{
  "document": {
    "aggregate_severity": {
      "text": "Critical"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "TuxCare License Agreement",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.",
        "title": "Terms of Use"
      },
      {
        "category": "details",
        "text": "Commit: d1181c70178c78a9fec2116dbe6403c32f96a867-dirty",
        "title": "Details"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://tuxcare.com/contact/",
      "name": "TuxCare",
      "namespace": "https://tuxcare.com/"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://cve.tuxcare.com/els-alt-python/releases/CLSA-2026:1778774997",
        "url": "https://cve.tuxcare.com/els-alt-python/releases/CLSA-2026:1778774997"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.tuxcare.com/csaf/v2/els_alt_python/alpinelinux3.23/advisories/2026/clsa-2026_1778774997.json"
      }
    ],
    "tracking": {
      "current_release_date": "2026-05-14T16:11:35Z",
      "generator": {
        "date": "2026-05-14T16:11:35Z",
        "engine": {
          "name": "pyCSAF"
        }
      },
      "id": "CLSA-2026:1778774997",
      "initial_release_date": "2026-05-14T16:11:35Z",
      "revision_history": [
        {
          "date": "2026-05-14T16:11:35Z",
          "number": "1",
          "summary": "Initial version"
        }
      ],
      "status": "final",
      "version": "1"
    },
    "title": "Update of alt-python39-wheel"
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Alpine Linux 3.23",
                "product": {
                  "name": "Alpine Linux 3.23",
                  "product_id": "Alpine-Linux-3.23",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:o:alpinelinux:alpine_linux:3.23:*:*:*:*:*:*:*"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Alpine Linux"
          }
        ],
        "category": "vendor",
        "name": "Alpine Linux"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "alt-python39-wheel-0.37.0-rr3.x86_64",
                "product": {
                  "name": "alt-python39-wheel-0.37.0-rr3.x86_64",
                  "product_id": "alt-python39-wheel-0.37.0-rr3.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:apk/tuxcare/alt-python39-wheel@0.37.0-rr3?arch=x86_64&os_name=alpine&os_version=3.23"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "alt-python39-wheel-wheel-0.37.0-rr3.x86_64",
                "product": {
                  "name": "alt-python39-wheel-wheel-0.37.0-rr3.x86_64",
                  "product_id": "alt-python39-wheel-wheel-0.37.0-rr3.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:apk/tuxcare/alt-python39-wheel-wheel@0.37.0-rr3?arch=x86_64&os_name=alpine&os_version=3.23"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "alt-python39-wheel-0.37.0-rr3.aarch64",
                "product": {
                  "name": "alt-python39-wheel-0.37.0-rr3.aarch64",
                  "product_id": "alt-python39-wheel-0.37.0-rr3.aarch64",
                  "product_identification_helper": {
                    "purl": "pkg:apk/tuxcare/alt-python39-wheel@0.37.0-rr3?arch=aarch64&os_name=alpine&os_version=3.23"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "alt-python39-wheel-wheel-0.37.0-rr3.aarch64",
                "product": {
                  "name": "alt-python39-wheel-wheel-0.37.0-rr3.aarch64",
                  "product_id": "alt-python39-wheel-wheel-0.37.0-rr3.aarch64",
                  "product_identification_helper": {
                    "purl": "pkg:apk/tuxcare/alt-python39-wheel-wheel@0.37.0-rr3?arch=aarch64&os_name=alpine&os_version=3.23"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          }
        ],
        "category": "vendor",
        "name": "TuxCare"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "alt-python39-wheel-0.37.0-rr3.x86_64 as a component of Alpine Linux 3.23",
          "product_id": "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.x86_64"
        },
        "product_reference": "alt-python39-wheel-0.37.0-rr3.x86_64",
        "relates_to_product_reference": "Alpine-Linux-3.23"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "alt-python39-wheel-0.37.0-rr3.aarch64 as a component of Alpine Linux 3.23",
          "product_id": "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.aarch64"
        },
        "product_reference": "alt-python39-wheel-0.37.0-rr3.aarch64",
        "relates_to_product_reference": "Alpine-Linux-3.23"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "alt-python39-wheel-wheel-0.37.0-rr3.x86_64 as a component of Alpine Linux 3.23",
          "product_id": "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.x86_64"
        },
        "product_reference": "alt-python39-wheel-wheel-0.37.0-rr3.x86_64",
        "relates_to_product_reference": "Alpine-Linux-3.23"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "alt-python39-wheel-wheel-0.37.0-rr3.aarch64 as a component of Alpine Linux 3.23",
          "product_id": "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.aarch64"
        },
        "product_reference": "alt-python39-wheel-wheel-0.37.0-rr3.aarch64",
        "relates_to_product_reference": "Alpine-Linux-3.23"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-6100",
      "cwe": {
        "id": "CWE-825",
        "name": "Expired Pointer Dereference"
      },
      "notes": [
        {
          "category": "description",
          "text": "Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition.\nThe vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. The helper functions that decompress data in one shot, such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()`, are not affected, as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.aarch64",
          "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.x86_64",
          "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.aarch64",
          "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els-alt-python/cve/CVE-2026-6100"
        }
      ],
      "release_date": "2026-04-13T17:15:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-14T16:09:59.880772Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els-alt-python/releases/CLSA-2026:1778774997",
          "product_ids": [
            "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.aarch64",
            "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.x86_64",
            "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.aarch64",
            "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els-alt-python/releases/CLSA-2026:1778774997"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.aarch64",
            "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.x86_64",
            "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.aarch64",
            "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ]
    },
    {
      "cve": "CVE-2025-8194",
      "cwe": {
        "id": "CWE-835",
        "name": "Loop with Unreachable Exit Condition ('Infinite Loop')"
      },
      "notes": [
        {
          "category": "description",
          "text": "There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives. \nThis vulnerability can be mitigated by including the following patch after importing the “tarfile” module:  https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.aarch64",
          "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.x86_64",
          "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.aarch64",
          "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els-alt-python/cve/CVE-2025-8194"
        }
      ],
      "release_date": "2025-07-28T18:42:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-14T16:09:59.880772Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els-alt-python/releases/CLSA-2026:1778774997",
          "product_ids": [
            "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.aarch64",
            "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.x86_64",
            "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.aarch64",
            "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els-alt-python/releases/CLSA-2026:1778774997"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.aarch64",
            "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.x86_64",
            "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.aarch64",
            "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ]
    },
    {
      "cve": "CVE-2025-15282",
      "cwe": {
        "id": "CWE-93",
        "name": "Improper Neutralization of CRLF Sequences ('CRLF Injection')"
      },
      "notes": [
        {
          "category": "description",
          "text": "User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.aarch64",
          "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.x86_64",
          "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.aarch64",
          "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els-alt-python/cve/CVE-2025-15282"
        }
      ],
      "release_date": "2026-01-20T21:35:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-14T16:09:59.880772Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els-alt-python/releases/CLSA-2026:1778774997",
          "product_ids": [
            "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.aarch64",
            "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.x86_64",
            "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.aarch64",
            "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els-alt-python/releases/CLSA-2026:1778774997"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.aarch64",
            "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.x86_64",
            "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.aarch64",
            "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ]
    },
    {
      "cve": "CVE-2025-12084",
      "cwe": {
        "id": "CWE-407",
        "name": "Inefficient Algorithmic Complexity"
      },
      "notes": [
        {
          "category": "description",
          "text": "When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache(), the algorithm is quadratic. Availability can be impacted when building excessively nested documents.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.aarch64",
          "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.x86_64",
          "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.aarch64",
          "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els-alt-python/cve/CVE-2025-12084"
        },
        {
          "category": "external",
          "summary": "https://github.com/python/cpython/commit/027f21e417b26eed4505ac2db101a4352b7c51a0",
          "url": "https://github.com/python/cpython/commit/027f21e417b26eed4505ac2db101a4352b7c51a0"
        },
        {
          "category": "external",
          "summary": "https://github.com/python/cpython/commit/08d8e18ad81cd45bc4a27d6da478b51ea49486e4",
          "url": "https://github.com/python/cpython/commit/08d8e18ad81cd45bc4a27d6da478b51ea49486e4"
        },
        {
          "category": "external",
          "summary": "https://github.com/python/cpython/commit/27648a1818749ef44c420afe6173af6868715437",
          "url": "https://github.com/python/cpython/commit/27648a1818749ef44c420afe6173af6868715437"
        },
        {
          "category": "external",
          "summary": "https://github.com/python/cpython/commit/41f468786762348960486c166833a218a0a436af",
          "url": "https://github.com/python/cpython/commit/41f468786762348960486c166833a218a0a436af"
        },
        {
          "category": "external",
          "summary": "https://github.com/python/cpython/commit/57937a8e5e293f0dcba5115f7b7a11b1e0c9a273",
          "url": "https://github.com/python/cpython/commit/57937a8e5e293f0dcba5115f7b7a11b1e0c9a273"
        },
        {
          "category": "external",
          "summary": "https://github.com/python/cpython/commit/8d2d7bb2e754f8649a68ce4116271a4932f76907",
          "url": "https://github.com/python/cpython/commit/8d2d7bb2e754f8649a68ce4116271a4932f76907"
        },
        {
          "category": "external",
          "summary": "https://github.com/python/cpython/commit/9c9dda6625a2a90d2a06c657eee021d6be19842d",
          "url": "https://github.com/python/cpython/commit/9c9dda6625a2a90d2a06c657eee021d6be19842d"
        },
        {
          "category": "external",
          "summary": "https://github.com/python/cpython/commit/a46c10ec9d4050ab67b8a932e0859a2ea60c3cb8",
          "url": "https://github.com/python/cpython/commit/a46c10ec9d4050ab67b8a932e0859a2ea60c3cb8"
        },
        {
          "category": "external",
          "summary": "https://github.com/python/cpython/commit/a696ba8b4d42fd632afc9bc88ad830a2e4cceed8",
          "url": "https://github.com/python/cpython/commit/a696ba8b4d42fd632afc9bc88ad830a2e4cceed8"
        },
        {
          "category": "external",
          "summary": "https://github.com/python/cpython/commit/c97e87593063d84a2bd9fe7068b30eb44de23dc0",
          "url": "https://github.com/python/cpython/commit/c97e87593063d84a2bd9fe7068b30eb44de23dc0"
        },
        {
          "category": "external",
          "summary": "https://github.com/python/cpython/commit/ddcd2acd85d891a53e281c773b3093f9db953964",
          "url": "https://github.com/python/cpython/commit/ddcd2acd85d891a53e281c773b3093f9db953964"
        },
        {
          "category": "external",
          "summary": "https://github.com/python/cpython/commit/e91c11449cad34bac3ea55ee09ca557691d92b53",
          "url": "https://github.com/python/cpython/commit/e91c11449cad34bac3ea55ee09ca557691d92b53"
        },
        {
          "category": "external",
          "summary": "https://github.com/python/cpython/issues/142145",
          "url": "https://github.com/python/cpython/issues/142145"
        },
        {
          "category": "external",
          "summary": "https://github.com/python/cpython/pull/142146",
          "url": "https://github.com/python/cpython/pull/142146"
        }
      ],
      "release_date": "2025-12-03T19:15:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-14T16:09:59.880772Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els-alt-python/releases/CLSA-2026:1778774997",
          "product_ids": [
            "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.aarch64",
            "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.x86_64",
            "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.aarch64",
            "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els-alt-python/releases/CLSA-2026:1778774997"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.aarch64",
            "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.x86_64",
            "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.aarch64",
            "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ]
    },
    {
      "cve": "CVE-2026-1299",
      "cwe": {
        "id": "CWE-93",
        "name": "Improper Neutralization of CRLF Sequences ('CRLF Injection')"
      },
      "notes": [
        {
          "category": "description",
          "text": "The email module, specifically the \"BytesGenerator\" class, didn’t properly quote newlines for email headers when serializing an email message, allowing for header injection when an email is serialized. This is only applicable if using \"LiteralHeader\" writing headers that don't respect email folding rules; the new behavior will reject the incorrectly folded headers in \"BytesGenerator\".",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.aarch64",
          "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.x86_64",
          "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.aarch64",
          "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els-alt-python/cve/CVE-2026-1299"
        }
      ],
      "release_date": "2026-01-23T16:27:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-14T16:09:59.880772Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els-alt-python/releases/CLSA-2026:1778774997",
          "product_ids": [
            "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.aarch64",
            "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.x86_64",
            "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.aarch64",
            "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els-alt-python/releases/CLSA-2026:1778774997"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.aarch64",
            "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.x86_64",
            "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.aarch64",
            "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ]
    },
    {
      "cve": "CVE-2026-3644",
      "cwe": {
        "id": "CWE-791",
        "name": "Incomplete Filtering of Special Elements"
      },
      "notes": [
        {
          "category": "description",
          "text": "The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.aarch64",
          "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.x86_64",
          "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.aarch64",
          "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els-alt-python/cve/CVE-2026-3644"
        }
      ],
      "release_date": "2026-03-16T17:37:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-14T16:09:59.880772Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els-alt-python/releases/CLSA-2026:1778774997",
          "product_ids": [
            "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.aarch64",
            "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.x86_64",
            "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.aarch64",
            "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els-alt-python/releases/CLSA-2026:1778774997"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.aarch64",
            "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.x86_64",
            "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.aarch64",
            "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ]
    },
    {
      "cve": "CVE-2025-13837",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "notes": [
        {
          "category": "description",
          "text": "When loading a plist file, the plistlib module reads data in the size specified by the file itself, meaning a malicious file can cause out-of-memory (OOM) and denial-of-service (DoS) issues.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.aarch64",
          "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.x86_64",
          "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.aarch64",
          "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els-alt-python/cve/CVE-2025-13837"
        },
        {
          "category": "external",
          "summary": "https://github.com/python/cpython/commit/568342cfc8f002d9a15f30238f26b9d2e0e79036",
          "url": "https://github.com/python/cpython/commit/568342cfc8f002d9a15f30238f26b9d2e0e79036"
        },
        {
          "category": "external",
          "summary": "https://github.com/python/cpython/commit/5a8b19677d818fb41ee55f310233772e15aa1a2b",
          "url": "https://github.com/python/cpython/commit/5a8b19677d818fb41ee55f310233772e15aa1a2b"
        },
        {
          "category": "external",
          "summary": "https://github.com/python/cpython/commit/694922cf40aa3a28f898b5f5ee08b71b4922df70",
          "url": "https://github.com/python/cpython/commit/694922cf40aa3a28f898b5f5ee08b71b4922df70"
        },
        {
          "category": "external",
          "summary": "https://github.com/python/cpython/commit/71fa8eb8233b37f16c88b6e3e583b461b205d1ba",
          "url": "https://github.com/python/cpython/commit/71fa8eb8233b37f16c88b6e3e583b461b205d1ba"
        },
        {
          "category": "external",
          "summary": "https://github.com/python/cpython/commit/b64441e4852383645af5b435411a6f849dd1b4cb",
          "url": "https://github.com/python/cpython/commit/b64441e4852383645af5b435411a6f849dd1b4cb"
        },
        {
          "category": "external",
          "summary": "https://github.com/python/cpython/commit/cefee7d118a26ef6cd43db59bb9d98ca9a331111",
          "url": "https://github.com/python/cpython/commit/cefee7d118a26ef6cd43db59bb9d98ca9a331111"
        },
        {
          "category": "external",
          "summary": "https://github.com/python/cpython/issues/119342",
          "url": "https://github.com/python/cpython/issues/119342"
        },
        {
          "category": "external",
          "summary": "https://github.com/python/cpython/pull/119343",
          "url": "https://github.com/python/cpython/pull/119343"
        },
        {
          "category": "external",
          "summary": "https://mail.python.org/archives/list/security-announce@python.org/thread/2X5IBCJXRQAZ5PSERLHMSJFBHFR3QM2C/",
          "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/2X5IBCJXRQAZ5PSERLHMSJFBHFR3QM2C/"
        }
      ],
      "release_date": "2025-12-01T18:16:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-14T16:09:59.880772Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els-alt-python/releases/CLSA-2026:1778774997",
          "product_ids": [
            "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.aarch64",
            "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.x86_64",
            "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.aarch64",
            "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els-alt-python/releases/CLSA-2026:1778774997"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.aarch64",
            "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.x86_64",
            "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.aarch64",
            "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ]
    },
    {
      "cve": "CVE-2026-4519",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "description",
          "text": "The webbrowser.open() API would accept leading dashes in the URL which \ncould be handled as command line options for certain web browsers. New \nbehavior rejects leading dashes. Users are recommended to sanitize URLs \nprior to passing to webbrowser.open().",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.aarch64",
          "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.x86_64",
          "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.aarch64",
          "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els-alt-python/cve/CVE-2026-4519"
        },
        {
          "category": "external",
          "summary": "https://github.com/python/cpython/commit/3681d47a440865aead912a054d4599087b4270dd",
          "url": "https://github.com/python/cpython/commit/3681d47a440865aead912a054d4599087b4270dd"
        },
        {
          "category": "external",
          "summary": "https://github.com/python/cpython/commit/43fe06b96f6a6cf5cfd5bdab20b8649374956866",
          "url": "https://github.com/python/cpython/commit/43fe06b96f6a6cf5cfd5bdab20b8649374956866"
        },
        {
          "category": "external",
          "summary": "https://github.com/python/cpython/commit/591ed890270c5697b013bf637029fb3e6cd2d73e",
          "url": "https://github.com/python/cpython/commit/591ed890270c5697b013bf637029fb3e6cd2d73e"
        },
        {
          "category": "external",
          "summary": "https://github.com/python/cpython/commit/594b5a05dc9913880ac92eded440defbf32a28d1",
          "url": "https://github.com/python/cpython/commit/594b5a05dc9913880ac92eded440defbf32a28d1"
        },
        {
          "category": "external",
          "summary": "https://github.com/python/cpython/commit/82a24a4442312bdcfc4c799885e8b3e00990f02b",
          "url": "https://github.com/python/cpython/commit/82a24a4442312bdcfc4c799885e8b3e00990f02b"
        },
        {
          "category": "external",
          "summary": "https://github.com/python/cpython/commit/89bfb8e5ed3c7caa241028f1a4eac5f6275a46a4",
          "url": "https://github.com/python/cpython/commit/89bfb8e5ed3c7caa241028f1a4eac5f6275a46a4"
        },
        {
          "category": "external",
          "summary": "https://github.com/python/cpython/commit/9669a912a0e329c094e992204d6bdb8787024d76",
          "url": "https://github.com/python/cpython/commit/9669a912a0e329c094e992204d6bdb8787024d76"
        },
        {
          "category": "external",
          "summary": "https://github.com/python/cpython/commit/96fc5048605863c7b6fd6289643feb0e97edd96c",
          "url": "https://github.com/python/cpython/commit/96fc5048605863c7b6fd6289643feb0e97edd96c"
        },
        {
          "category": "external",
          "summary": "https://github.com/python/cpython/commit/ad4d5ba32af4d80b0dfa2ba9d8203bfb219e60a5",
          "url": "https://github.com/python/cpython/commit/ad4d5ba32af4d80b0dfa2ba9d8203bfb219e60a5"
        },
        {
          "category": "external",
          "summary": "https://github.com/python/cpython/commit/cbba6119391112aba9c5aebf7b94aea447922c48",
          "url": "https://github.com/python/cpython/commit/cbba6119391112aba9c5aebf7b94aea447922c48"
        },
        {
          "category": "external",
          "summary": "https://github.com/python/cpython/commit/cc023511238ad93ecc8796157c6f9139a2bb2932",
          "url": "https://github.com/python/cpython/commit/cc023511238ad93ecc8796157c6f9139a2bb2932"
        },
        {
          "category": "external",
          "summary": "https://github.com/python/cpython/commit/ceac1efc66516ac387eef2c9a0ce671895b44f03",
          "url": "https://github.com/python/cpython/commit/ceac1efc66516ac387eef2c9a0ce671895b44f03"
        },
        {
          "category": "external",
          "summary": "https://github.com/python/cpython/issues/143930",
          "url": "https://github.com/python/cpython/issues/143930"
        },
        {
          "category": "external",
          "summary": "https://github.com/python/cpython/pull/143931",
          "url": "https://github.com/python/cpython/pull/143931"
        },
        {
          "category": "external",
          "summary": "https://mail.python.org/archives/list/security-announce@python.org/thread/AY5NDSS433JK56Q7Q5IS7B37QFZVVOUS/",
          "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/AY5NDSS433JK56Q7Q5IS7B37QFZVVOUS/"
        },
        {
          "category": "external",
          "summary": "http://www.openwall.com/lists/oss-security/2026/03/20/1",
          "url": "http://www.openwall.com/lists/oss-security/2026/03/20/1"
        }
      ],
      "release_date": "2026-03-20T15:16:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-14T16:09:59.880772Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els-alt-python/releases/CLSA-2026:1778774997",
          "product_ids": [
            "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.aarch64",
            "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.x86_64",
            "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.aarch64",
            "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els-alt-python/releases/CLSA-2026:1778774997"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 3.3,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.aarch64",
            "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.x86_64",
            "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.aarch64",
            "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ]
    },
    {
      "cve": "CVE-2026-3446",
      "cwe": {
        "id": "CWE-1286",
        "name": "Improper Validation of Syntactic Correctness of Input"
      },
      "notes": [
        {
          "category": "description",
          "text": "When calling base64.b64decode() or related functions the decoding process would stop after encountering the first padded quad regardless of whether there was more information to be processed. This can lead to data being accepted which may be processed differently by other implementations. Use \"validate=True\" to enable stricter processing of base64 data.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.aarch64",
          "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.x86_64",
          "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.aarch64",
          "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els-alt-python/cve/CVE-2026-3446"
        }
      ],
      "release_date": "2026-04-10T18:17:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-14T16:09:59.880772Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els-alt-python/releases/CLSA-2026:1778774997",
          "product_ids": [
            "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.aarch64",
            "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.x86_64",
            "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.aarch64",
            "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els-alt-python/releases/CLSA-2026:1778774997"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.aarch64",
            "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.x86_64",
            "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.aarch64",
            "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ]
    },
    {
      "cve": "CVE-2026-4224",
      "cwe": {
        "id": "CWE-805",
        "name": "Buffer Access with Incorrect Length Value"
      },
      "notes": [
        {
          "category": "description",
          "text": "When an Expat parser with a registered ElementDeclHandler parses an inline\ndocument type definition containing a deeply nested content model a C stack\noverflow occurs.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.aarch64",
          "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.x86_64",
          "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.aarch64",
          "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els-alt-python/cve/CVE-2026-4224"
        }
      ],
      "release_date": "2026-03-16T17:52:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-14T16:09:59.880772Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els-alt-python/releases/CLSA-2026:1778774997",
          "product_ids": [
            "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.aarch64",
            "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.x86_64",
            "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.aarch64",
            "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els-alt-python/releases/CLSA-2026:1778774997"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.aarch64",
            "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.x86_64",
            "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.aarch64",
            "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ]
    },
    {
      "cve": "CVE-2026-0672",
      "cwe": {
        "id": "CWE-93",
        "name": "Improper Neutralization of CRLF Sequences ('CRLF Injection')"
      },
      "notes": [
        {
          "category": "description",
          "text": "When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.aarch64",
          "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.x86_64",
          "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.aarch64",
          "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els-alt-python/cve/CVE-2026-0672"
        }
      ],
      "release_date": "2026-01-20T21:52:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-14T16:09:59.880772Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els-alt-python/releases/CLSA-2026:1778774997",
          "product_ids": [
            "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.aarch64",
            "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.x86_64",
            "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.aarch64",
            "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els-alt-python/releases/CLSA-2026:1778774997"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.aarch64",
            "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.x86_64",
            "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.aarch64",
            "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ]
    },
    {
      "cve": "CVE-2025-6075",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "notes": [
        {
          "category": "description",
          "text": "If the value passed to os.path.expandvars() is user-controlled a \nperformance degradation is possible when expanding environment \nvariables.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.aarch64",
          "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.x86_64",
          "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.aarch64",
          "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els-alt-python/cve/CVE-2025-6075"
        },
        {
          "category": "external",
          "summary": "https://github.com/python/cpython/commit/2e6150adccaaf5bd95d4c19dfd04a36e0b325d8c",
          "url": "https://github.com/python/cpython/commit/2e6150adccaaf5bd95d4c19dfd04a36e0b325d8c"
        },
        {
          "category": "external",
          "summary": "https://github.com/python/cpython/commit/5dceb93486176e6b4a6d9754491005113eb23427",
          "url": "https://github.com/python/cpython/commit/5dceb93486176e6b4a6d9754491005113eb23427"
        },
        {
          "category": "external",
          "summary": "https://github.com/python/cpython/commit/631ba3407e3348ccd56ce5160c4fb2c5dc5f4d84",
          "url": "https://github.com/python/cpython/commit/631ba3407e3348ccd56ce5160c4fb2c5dc5f4d84"
        },
        {
          "category": "external",
          "summary": "https://github.com/python/cpython/commit/892747b4cf0f95ba8beb51c0d0658bfaa381ebca",
          "url": "https://github.com/python/cpython/commit/892747b4cf0f95ba8beb51c0d0658bfaa381ebca"
        },
        {
          "category": "external",
          "summary": "https://github.com/python/cpython/commit/9ab89c026aa9611c4b0b67c288b8303a480fe742",
          "url": "https://github.com/python/cpython/commit/9ab89c026aa9611c4b0b67c288b8303a480fe742"
        },
        {
          "category": "external",
          "summary": "https://github.com/python/cpython/commit/c8a5f3435c342964e0a432cc9fb448b7dbecd1ba",
          "url": "https://github.com/python/cpython/commit/c8a5f3435c342964e0a432cc9fb448b7dbecd1ba"
        },
        {
          "category": "external",
          "summary": "https://github.com/python/cpython/commit/f029e8db626ddc6e3a3beea4eff511a71aaceb5c",
          "url": "https://github.com/python/cpython/commit/f029e8db626ddc6e3a3beea4eff511a71aaceb5c"
        },
        {
          "category": "external",
          "summary": "https://github.com/python/cpython/issues/136065",
          "url": "https://github.com/python/cpython/issues/136065"
        },
        {
          "category": "external",
          "summary": "https://mail.python.org/archives/list/security-announce@python.org/thread/IUP5QJ6D4KK6ULHOMPC7DPNKRYQTQNLA/",
          "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/IUP5QJ6D4KK6ULHOMPC7DPNKRYQTQNLA/"
        }
      ],
      "release_date": "2025-10-31T17:15:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-14T16:09:59.880772Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els-alt-python/releases/CLSA-2026:1778774997",
          "product_ids": [
            "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.aarch64",
            "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.x86_64",
            "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.aarch64",
            "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els-alt-python/releases/CLSA-2026:1778774997"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.aarch64",
            "Alpine-Linux-3.23:alt-python39-wheel-0.37.0-rr3.x86_64",
            "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.aarch64",
            "Alpine-Linux-3.23:alt-python39-wheel-wheel-0.37.0-rr3.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ]
    }
  ]
}