[CLSA-2026:1781173318] Fix CVE(s): CVE-2025-15366, CVE-2025-15367
Type:
security
Severity:
Important
Release date:
2026-06-11 10:25:20 UTC
Description:
* SECURITY UPDATE: imaplib.IMAP4._command() concatenated each argument into the wire command without validation, so an argument embedding CR/LF (or any other C0 control / DEL byte) could inject a second IMAP command. - debian/patches/CVE-2025-15366.patch: backport of cpython 6262704b13 (gh-143921). Adds the _control_chars [\x00-\x1F\x7F] regex and raises ValueError in _command() before appending an offending argument. - CVE-2025-15366 * SECURITY UPDATE: poplib.POP3._putcmd() wrote its argument to the POP3 socket without validation, allowing the same CR/LF command-injection via the POP3 command API. - debian/patches/CVE-2025-15367.patch: backport of cpython b234a2b675 (gh-143923). Rejects lines matching [\x00-\x1F\x7F] with ValueError in _putcmd() before they are written. - CVE-2025-15367
CVEs fixed:
Updated packages:
  • alt-python38_3.8.20-20_amd64.deb
    sha:27556d175fe1c4020aaa98058f41f2b528eae7d2
  • alt-python38-debug_3.8.20-20_amd64.deb
    sha:eb6e9386fe49f4972673e8f34e199ad34672f5a0
  • alt-python38-devel_3.8.20-20_amd64.deb
    sha:f0b89664fdfceddd355f036d1d2ac2ba97112476
  • alt-python38-idle_3.8.20-20_amd64.deb
    sha:09fc6bd1e54afbaa53bda456e1d5567b504d768b
  • alt-python38-libs_3.8.20-20_amd64.deb
    sha:495eec6ac3e55c28e5fde7bc9dbb2804d57a0e1c
  • alt-python38-test_3.8.20-20_amd64.deb
    sha:b0d3654c7452e9e27bcf5cd2478251477bfb6426
  • alt-python38-tkinter_3.8.20-20_amd64.deb
    sha:8e2225bd5998ac69db550d8dff455e0181118e24
  • alt-python38_3.8.20-20_arm64.deb
    sha:a729cdd714e74fd7c434fdb9699209efe5efa9bb
  • alt-python38-debug_3.8.20-20_arm64.deb
    sha:398d0e3da0e005e680329693b5b54082d76f36e9
  • alt-python38-devel_3.8.20-20_arm64.deb
    sha:978399b44973fdbd97bb4dbe64e6fe693d19bc50
  • alt-python38-idle_3.8.20-20_arm64.deb
    sha:a172798c065499b9cc469942d34baaebb568aa6e
  • alt-python38-libs_3.8.20-20_arm64.deb
    sha:0391eab45c79aecf0b66f58a7b7261e3326bf64d
  • alt-python38-test_3.8.20-20_arm64.deb
    sha:07f00fc4bfc0c4324051822a86d885d1cfc7c837
  • alt-python38-tkinter_3.8.20-20_arm64.deb
    sha:94e9cb19f371fbb8ae27c48def67a61b4fefb5be
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.