[CLSA-2026:1777630510] alt-python27: Fix of 4 CVEs
Type:
security
Severity:
Important
Release date:
2026-05-01 10:15:15 UTC
Description:
- CVE-2026-1299: email.Generator now rejects header *values* containing CR/LF that are not followed by folding whitespace by raising HeaderWriteError. In Python 2.7 (which lacks BytesGenerator) this single Generator-class hardening covers both upstream CVE-2026-1299 and CVE-2024-6923.
- CVE-2024-6923: email.Generator now rejects header *names* containing CR/LF that are not followed by folding whitespace by raising HeaderWriteError, preventing header injection through the header name.
- CVE-2024-0397: ssl.SSLContext.cert_store_stats and get_ca_certs now deep-copy the X509_STORE under X509_STORE_lock (via a backport of OpenSSL 3.3's X509_STORE_get1_objects), fixing a memory race when an SSLContext is shared across threads.
- CVE-2021-28861: BaseHTTPServer now collapses any leading run of '/' in the request path to a single '/' to prevent an open-redirect via //evil.example/... URIs in 301 Location headers.
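The CR/LF rule from the two email.Generator items above, written as an application-side pre-check that can run before headers reach the email package. This is an added example, not code from the advisory or from the patched package; `UNFOLDED_BREAK`, `find_unsafe_headers` and the sample headers are constructed for illustration, and treating a line break at the very end of a string as unsafe is an assumption of this check.

```python
import re

# A CR, LF or CRLF that is NOT followed by folding whitespace (space or tab).
# A break at the very end of the string also matches, since nothing follows it
# (assumption of this check: raw application input should not end in a break).
UNFOLDED_BREAK = re.compile(r'\r\n(?![ \t])|\r(?![\n \t])|\n(?![ \t])')


def find_unsafe_headers(headers):
    """Return (index, part, offset) for each header name or value that
    contains a line break not followed by folding whitespace.

    headers: list of (name, value) string pairs, as an application would
    pass to Message.__setitem__ or Message.add_header.
    """
    findings = []
    for index, (name, value) in enumerate(headers):
        for part, text in (("name", name), ("value", value)):
            match = UNFOLDED_BREAK.search(text)
            if match:
                findings.append((index, part, match.start()))
    return findings


# Constructed sample input (not taken from the advisory).
SAMPLE_HEADERS = [
    ("Subject", "Quarterly report"),                    # plain value
    ("Subject", "Quarterly report\r\n for the board"),  # legitimately folded
    ("Subject", "Hello\r\nBcc: outsider@example.net"),  # CRLF starts a new header
    ("X-Note\nBcc", "outsider@example.net"),            # break inside the name
    ("X-Trace", "abc\rdef"),                            # bare CR
]

if __name__ == "__main__":
    for index, part, offset in find_unsafe_headers(SAMPLE_HEADERS):
        print("header %d: unfolded line break in %s at offset %d"
              % (index, part, offset))
```

The check runs unchanged on Python 2.7 and Python 3, so it can be used to log or reject suspect input on hosts that have not yet received the updated packages.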
Updated packages:
  • alt-python27-2.7.18-30.el9.x86_64.rpm
    sha:10a90440d71ac54e8a1677423949c09ec0cc63981a0f4da4d3cdd64769d2129c
  • alt-python27-debug-2.7.18-30.el9.x86_64.rpm
    sha:428e63226276712e5b5ad96bc50dc64a5b809959e7596416aacecccbdf403015
  • alt-python27-devel-2.7.18-30.el9.x86_64.rpm
    sha:9b847236fd159bdca5bca37f861a441c07a829f7ee1bf1eb3cd22d2ff1e1a2df
  • alt-python27-libs-2.7.18-30.el9.x86_64.rpm
    sha:bea2c668e773be4a51d158830d6bb65efb1d362892c37427c8344eabbefe584a
  • alt-python27-test-2.7.18-30.el9.x86_64.rpm
    sha:365660b0b406fa99a6e296462029b9c2560d83f73cb92585748f90ebc1cdd74d
  • alt-python27-tkinter-2.7.18-30.el9.x86_64.rpm
    sha:46594937ca2d586e165f54f3badd2f6f1b2f86ebc1e373e631063333f68ca31a
  • alt-python27-tools-2.7.18-30.el9.x86_64.rpm
    sha:d09a625a3df30a6504de0c42b1c088a27fbd26e9c454f67379e40c18cc15ee49
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.