Release date:
2026-06-13 10:33:02 UTC
Description:
- CVE-2026-7210: seed Expat's hash-flooding protection with a full 16 bytes
(128 bits) of entropy via XML_SetHashSalt16Bytes() when the loaded libexpat
provides it (detected via a weak symbol), instead of the brute-forceable
8-byte XML_SetHashSalt(); the pyexpat CAPI gains a SetHashSalt16Bytes
pointer appended at the end of the struct (capsule magic unchanged) and
_Py_HashSecret_t gains a 16-byte hashsalt16 field. Both call sites fall back
to the legacy 8-byte API when the salt is all zeros (hash randomization off,
the default) so Expat keeps self-seeding. Paired with the libexpat
CVE-2026-41080 backport that exports the symbol; requires
expat >= 2.1.0-15.0.7.el7_9.tuxcare.els3, the release shipping it.
Updated packages:
- python-2.7.5-94.0.1.el7_9.tuxcare.els9.x86_64.rpm
  sha:26a0868e128399a247cdf1eb096979f526c734442a44b114e6786724ab1db502
- python-debug-2.7.5-94.0.1.el7_9.tuxcare.els9.x86_64.rpm
  sha:643c3773bbfed51cb92c78a13ea257840d62754165b578e89a1e652019398110
- python-devel-2.7.5-94.0.1.el7_9.tuxcare.els9.x86_64.rpm
  sha:d6942231a1873cbe1c8d6144a24cdb6c4e2a374748fd4509d2aa5f9c968c155d
- python-libs-2.7.5-94.0.1.el7_9.tuxcare.els9.i686.rpm
  sha:f80fe1842cc381b2e237ba4ae5658e6ff6060c4d9b9121327e7538c3547c6a3a
- python-libs-2.7.5-94.0.1.el7_9.tuxcare.els9.x86_64.rpm
  sha:4579dc607f8c09023740105fe660de02cadfb834f52db60676b38c41715d2a3d
- python-test-2.7.5-94.0.1.el7_9.tuxcare.els9.x86_64.rpm
  sha:1d6a482bd5fcaf91fe3a1aa80eb0033eb38317517f454187ac00cdf02fd4c71d
- python-tools-2.7.5-94.0.1.el7_9.tuxcare.els9.x86_64.rpm
  sha:4115ccd03d037f5229229125510f9ed42992878cffc955e2d7d4afdab42fff90
- tkinter-2.7.5-94.0.1.el7_9.tuxcare.els9.x86_64.rpm
  sha:ef2ee8eaf3bcec2885936bdad0c678629dda2cf980a2d5ce74326622037b58a1
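
Post-update check for the behaviour in the Description, as an added example that is not part of the advisory or the patch: it reports which salt path an updated interpreter would be expected to take on this host. It assumes pyexpat is dynamically linked against the system libexpat that `ctypes` finds; the helper names and result strings are illustrative.

```python
"""Added example: which Expat salt API should the patched interpreter use here?"""
import ctypes
import ctypes.util
import sys

SYMBOL = "XML_SetHashSalt16Bytes"  # symbol name taken from the advisory text


def exports_symbol(lib, name=SYMBOL):
    """True if the library handle resolves `name` (ctypes performs a dlsym)."""
    try:
        getattr(lib, name)
        return True
    except AttributeError:
        return False


def load_system_expat():
    """Return a handle to the system libexpat, or None if it cannot be loaded."""
    path = ctypes.util.find_library("expat")
    if path is None:
        return None
    try:
        return ctypes.CDLL(path)
    except OSError:
        return None


def expected_salt_path(has_symbol, randomization_on):
    """Decision rule as described in the advisory (not read from the patch)."""
    if not randomization_on:
        # Salt is all zeros, so the legacy call is kept and Expat seeds itself.
        return "legacy-8-byte (Expat self-seeds)"
    if not has_symbol:
        # Old libexpat: the weak symbol is absent, only the 8-byte API exists.
        return "legacy-8-byte (libexpat lacks 16-byte API)"
    return "16-byte"


def check_host():
    """Combine the libexpat symbol check with this interpreter's hash flag."""
    lib = load_system_expat()
    has_symbol = lib is not None and exports_symbol(lib)
    return expected_salt_path(has_symbol, bool(sys.flags.hash_randomization))


if __name__ == "__main__":
    print(check_host())
```

Run it with the same interpreter and options as the service being checked (for example with `-R` or `PYTHONHASHSEED` set), since the result depends on whether hash randomization is enabled.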
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections please contact the CloudLinux Packaging Team.