folding whitespace is found in the header name. Documents HeaderWriteError in Doc/library/email.errors.rst and adds a test_invalid_header_format regression test in Lib/email/test/test_email_renamed.py.
  - CVE-2024-6923
* SECURITY UPDATE: ssl.SSLContext data race in cert_store_stats / get_ca_certs
  - debian/patches/CVE-2024-0397.patch: backport of upstream 3.8 commit 29c97287d2 ("[3.8] gh-114572: Fix locking in cert_store_stats and get_ca_certs"). Adds a polyfill of OpenSSL 3.3's X509_STORE_get1_objects() (deep-copy under X509_STORE_lock()) and replaces the shared, unlocked X509_STORE_get0_objects() calls in cert_store_stats() and get_ca_certs() in Modules/_ssl.c, preventing a memory race and potential use-after-free when an SSLContext is shared across multiple threads.
  - CVE-2024-0397
* SECURITY UPDATE: open redirect in BaseHTTPServer when path starts with //
  - debian/patches/CVE-2021-28861.patch: backport of upstream commit 4abab6b603 ("gh-87389: Fix an open redirection vulnerability in http.server"). In Lib/BaseHTTPServer.py, after the request line is parsed, collapse any leading run of '/' characters to a single '/' so an attacker-controlled '//evil.example/...' path cannot become an absolute scheme-less URI in a 301 Location header. Adds a regression test in Lib/test/test_httpservers.py.
  - CVE-2021-28861
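As an added illustration (not the package's patch or CPython's own code), the following Python reconstructs the check the two email.Generator fixes describe: the NEWLINE_WITHOUT_FWSP regex applied to both the header name (CVE-2024-6923) and the header value (CVE-2026-1299), raising HeaderWriteError. The render_headers and is_rejected helpers, the trailing-newline check and the sample header values are this example's own constructions.

```python
import re

# Reconstruction of the check described in the advisory (constructed example,
# not the package's patch). A CR or LF inside a header is only legal when it is
# immediately followed by folding whitespace (space or tab); anything else
# would start a new header line when the message is serialised.
NEWLINE_WITHOUT_FWSP = re.compile(r'\r\n[^ \t]|\r[^ \n\t]|\n[^ \t]')


class HeaderWriteError(Exception):
    """Raised when a header name or value would start a new header line."""


def check_header(name, value):
    """Return True if name and value are safe to serialise, else raise.

    The name check corresponds to the CVE-2024-6923 fix and the value check
    to the CVE-2026-1299 fix; both apply the same regex.
    """
    if NEWLINE_WITHOUT_FWSP.search(name):
        raise HeaderWriteError('invalid line break in header name %r' % name)
    # Added hardening for this example: the serialiser appends the line
    # separator itself, so a value ending in a bare CR/LF would produce an
    # empty line and terminate the header block early.
    if NEWLINE_WITHOUT_FWSP.search(value) or value.endswith(('\r', '\n')):
        raise HeaderWriteError('invalid line break in header value %r' % value)
    return True


def render_headers(headers):
    """Serialise (name, value) pairs into a header block, rejecting any pair
    that would smuggle an extra header line."""
    lines = []
    for name, value in headers:
        check_header(name, value)
        lines.append('%s: %s' % (name, value))
    return '\r\n'.join(lines) + '\r\n\r\n'


def is_rejected(name, value):
    """True when check_header refuses the pair with HeaderWriteError."""
    try:
        check_header(name, value)
    except HeaderWriteError:
        return True
    return False


if __name__ == '__main__':
    # Constructed samples: a legitimately folded Subject passes, a value
    # carrying an unfolded line break is refused.
    print(render_headers([('Subject', 'status\r\n\treport')]))
    print(is_rejected('Subject', 'status\r\nBcc: someone@example.invalid'))
```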
Updated packages:
  • alt-python27_2.7.18-17_amd64.deb
    sha:7735a0a653cc9ab4c8502d3232d17ba910d92748
  • alt-python27-debug_2.7.18-17_amd64.deb
    sha:72a8aad3c7b1453237048f6adbacc3e552a335e4
  • alt-python27-devel_2.7.18-17_amd64.deb
    sha:0621ddb550e82ee41a035cbdeb917c963192542e
  • alt-python27-idle_2.7.18-17_amd64.deb
    sha:60c5bef8ec54625ae8d1bc69fb7b1a20bfd32207
  • alt-python27-libs_2.7.18-17_amd64.deb
    sha:166167552b6ab0f3a81c7b8a61a0362adbbd5047
  • alt-python27-test_2.7.18-17_amd64.deb
    sha:0240aba402e2bf00d441ed1509225ba7206d4f10
  • alt-python27-tkinter_2.7.18-17_amd64.deb
    sha:0609d922b55bcc3d5f19cb7bf9567caa2213fa2d
  • alt-python27-tools_2.7.18-17_amd64.deb
    sha:83108794e93fa95ce95a0767d236e79fc0c640e3
  • alt-python27_2.7.18-17_arm64.deb
    sha:a5a23b3383cf7b3ae8b554baa5bac9062aa20089
  • alt-python27-debug_2.7.18-17_arm64.deb
    sha:0674944d403005ba6519077368eea6c4abafcdb2
  • alt-python27-devel_2.7.18-17_arm64.deb
    sha:de035d0d03893e8dfa4d95beecd19a3ff4859b98
  • alt-python27-idle_2.7.18-17_arm64.deb
    sha:efebc5c113967758d7f26dcac0d75eecbcaca614
  • alt-python27-libs_2.7.18-17_arm64.deb
    sha:64f0335d2b467d72e7a7b09463c2b5f639dff18e
  • alt-python27-test_2.7.18-17_arm64.deb
    sha:a5ab22cafc4faf1d21f7d42a254a4f6a53729e9d
  • alt-python27-tkinter_2.7.18-17_arm64.deb
    sha:18baf89d3d08b89027649dc2988c4053e32e7631
  • alt-python27-tools_2.7.18-17_arm64.deb
    sha:8494695128bfe1ceeadecdb31baefba8affa778c
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.