Release date:
2026-05-07 14:43:29 UTC
Description:
* SECURITY UPDATE: binascii.a2b_base64 / base64.b64decode stop decoding
after the first padded quad, silently dropping any excess data. The
behaviour can lead to data being accepted that other implementations
process differently.
- debian/patches/CVE-2026-3446.patch: backport of upstream commits
4561f6418a (main), e31c55121620 (3.14), 1f9958f909c1 (3.13). Treats
the pad character as non-alphabet data per RFC 4648 section 3.3:
the loop in binascii_a2b_base64 no longer breaks out on a pad
sequence; a `pads` counter is added so post-loop validation still
raises "Incorrect padding" for inputs that do not satisfy
`quad_pos + pads == 4`. The unused `binascii_find_valid` helper
is removed.
- CVE-2026-3446
Updated packages:
-
alt-python27_2.7.18-18_amd64.deb
sha:2942a22edcb768d7aba89908be267c5b9d5d511f
-
alt-python27-debug_2.7.18-18_amd64.deb
sha:0cdc05b1641a0e70c91f3794bc22c66dae8dcce6
-
alt-python27-devel_2.7.18-18_amd64.deb
sha:28a7e0f7f44e20b4482c0227f8ac076cb758e2ce
-
alt-python27-idle_2.7.18-18_amd64.deb
sha:b30a09bf80010f1c7e3f82c3ee7110b89fa15827
-
alt-python27-libs_2.7.18-18_amd64.deb
sha:07b77af03c006c524218d92089d7449d4c653b7d
-
alt-python27-test_2.7.18-18_amd64.deb
sha:fdc66d7fa9728576623fb1fd33590f260c4ac46b
-
alt-python27-tkinter_2.7.18-18_amd64.deb
sha:3374fa48d1f7e1116e21718a20d80ebf0e41ab2f
-
alt-python27-tools_2.7.18-18_amd64.deb
sha:85d26a8e1d22015920d125e4d0ff6a1bc4c36c97
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections please contact the
CloudLinux Packaging Team.
