[CLSA-2026:1777390949] Fix CVE(s): CVE-2024-0450, CVE-2026-6100

Type:

security

Severity:

Critical

Release date:

2026-04-28 15:42:35 UTC

Description:

   * SECURITY UPDATE: zipfile quoted-overlap zip bomb
     - debian/patches/CVE-2024-0450.patch: raise BadZipFile when an
       archive entry overlaps with another entry or the central
       directory, preventing quoted-overlap zip bombs with extreme
       compression ratios.
     - CVE-2024-0450
   * SECURITY UPDATE: use-after-free in lzma/bz2 decompressors
     - debian/patches/CVE-2026-6100.patch: null next_in at the error:
       label of decompress() in Modules/_bz2module.c and
       Modules/_lzmamodule.c so the decompressor cannot be re-used
       with a stale buffer pointer after a MemoryError.
     - CVE-2026-6100

Updated packages:

alt-python36_3.6.15-30_amd64.deb
sha:94b0268815c58c8cbce4ae3b32a5e472340b1c33
alt-python36-debug_3.6.15-30_amd64.deb
sha:d30167018561b3d051a3ddb33b3981c0d6e44221
alt-python36-devel_3.6.15-30_amd64.deb
sha:b30ea00393f48aeb93c18ce5566b93346f106835
alt-python36-libs_3.6.15-30_amd64.deb
sha:dd5f413c4e8275febbb59a5b0cc97c356a98e1cb
alt-python36-test_3.6.15-30_amd64.deb
sha:1f4d13e13082ed90de32aabac587e9b49e08c9bf
alt-python36-tkinter_3.6.15-30_amd64.deb
sha:2e6f2c3cb35e4e8b94ac50550d111760472d02c6
alt-python36-tools_3.6.15-30_amd64.deb
sha:9f5ae7f764f317f3cbc2c0aa62a0bb463b9385e7

Notes:

This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.