[CLSA-2026:1777629862] alt-python27: Fix of 4 CVEs
Type:
security
Severity:
Important
Release date:
2026-05-01 10:04:26 UTC
Description:
- CVE-2026-1299: email.Generator now rejects header *values* containing CR/LF that are not followed by folding whitespace by raising HeaderWriteError. In Python 2.7 (which lacks BytesGenerator) this single Generator-class hardening covers both upstream CVE-2026-1299 and CVE-2024-6923.
- CVE-2024-6923: email.Generator now rejects header *names* containing CR/LF that are not followed by folding whitespace by raising HeaderWriteError, preventing header injection through the header name.
- CVE-2024-0397: ssl.SSLContext.cert_store_stats and get_ca_certs now deep-copy the X509_STORE under X509_STORE_lock (via a backport of OpenSSL 3.3's X509_STORE_get1_objects), fixing a memory race when an SSLContext is shared across threads.
- CVE-2021-28861: BaseHTTPServer now collapses any leading run of '/' in the request path to a single '/' to prevent an open-redirect via //evil.example/... URIs in 301 Location headers.
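The two input checks described above (CR/LF without folding whitespace in a header name or value, and a leading run of '/' in a request path) can be expressed as application-side guards. This is an added example, not the CloudLinux patch or CPython's code. The names `check_header`, `UnsafeHeaderError`, `rejected_headers` and `collapse_leading_slashes` are hypothetical, the sample inputs are constructed, and treating a trailing newline as unsafe is an assumption of this sketch.

```python
import re

# Assumption of this example: a CR, LF or CRLF is "unfolded" when the next
# character is not a space or tab (folding whitespace), or when it is the
# last thing in the string.
_UNFOLDED_NEWLINE = re.compile(r'\r\n(?![ \t])|\r(?![\n \t])|\n(?![ \t])')


class UnsafeHeaderError(ValueError):
    """Hypothetical error type for this example (not HeaderWriteError)."""


def check_header(name, value):
    """Return 'name: value', or raise if either part could start a new header line."""
    for label, text in (("name", name), ("value", value)):
        if _UNFOLDED_NEWLINE.search(text):
            raise UnsafeHeaderError(
                "CR/LF without folding whitespace in header %s: %r" % (label, text))
    return "%s: %s" % (name, value)


def rejected_headers(headers):
    """Return the (name, value) pairs that check_header refuses."""
    bad = []
    for name, value in headers:
        try:
            check_header(name, value)
        except UnsafeHeaderError:
            bad.append((name, value))
    return bad


def collapse_leading_slashes(path):
    """Reduce a leading run of '/' to one so the path cannot be read as //host/..."""
    if path.startswith('//'):
        return '/' + path.lstrip('/')
    return path


# Constructed sample input, not taken from any real message.
SAMPLE_HEADERS = [
    ("Subject", "quarterly report"),
    ("Subject", "a long subject\r\n folded onto a second line"),
    ("Subject", "hello\r\nBcc: someone@example.test"),
    ("X-Note\nBcc", "someone@example.test"),
]

if __name__ == "__main__":
    print(rejected_headers(SAMPLE_HEADERS))
    print(collapse_leading_slashes("//evil.example/index.html"))
```

The code runs unchanged on Python 2.7 and Python 3.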
Updated packages:
  • alt-python27-2.7.18-30.el7.x86_64.rpm
    sha:0417fd17964b6b467e75cb29aa29aea0b38f3cd3e51dc9ad8290ad4258f04eba
  • alt-python27-debug-2.7.18-30.el7.x86_64.rpm
    sha:168379b8939cc4a42988e02cb138ada9456c0c8e624162e84c3095ce84cde935
  • alt-python27-devel-2.7.18-30.el7.x86_64.rpm
    sha:858d5760a21ff5f8cf6914907125bdbbfc5aa1791c3508fca697a6fa111a8037
  • alt-python27-libs-2.7.18-30.el7.x86_64.rpm
    sha:9b605d09a8312fbff06edb4a1ddc7986711c511c574b83f4e4f505533fc19a80
  • alt-python27-test-2.7.18-30.el7.x86_64.rpm
    sha:9b77899179b6d62d0cde784ef42466a07d88b608dd78f853aa112af04306165d
  • alt-python27-tkinter-2.7.18-30.el7.x86_64.rpm
    sha:40d794c6e08398f1953e98f2855b9193cf1ed2a71821494b519a9785248dd0e0
  • alt-python27-tools-2.7.18-30.el7.x86_64.rpm
    sha:f8945bb48a21d4912cc6218ff11179b6ea9737508645ff737a0c30a4e41ec6e7
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.