[CLSA-2026:1778979189] Fix CVE(s): CVE-2024-6232, CVE-2024-7592, CVE-2024-9287
Type:
security
Severity:
Important
Release date:
2026-05-17 00:53:13 UTC
Description:
* SECURITY UPDATE: ReDoS in tarfile PAX header parsing
  - debian/patches/CVE-2024-6232.patch: rewrite Lib/tarfile.py PAX-record parser to scan length-prefixed records via a bounded regex (_header_length_prefix_re) plus direct slicing, eliminating quadratic backtracking in three pre-existing regexes. Adapted from upstream commit 7d1f50cd (3.8 backport); walrus operator rewritten as assign-then-test for Python 3.7.
  - CVE-2024-6232
* SECURITY UPDATE: quadratic complexity in http.cookies._unquote
  - debian/patches/CVE-2024-7592.patch: replace the O(n^2) _OctalPatt/_QuotePatt while-loop in Lib/http/cookies.py with a single linear re.sub() driven by an alternation pattern and _unquote_replace callback. Verbatim from upstream commit 44e45835 / 3.8 backport a77ab244.
  - CVE-2024-7592
* SECURITY UPDATE: shell injection via venv activation script substitutions
  - debian/patches/CVE-2024-9287.patch: shell-quote __VENV_*__ placeholder substitutions in Lib/venv/__init__.py via shlex.quote (sh/csh/fish) and remove surrounding double-quotes from activate/activate.csh/activate.fish templates so the now-pre-quoted values splice safely. Adapted from upstream 3.9 backport 633555735a; Lib/venv/scripts/nt/Activate.ps1 deliberately untouched (matches upstream 3.9-3.12 backport scope).
  - CVE-2024-9287
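Worked example for the http.cookies._unquote change (CVE-2024-7592). This is an added illustration, not the advisory's patch text or the package's code: unquote_quadratic is a reduced reconstruction of the old _OctalPatt/_QuotePatt while-loop, unquote_linear follows the upstream single re.sub() approach the description names, and redos_input builds a constructed attacker-style value (many "\x" escapes, no octal escape) that makes the old loop re-scan the remainder on every iteration.

```python
"""Quadratic vs. linear cookie-value unquoting (the CVE-2024-7592 fix shape).

Added example for this advisory, not the patch text itself: the "before"
function is a reduced reconstruction of the old http.cookies._unquote loop and
the "after" function follows the upstream approach the advisory describes
(one re.sub() over an alternation pattern with a replacement callback).
"""
import re
import time

# Patterns the old loop searched for separately on every iteration.
_OctalPatt = re.compile(r"\\[0-3][0-7][0-7]")   # \ooo octal escape
_QuotePatt = re.compile(r"[\\].")               # \x  single-char escape


def unquote_quadratic(s):
    """Old shape. Each iteration calls .search() for BOTH patterns from the
    current offset. An input made of many '\\x' escapes and no octal escape
    makes _OctalPatt.search() walk to the end of the string every time, so
    total work grows as O(n^2)."""
    if s is None or len(s) < 2 or s[0] != '"' or s[-1] != '"':
        return s
    s = s[1:-1]
    i, n, res = 0, len(s), []
    while 0 <= i < n:
        o_match = _OctalPatt.search(s, i)
        q_match = _QuotePatt.search(s, i)
        if not o_match and not q_match:
            res.append(s[i:])
            break
        j = o_match.start(0) if o_match else -1
        k = q_match.start(0) if q_match else -1
        if q_match and (not o_match or k < j):
            res.append(s[i:k])
            res.append(s[k + 1])
            i = k + 2
        else:
            res.append(s[i:j])
            res.append(chr(int(s[j + 1:j + 4], 8)))
            i = j + 4
    return "".join(res)


# Fixed shape: one pattern with two alternatives; group 1 = octal digits,
# group 2 = the single escaped character. re.sub() walks the string once.
_unquote_sub = re.compile(r"\\(?:([0-3][0-7][0-7])|(.))").sub


def _unquote_replace(m):
    return chr(int(m[1], 8)) if m[1] else m[2]


def unquote_linear(s):
    """Same contract as unquote_quadratic, O(n)."""
    if s is None or len(s) < 2 or s[0] != '"' or s[-1] != '"':
        return s
    return _unquote_sub(_unquote_replace, s[1:-1])


def redos_input(n_escapes):
    """Constructed attacker-style value: n '\\a' escapes, no octal escape."""
    return '"' + "\\a" * n_escapes + '"'


def timed(fn, s):
    """Return (result, seconds) for one call."""
    t0 = time.perf_counter()
    out = fn(s)
    return out, time.perf_counter() - t0


if __name__ == "__main__":
    for n in (1_000, 4_000, 16_000):
        value = redos_input(n)
        old, t_old = timed(unquote_quadratic, value)
        new, t_new = timed(unquote_linear, value)
        assert old == new
        print(f"{n:>6} escapes: old {t_old:8.4f}s  new {t_new:8.4f}s")
```

Both functions return the same value for every input; the difference is only in cost. Quadrupling the number of escapes should roughly quadruple the linear version's time and roughly sixteen-fold the quadratic one's, which is the behaviour a Cookie header from an untrusted client could exploit against the old code.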
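Worked example for the venv activation-script change (CVE-2024-9287). This is an added illustration, not the package's files: OLD_TEMPLATE and NEW_TEMPLATE are constructed stand-ins for the relevant line of the POSIX activate template before and after the patch (placeholder inside double quotes versus bare placeholder with a shlex.quote'd value), EVIL_DIR and QUOTE_DIR are constructed directory names, and evaluate() sources the rendered text under sh to show what the shell actually does with each.

```python
"""Shell-safe placeholder substitution for venv activation scripts (the
CVE-2024-9287 fix shape).

Added example for this advisory, not the package's files: the two template
strings are constructed stand-ins for the relevant line of
Lib/venv/scripts/common/activate, before and after the patch.
"""
import shlex
import subprocess

PLACEHOLDER = "__VENV_DIR__"

# Before: the template wrapped the placeholder in double quotes and the
# substitution pasted the directory name in verbatim. Inside "..." the shell
# still expands $(...), `...` and backslash escapes, so a crafted directory
# name is executed by `source bin/activate`.
OLD_TEMPLATE = 'VIRTUAL_ENV="__VENV_DIR__"\nexport VIRTUAL_ENV\n'

# After: the template has a bare placeholder and the substitution step
# shlex.quote()s the value first, so the shell sees a single-quoted literal.
NEW_TEMPLATE = "VIRTUAL_ENV=__VENV_DIR__\nexport VIRTUAL_ENV\n"


def render_old(venv_dir):
    """Pre-patch behaviour: raw text substitution into a double-quoted slot."""
    return OLD_TEMPLATE.replace(PLACEHOLDER, venv_dir)


def render_new(venv_dir):
    """Patched behaviour. shlex.quote() returns the string unchanged when it
    is shell-safe and otherwise wraps it in single quotes, rewriting any
    embedded ' as '"'"'."""
    return NEW_TEMPLATE.replace(PLACEHOLDER, shlex.quote(venv_dir))


def evaluate(script):
    """Source the rendered text under sh and report what the shell did.

    Returns (VIRTUAL_ENV as sh assigned it, stderr text), or None when sh
    cannot be run here (the example is then limited to the rendered text)."""
    probe = script + 'printf %s "$VIRTUAL_ENV"\n'
    try:
        r = subprocess.run(["sh", "-c", probe], capture_output=True,
                           text=True, timeout=10)
    except (OSError, subprocess.SubprocessError):
        return None
    return r.stdout, r.stderr


# Constructed malicious directory name: the payload only writes a marker to
# stderr, which is enough to show whether the shell executed it.
EVIL_DIR = "/tmp/venv$(echo INJECTED >&2)"
# Constructed benign name with a single quote, to show the quoting round-trips.
QUOTE_DIR = "/home/o'brien/venv"


if __name__ == "__main__":
    for name in (EVIL_DIR, QUOTE_DIR, "/opt/venv"):
        for label, rendered in (("old", render_old(name)),
                                ("new", render_new(name))):
            print(f"{label}: {rendered.splitlines()[0]}")
            result = evaluate(rendered)
            if result:
                value, err = result
                print(f"     sh saw VIRTUAL_ENV={value!r}, stderr={err.strip()!r}")
```

With the old template the INJECTED marker appears on stderr and VIRTUAL_ENV silently loses the substituted part; with the new template the shell assigns the name byte-for-byte and runs nothing. The same quoting rule is what the patch applies for the csh and fish templates, each with that shell's quoting function.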
Updated packages:
  • idle-python3.7_3.7.3-2+deb10u7+tuxcare.els2_all.deb
    sha:0f3b5e7c90ed01a89e6af6a759e455a2bdabde2b
  • libpython3.7_3.7.3-2+deb10u7+tuxcare.els2_amd64.deb
    sha:e6af5993d13125c2a9057b555d6ef95e4deb0b80
  • libpython3.7-dev_3.7.3-2+deb10u7+tuxcare.els2_amd64.deb
    sha:a23a5bd4b2d2e9039839a8c0e2c55f2104224323
  • libpython3.7-minimal_3.7.3-2+deb10u7+tuxcare.els2_amd64.deb
    sha:ff38a45c9035909b1f1ec600ce7382fb9384ece0
  • libpython3.7-stdlib_3.7.3-2+deb10u7+tuxcare.els2_amd64.deb
    sha:ed4a2415c89ab273d634c52d4c8dc6cf129a7204
  • libpython3.7-testsuite_3.7.3-2+deb10u7+tuxcare.els2_all.deb
    sha:56016eede93ffa27639e26155fca012d68431151
  • python3.7_3.7.3-2+deb10u7+tuxcare.els2_amd64.deb
    sha:9f09eac537b0b0873327b8cb6edf85963cef3925
  • python3.7-dev_3.7.3-2+deb10u7+tuxcare.els2_amd64.deb
    sha:7e323fe0970875e07658afdf5e9bec20ece9f103
  • python3.7-doc_3.7.3-2+deb10u7+tuxcare.els2_all.deb
    sha:f2bce9cd64f5a02d39c78a5d1d94cfbe9fcc20ee
  • python3.7-examples_3.7.3-2+deb10u7+tuxcare.els2_all.deb
    sha:f0623579b12aa40114879e967cb8490ccc3c1eff
  • python3.7-minimal_3.7.3-2+deb10u7+tuxcare.els2_amd64.deb
    sha:221496bbfd7c9c407cb9752edc544d88714048a3
  • python3.7-venv_3.7.3-2+deb10u7+tuxcare.els2_amd64.deb
    sha:62bf5bbebab0f97023f7c1c6ad4075432009dd2a
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.