[CLSA-2026:1778612981] Fix CVE(s): CVE-2026-3446
Type:
security
Severity:
Moderate
Release date:
2026-05-14 08:43:51 UTC
Description:
* SECURITY UPDATE: binascii.a2b_base64 / base64.b64decode stop decoding after the first padded quad, silently dropping any excess data. The behaviour can lead to data being accepted that other implementations process differently. - debian/patches/CVE-2026-3446.patch: backport of upstream commits 4561f6418a (main), e31c55121620 (3.14), 1f9958f909c1 (3.13). Treats the pad character as non-alphabet data per RFC 4648 section 3.3: the loop in binascii_a2b_base64_impl no longer breaks out on a pad sequence; a `pads` counter is added so post-loop validation still raises "Incorrect padding" / "Invalid base64-encoded string" for inputs that do not satisfy `quad_pos + pads == 4`. The unused `binascii_find_valid` helper is removed. - CVE-2026-3446
Updated packages:
  • alt-python37_3.7.17-18_amd64.deb
    sha:bc984f3d100c0b1fa8879a9ccc89c5677a1a6c5c
  • alt-python37-debug_3.7.17-18_amd64.deb
    sha:64d460f1441e4ca34ceeaee5dbe3c925d41bb638
  • alt-python37-devel_3.7.17-18_amd64.deb
    sha:fa69ed93264618de859eec6e139d7d1f9664bc12
  • alt-python37-libs_3.7.17-18_amd64.deb
    sha:e5bceca23823eb79104a45e7d1c3399fe641c6ff
  • alt-python37-test_3.7.17-18_amd64.deb
    sha:f94e80b2a3d536db60fd3ad647ae0f9998ff7ce0
  • alt-python37-tkinter_3.7.17-18_amd64.deb
    sha:0bf3f693c6c7e868e2d8e9d741370b19feef0e98
  • alt-python37-tools_3.7.17-18_amd64.deb
    sha:99da49ab37395aa7fc738e3af13d2ad5937416d0
  • alt-python37_3.7.17-18_arm64.deb
    sha:8d2410ca64bc4f2fac456b9ad85e8db1f8074a31
  • alt-python37-debug_3.7.17-18_arm64.deb
    sha:f6dec364590f6a3d987209f37e53dcc2d8e8fb25
  • alt-python37-devel_3.7.17-18_arm64.deb
    sha:128a43a7ff29dcc096314b8d4bf7cd9c98cd5b21
  • alt-python37-libs_3.7.17-18_arm64.deb
    sha:ad3192e738424e5ecab1254c200ad04c0196351a
  • alt-python37-test_3.7.17-18_arm64.deb
    sha:d80313ce7bb29b80cc0a520313c8433a877f5f99
  • alt-python37-tkinter_3.7.17-18_arm64.deb
    sha:e99dd8ff0c24ec4109d90473f6792286a00135cd
  • alt-python37-tools_3.7.17-18_arm64.deb
    sha:e22f42528536f3b26ae8f98ab9111b8b36d0fcac
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.