[CLSA-2026:1777646657] Fix CVE(s): CVE-2024-6923, CVE-2026-1299
Type: security
Severity: Important
Release date: 2026-05-04 14:32:19 UTC
Description:
* SECURITY UPDATE: email.BytesGenerator did not quote newlines in serialized headers, allowing header injection when a custom header class (e.g. LiteralHeader) bypasses the email folding rules. This is a bypass of CVE-2024-6923, which only added the validation to the text Generator class.
  - debian/patches/CVE-2026-1299.patch: mirror the verify_generated_headers / NEWLINE_WITHOUT_FWSP check from Generator._write_headers into BytesGenerator._write_headers in Lib/email/generator.py, raising HeaderWriteError on unsafely folded or delimited headers; extend test_email tests to cover message.as_bytes().
  - CVE-2026-1299
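One way to confirm the fix on a given interpreter, as an added example (not CloudLinux's or CPython's own code): it serializes a message carrying a header object modelled on the LiteralHeader case described above through both as_string() and as_bytes() and reports whether HeaderWriteError is raised. The X-Probe header name, the sample values and the function names are constructed for this example.

```python
"""Probe whether this interpreter's email generators reject an unsafely
delimited header. Added example; all sample values are constructed."""
import email.errors
import email.policy
from email import message_from_string

# Absent on interpreters that predate the CVE-2024-6923 fix.
HeaderWriteError = getattr(email.errors, "HeaderWriteError", None)


class LiteralHeader(str):
    """Header object whose fold() returns its text untouched, so the
    policy's folding rules never process it (the case the advisory names)."""
    name = "X-Probe"

    def fold(self, **kwargs):
        return self


def serialize_outcome(value, method):
    """Serialize with msg.<method>(); 'rejected' means HeaderWriteError."""
    msg = message_from_string("Subject: probe\r\n\r\nbody\r\n",
                              policy=email.policy.default)
    msg["X-Probe"] = LiteralHeader(value)
    try:
        getattr(msg, method)()
    except Exception as exc:
        if HeaderWriteError is not None and isinstance(exc, HeaderWriteError):
            return "rejected"
        raise
    return "written"


def probe():
    """Run both serializers on a value with a newline that is not
    followed by folding whitespace (constructed sample)."""
    unsafe = "first\r\nsecond\r\n"
    return {m: serialize_outcome(unsafe, m) for m in ("as_string", "as_bytes")}


if __name__ == "__main__":
    for method, outcome in probe().items():
        note = "" if outcome == "rejected" else "  <- check not present"
        print(f"{method}(): {outcome}{note}")
```

With the updated packages installed, both lines read `rejected`; `as_string(): rejected` together with `as_bytes(): written` is the gap this update closes.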
Updated packages:
  • alt-python39_3.9.23-12_amd64.deb
    sha:f163727065d317041bd7efe68f483a22682994a3
  • alt-python39-debug_3.9.23-12_amd64.deb
    sha:75ec3a358e5f2b866b803a3c51b797d8f52376e3
  • alt-python39-devel_3.9.23-12_amd64.deb
    sha:685d06c2e600e1e98c64a5f3fe5923c36e340088
  • alt-python39-idle_3.9.23-12_amd64.deb
    sha:c3d97c9bfe1d059c32c6e449609737d739f3d7a4
  • alt-python39-libs_3.9.23-12_amd64.deb
    sha:327997031a0c6a2080708db513257957a5885971
  • alt-python39-test_3.9.23-12_amd64.deb
    sha:82887319a7acc3137f85e15da2a620097c8c07e0
  • alt-python39-tkinter_3.9.23-12_amd64.deb
    sha:10ae97cdc494ffb754c9e6d7b08f894af2d75031
  • alt-python39_3.9.23-12_arm64.deb
    sha:87fdf39300abfc55c03f80ebc6b960099de4dc25
  • alt-python39-debug_3.9.23-12_arm64.deb
    sha:7f100c723c4f9a7b6918b2ec22ce10afc7a836c0
  • alt-python39-devel_3.9.23-12_arm64.deb
    sha:36882258556c09d7a21c894009c0eb9493554492
  • alt-python39-idle_3.9.23-12_arm64.deb
    sha:1cd6912c6a72d4f390a0142166157967320c78e2
  • alt-python39-libs_3.9.23-12_arm64.deb
    sha:8c32dc33b1e1013d01cd10c813592d839ea39981
  • alt-python39-test_3.9.23-12_arm64.deb
    sha:18c37cc5ea20ea394c68d5e0819bba8360084dee
  • alt-python39-tkinter_3.9.23-12_arm64.deb
    sha:28938f28e4a8e49bc3be720ec32e49d213caabbc
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.