[CLSA-2026:1781094126] alt-python27: Fix of 2 CVEs
Type:
security
Severity:
Important
Release date:
2026-06-10 12:25:12 UTC
Description:
- CVE-2025-15366: imaplib.IMAP4._command() concatenated each argument into the wire-level command without inspecting it, so user-controlled text (e.g. a username passed to IMAP4.login()) containing CR/LF or other control characters could inject a second IMAP command. A module-level _control_chars regex and a guard in _command() now reject any argument containing a byte in [\x00-\x1F\x7F] with ValueError before concatenation.
- CVE-2025-15367: poplib.POP3._putcmd() sent its argument to the server without inspecting it, so user-controlled text passed to user()/pass_()/apop()/rpop()/top() could inject a second POP3 command. _putcmd() now rejects any argument containing a byte in [\x00-\x1F\x7F] with ValueError before sending.
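The guard described above, as an added example that is not the patched imaplib/poplib source: it builds a command line with and without the control-character check and shows how many lines reach the wire. The function names, the tag `A001`, and the sample inputs are assumptions constructed for illustration; the same check can be applied to caller input in application code before it is passed to either module.

```python
import re

# Character class quoted in the advisory: C0 control characters plus DEL.
CONTROL_CHARS = re.compile(r'[\x00-\x1f\x7f]')


def build_command_unchecked(tag, name, *args):
    """Hypothetical pre-fix builder: joins arguments without inspecting them."""
    return ' '.join((tag, name) + args) + '\r\n'


def build_command_checked(tag, name, *args):
    """Hypothetical post-fix builder: rejects before any concatenation."""
    for arg in args:
        if CONTROL_CHARS.search(arg):
            raise ValueError('control character in argument: %r' % (arg,))
    return build_command_unchecked(tag, name, *args)


def wire_lines(data):
    """Split on CRLF the way a line-oriented server does; drop the empty tail."""
    return [line for line in data.split('\r\n') if line]


def is_rejected(arg):
    """True if the checked builder refuses the argument with ValueError."""
    try:
        build_command_checked('A001', 'LOGIN', arg, 'secret')
    except ValueError:
        return True
    return False


# Constructed sample inputs, not taken from any real session.
BENIGN = 'alice@example.com'
TAINTED = 'alice\r\nA002 NOOP'

if __name__ == '__main__':
    # One argument, but the server would parse two separate command lines.
    print(wire_lines(build_command_unchecked('A001', 'LOGIN', TAINTED, 'secret')))
    # With the guard, the tainted value never reaches the command string.
    print(is_rejected(TAINTED), is_rejected(BENIGN))
```

Note that the character class covers tab and NUL as well as CR and LF, so the guard rejects more than line breaks.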
Updated packages:
  • alt-python27-2.7.18-34.el10.x86_64.rpm
    sha:f1fce732fbcaae9a96cc8bbaf63c1119b62fb0d5dc43219998fe42bb4c26fce0
  • alt-python27-debug-2.7.18-34.el10.x86_64.rpm
    sha:942fd0464ba96218f991cd46a0d78c178180066356b5c9a3fd7801b4029c7490
  • alt-python27-devel-2.7.18-34.el10.x86_64.rpm
    sha:7e8a5f7a82fa1e7a5899eb074e4be120f4236f0665220d62c5bb1df708509cd3
  • alt-python27-libs-2.7.18-34.el10.x86_64.rpm
    sha:42486e6c9e9d3e392a3483f322b8bbf03df6c2fd6cd7f352180a690b3839ec33
  • alt-python27-test-2.7.18-34.el10.x86_64.rpm
    sha:ee8dd849bc6dc03824e1c1f625d9df3a3e71315bd6a60fa2d48d99a900f52662
  • alt-python27-tkinter-2.7.18-34.el10.x86_64.rpm
    sha:5e025746ef010c3e0093613590f18606208c6250f5be1fa9e3aa6dc052a7746c
  • alt-python27-tools-2.7.18-34.el10.x86_64.rpm
    sha:d3c9075db534d9b4c808f157b5a790713dac98de4efd6de84e3aa483baa08115
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.