Release date: 2026-05-01 08:57:31 UTC
Description:
  * SECURITY UPDATE: header injection via newline in email.Generator
    - debian/patches/CVE-2026-1299.patch: add HeaderWriteError exception
      to Lib/email/errors.py, add NEWLINE_WITHOUT_FWSP regex to
      Lib/email/generator.py and check the header *value* in all four
      branches of Generator._write_headers(), raising HeaderWriteError
      when a CR/LF without folding whitespace is found. Updates
      test_embedded_header_via_string_rejected to expect
      HeaderWriteError instead of HeaderParseError. In Python 2.7 this
      single Generator-class hardening covers both upstream
      CVE-2026-1299 (BytesGenerator) and CVE-2024-6923 because
      BytesGenerator does not exist in 2.7.
    - CVE-2026-1299
  * SECURITY UPDATE: missing header-name newline check in email.Generator
    - debian/patches/CVE-2024-6923.patch: add NEWLINE_WITHOUT_FWSP check
      on the header *name* at the top of Generator._write_headers() in
      Lib/email/generator.py, raising HeaderWriteError when a CR/LF
      without folding whitespace is found in the header name. Documents
      HeaderWriteError in Doc/library/email.errors.rst and adds a
      test_invalid_header_format regression test in
      Lib/email/test/test_email_renamed.py.
    - CVE-2024-6923
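The two checks described in the entries above (on the header name and on the header value) can be illustrated with a small stand-alone function. This is an added example written for Python 3, not code from the CloudLinux package or from the CPython patches; the regex spelling is the one used in the upstream CPython fix, and it is an assumption that the 2.7 backport uses exactly the same pattern. The helper names `check_header` and `serialize_headers` are illustrative:

```python
import re

# Same name as the regex the changelog adds to Lib/email/generator.py.
# It matches a CR or LF that is NOT followed by a space or tab, i.e. a line
# break that is not RFC 5322 header folding (continuation of the same field).
NEWLINE_WITHOUT_FWSP = re.compile(r'\r\n[^ \t]|\r[^ \n\t]|\n[^ \t]')


class HeaderWriteError(Exception):
    """Raised when a header cannot be serialised without emitting an extra line."""


def check_header(name, value):
    """Return (name, value) when both are safe to write, else raise.

    Mirrors the two checks the patches add to Generator._write_headers():
    the name check (CVE-2024-6923) and the value check (CVE-2026-1299).
    As an additional check in this example, a value that *ends* in a bare
    CR/LF is refused too, since it would terminate the header block early.
    """
    if NEWLINE_WITHOUT_FWSP.search(name):
        raise HeaderWriteError('Header name %r contains invalid newlines' % name)
    if NEWLINE_WITHOUT_FWSP.search(value) or value.endswith(('\r', '\n')):
        raise HeaderWriteError('Header value %r contains invalid newlines' % value)
    return name, value


def serialize_headers(headers):
    """Serialise (name, value) pairs as a CRLF-terminated header block,
    refusing any pair that would smuggle an additional header line."""
    lines = []
    for name, value in headers:
        check_header(name, value)
        lines.append('%s: %s' % (name, value))
    return '\r\n'.join(lines) + '\r\n'


if __name__ == '__main__':
    # Constructed sample: a legitimately folded value is accepted ...
    print(serialize_headers([('To', 'user@example.com'),
                             ('Subject', 'first line\r\n continued')]))
    # ... while a line break inside a value that is not folding is rejected.
    try:
        serialize_headers([('Subject', 'hi\r\nX-Injected: yes')])
    except HeaderWriteError as exc:
        print('rejected:', exc)
```

The folded value passes because the CR/LF is followed by a space, which is exactly the case the regex is written to tolerate; a bare CR, a bare LF, or a CR/LF followed by anything else is rejected before any bytes are written.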
  * SECURITY UPDATE: ssl.SSLContext data race in cert_store_stats / get_ca_certs
    - debian/patches/CVE-2024-0397.patch: backport of upstream 3.8
      commit 29c97287d2 ("[3.8] gh-114572: Fix locking in
      cert_store_stats and get_ca_certs"). Adds a polyfill of
      OpenSSL 3.3's X509_STORE_get1_objects() (deep-copy under
      X509_STORE_lock()) and replaces the shared, unlocked
      X509_STORE_get0_objects() calls in cert_store_stats() and
      get_ca_certs() in Modules/_ssl.c, preventing a memory race
      and potential use-after-free when an SSLContext is shared
      across multiple threads.
    - CVE-2024-0397
  * SECURITY UPDATE: open redirect in BaseHTTPServer when path starts with //
    - debian/patches/CVE-2021-28861.patch: backport of upstream commit
      4abab6b603 ("gh-87389: Fix an open redirection vulnerability in
      http.server"). In Lib/BaseHTTPServer.py, after the request line
      is parsed, collapse any leading run of '/' characters to a
      single '/' so an attacker-controlled '//evil.example/...' path
      cannot become an absolute scheme-less URI in a 301 Location
      header. Adds a regression test in Lib/test/test_httpservers.py.
    - CVE-2021-28861
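Why collapsing the leading slashes matters is easiest to see by building the 301 Location value with and without the normalisation. This is an added example written for Python 3 (`urllib.parse` rather than 2.7's `urlparse`), not code from the package or the upstream patch; `normalize_request_path`, `directory_redirect_location` and `safe_directory_redirect_location` are illustrative names, and the Location construction is modelled on the urlsplit/urlunsplit sequence the standard-library directory handler uses when a directory is requested without its trailing slash:

```python
from urllib.parse import urlsplit, urlunsplit


def normalize_request_path(path):
    """Collapse a leading run of '/' to a single '/'.

    This is the idea of the backported fix: '//host/x' is otherwise parsed
    as a scheme-less absolute URI with netloc 'host' rather than as a path.
    """
    if path.startswith('//'):
        return '/' + path.lstrip('/')
    return path


def directory_redirect_location(path):
    """Location value for a directory request that lacks its trailing slash
    (the 301 case from the changelog), built the way the stdlib handler does:
    split the request path, append '/' to the path component, reassemble."""
    parts = urlsplit(path)
    return urlunsplit((parts.scheme, parts.netloc, parts.path + '/',
                       parts.query, parts.fragment))


def safe_directory_redirect_location(path):
    """Same as above, but with the leading-slash normalisation applied first."""
    return directory_redirect_location(normalize_request_path(path))


if __name__ == '__main__':
    # Constructed request path using the host name from the changelog entry.
    requested = '//evil.example/dir'
    # Unpatched: netloc is parsed out, so the redirect target is scheme-relative
    # and a browser resolves it against a different host.
    print('unpatched Location:', directory_redirect_location(requested))
    # Patched: the run of slashes is collapsed and the target stays a local path.
    print('patched   Location:', safe_directory_redirect_location(requested))
```

A normal path such as `/docs?x=1` is left untouched by the normalisation and still redirects to `/docs/?x=1`; only paths beginning with two or more slashes are rewritten.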
Updated packages:
- alt-python27_2.7.18-17_amd64.deb sha:925c3a7989eae64b575c03df79b6a541b12b8200
- alt-python27-debug_2.7.18-17_amd64.deb sha:976e9d80eab4e7b449a8e977e0df8d643e2aa897
- alt-python27-devel_2.7.18-17_amd64.deb sha:7943dc502afdfba775f2c696d70c08cf2452fa1a
- alt-python27-idle_2.7.18-17_amd64.deb sha:60c5bef8ec54625ae8d1bc69fb7b1a20bfd32207
- alt-python27-libs_2.7.18-17_amd64.deb sha:0fa1c91d882f5ae287be6da56bab5ff8467611e2
- alt-python27-test_2.7.18-17_amd64.deb sha:e81e52eab4a1a87e2a218cc792a8c996af934a30
- alt-python27-tkinter_2.7.18-17_amd64.deb sha:5db72c03a674f64a60cb6af3ceed7524d4d8f574
- alt-python27-tools_2.7.18-17_amd64.deb sha:83108794e93fa95ce95a0767d236e79fc0c640e3
- alt-python27_2.7.18-17_arm64.deb sha:76e9ae780e29ae492633d442c1eeaa97bbd41921
- alt-python27-debug_2.7.18-17_arm64.deb sha:b9b9bb755537627cbc748311e33d8602f77f1c71
- alt-python27-devel_2.7.18-17_arm64.deb sha:f83487dd8740f31469871384e05136ad1eed9335
- alt-python27-idle_2.7.18-17_arm64.deb sha:efebc5c113967758d7f26dcac0d75eecbcaca614
- alt-python27-libs_2.7.18-17_arm64.deb sha:cbc17a7957f34f00c03f4c606641bbaff57e423d
- alt-python27-test_2.7.18-17_arm64.deb sha:109def285847056a17461e27f40ca8f6ff675023
- alt-python27-tkinter_2.7.18-17_arm64.deb sha:b02800008852fc78a1e52de9f3a46cb439e4008e
- alt-python27-tools_2.7.18-17_arm64.deb sha:8494695128bfe1ceeadecdb31baefba8affa778c
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.