[CLSA-2026:1781176375] Fix CVE(s): CVE-2025-13462, CVE-2026-0672, CVE-2026-3644, CVE-2026-4224
Type: security
Severity: Critical
Release date: 2026-06-11 11:15:35 UTC
Description:
* SECURITY UPDATE: C stack overflow (DoS) in pyexpat when parsing deeply nested DTD content models
  - debian/patches/CVE-2026-4224.patch: guard conv_content_model() in Modules/pyexpat.c with Py_EnterRecursiveCall/Py_LeaveRecursiveCall to bound recursion when a registered ElementDeclHandler converts a deeply nested content model.
  - CVE-2026-4224
* SECURITY UPDATE: HTTP header injection via control characters in cookies
  - debian/patches/CVE-2026-0672.patch: reject control characters in Morsel.__setitem__()/set(), add a validating Morsel.setdefault() override, and guard BaseCookie.output() in Lib/Cookie.py.
  - CVE-2026-0672
* SECURITY UPDATE: incomplete fix for CVE-2026-0672 (control characters in cookies via additional Morsel paths)
  - debian/patches/CVE-2026-3644.patch: add a validating Morsel.update() override and reject control characters in Morsel.js_output() in Lib/Cookie.py.
  - CVE-2026-3644
* SECURITY UPDATE: tarfile member type confusion (regular file parsed as directory) via GNU long name/link headers
  - debian/patches/CVE-2025-13462.patch: skip the AREGTYPE->DIRTYPE normalization while reading GNU LONGNAME/LONGLINK and PAX follow-up headers (dircheck=False) in Lib/tarfile.py.
  - CVE-2025-13462
Updated packages:
  • idle-python2.7_2.7.17-1~18.04ubuntu1.11+tuxcare.els14_all.deb
    sha:16446aa6fd3e7792d0ec98adf86cb546f525630f
  • libpython2.7_2.7.17-1~18.04ubuntu1.11+tuxcare.els14_amd64.deb
    sha:0ac939ed84a276624598be9e34ac96c88e8ae5cf
  • libpython2.7-dev_2.7.17-1~18.04ubuntu1.11+tuxcare.els14_amd64.deb
    sha:32e00a418cffc5bc4182a4979ce19cea94e8f8da
  • libpython2.7-minimal_2.7.17-1~18.04ubuntu1.11+tuxcare.els14_amd64.deb
    sha:a9ffb70106f7d81c396f903077913d7f4721b166
  • libpython2.7-stdlib_2.7.17-1~18.04ubuntu1.11+tuxcare.els14_amd64.deb
    sha:035289f620779db38ae1ea235b4febfc4f2b1fc9
  • libpython2.7-testsuite_2.7.17-1~18.04ubuntu1.11+tuxcare.els14_all.deb
    sha:6a4c097175169d3c6bd562d52cdb6c37026425b5
  • python2.7_2.7.17-1~18.04ubuntu1.11+tuxcare.els14_amd64.deb
    sha:a7b682675de891902617f4577868d5bf6dd22085
  • python2.7-dev_2.7.17-1~18.04ubuntu1.11+tuxcare.els14_amd64.deb
    sha:7d01d941896525321b6eee082db361b558bd55e9
  • python2.7-doc_2.7.17-1~18.04ubuntu1.11+tuxcare.els14_all.deb
    sha:2d5227618f4a341d7c5518699d41ae76f1f648b7
  • python2.7-examples_2.7.17-1~18.04ubuntu1.11+tuxcare.els14_all.deb
    sha:f2ef662ee2ebe48ad7fd65aca3a98d57167f0770
  • python2.7-minimal_2.7.17-1~18.04ubuntu1.11+tuxcare.els14_amd64.deb
    sha:d0d03909d0f16cb554a1b2aacfb85d13b3dcc778
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.