[CLSA-2026:1777642217] Fix CVE(s): CVE-2024-6923, CVE-2026-1299
Type:
security
Severity:
Important
Release date:
2026-05-01 13:30:22 UTC
Description:
* SECURITY UPDATE: email.BytesGenerator did not quote newlines in serialized headers, allowing header injection when a custom header class (e.g. LiteralHeader) bypasses the email folding rules. This is a bypass of CVE-2024-6923, which only added the validation to the text Generator class.
  - debian/patches/CVE-2026-1299.patch: mirror the verify_generated_headers / NEWLINE_WITHOUT_FWSP check from Generator._write_headers into BytesGenerator._write_headers in Lib/email/generator.py, raising HeaderWriteError on unsafely folded or delimited headers; extend test_email tests to cover message.as_bytes().
  - CVE-2026-1299
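The check described above can be applied before serialization and used to see whether the running interpreter already guards `as_bytes()`. This is an added example, not code from the patch or from CloudLinux. Assumptions: the regular expression is written here to express the NEWLINE_WITHOUT_FWSP rule and is not copied from the patch, and the `LiteralHeader` class, the `X-Demo` header and the sample values are constructed for illustration.

```python
import re
from email.message import EmailMessage

# Assumed form of the rule named in the description: a line break inside a folded
# header must be followed by folding whitespace (space or tab).
NEWLINE_WITHOUT_FWSP = re.compile(r"\r\n[^ \t]|\r[^ \n\t]|\n[^ \t]")

def folded_header_problem(folded, linesep):
    """Return a reason string if a folded header is unsafe to write, else None."""
    if not folded.endswith(linesep):
        return "does not end with the policy line separator"
    if NEWLINE_WITHOUT_FWSP.search(folded[:-len(linesep)]):
        return "contains a line break not followed by whitespace"
    return None

def audit_headers(msg):
    """Fold each header with the message's own policy and list the unsafe ones."""
    findings = []
    for name, value in msg.raw_items():
        folded = msg.policy.fold(name, value)
        problem = folded_header_problem(folded, msg.policy.linesep)
        if problem:
            findings.append((name, problem))
    return findings

def as_bytes_is_guarded(msg):
    """True if this interpreter's as_bytes() refuses msg with HeaderWriteError."""
    try:
        msg.as_bytes()
    except Exception as exc:  # the class may be missing on old interpreters
        return type(exc).__name__ == "HeaderWriteError"
    return False

class LiteralHeader(str):
    """Constructed stand-in for a custom header class that skips refolding."""
    name = "X-Demo"
    def fold(self, **kwargs):
        return self

def build_sample(text):
    """Constructed message carrying one ordinary and one literal header."""
    msg = EmailMessage()
    msg["Subject"] = "weekly report"
    msg["X-Demo"] = LiteralHeader(text)
    return msg

if __name__ == "__main__":
    samples = ("Value\r\nX-Extra: constructed\r\n", "NoNewLine", "X-Demo: ok\r\n folded\r\n")
    for text in samples:
        msg = build_sample(text)
        print(repr(text), audit_headers(msg), "guarded:", as_bytes_is_guarded(msg))
```

On an interpreter with this update installed, `guarded` is expected to be True for the first two samples; where it prints False, `audit_headers` still flags them before the message is written.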
Updated packages:
  • alt-python39_3.9.23-12_amd64.deb
    sha:3e96ede395869c9949d78210a4a9e83679c9a600
  • alt-python39-debug_3.9.23-12_amd64.deb
    sha:75ec3a358e5f2b866b803a3c51b797d8f52376e3
  • alt-python39-devel_3.9.23-12_amd64.deb
    sha:c66896679f342bca23b9ced28cc17897d27a7714
  • alt-python39-idle_3.9.23-12_amd64.deb
    sha:f8f070199a5e3a27049cdb793c5757c01d618540
  • alt-python39-libs_3.9.23-12_amd64.deb
    sha:e3daa9128aa18a5ae5ff1975ff18ed70c076f2bc
  • alt-python39-test_3.9.23-12_amd64.deb
    sha:42220c83e42eaaf76f6733b52c308ee5aaca7d65
  • alt-python39-tkinter_3.9.23-12_amd64.deb
    sha:659c6b4f049ba91e06143dadaff7b661306d0a23
  • alt-python39_3.9.23-12_arm64.deb
    sha:7b0a0685e9f4857e72646d522d92aee316a063fb
  • alt-python39-debug_3.9.23-12_arm64.deb
    sha:7f100c723c4f9a7b6918b2ec22ce10afc7a836c0
  • alt-python39-devel_3.9.23-12_arm64.deb
    sha:4a34424dbf6c3c18aaa5c09f2b82c43f2096dfe9
  • alt-python39-idle_3.9.23-12_arm64.deb
    sha:c4159050f9377c84885ff12b237f82d2b0ba232e
  • alt-python39-libs_3.9.23-12_arm64.deb
    sha:0e9addf582be9e5301aec22b1b110082ad4dd53c
  • alt-python39-test_3.9.23-12_arm64.deb
    sha:623dee6753ff0e48d365afb0fb8412234cac521e
  • alt-python39-tkinter_3.9.23-12_arm64.deb
    sha:fc9490af6cb118b37437a39204b2aceac269a7cc
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.