[CLSA-2026:1777370607] Fix CVE(s): CVE-2024-0450, CVE-2026-6100

Type:

security

Severity:

Critical

Release date:

2026-04-28 10:03:33 UTC

Description:

   * SECURITY UPDATE: zipfile quoted-overlap zip bomb
     - debian/patches/CVE-2024-0450.patch: raise BadZipFile when an
       archive entry overlaps with another entry or the central
       directory, preventing quoted-overlap zip bombs with extreme
       compression ratios.
     - CVE-2024-0450
   * SECURITY UPDATE: use-after-free in lzma/bz2 decompressors
     - debian/patches/CVE-2026-6100.patch: null next_in at the error:
       label of decompress() in Modules/_bz2module.c and
       Modules/_lzmamodule.c so the decompressor cannot be re-used
       with a stale buffer pointer after a MemoryError.
     - CVE-2026-6100

Updated packages:

alt-python36_3.6.15-30_amd64.deb
sha:f8eb3a4d9ec730b5d00f140e9b32a28a7a5dae3b
alt-python36-debug_3.6.15-30_amd64.deb
sha:88ee42d43989fc1221bf3807c763b8e66e3a85cf
alt-python36-devel_3.6.15-30_amd64.deb
sha:499acc1f128a671b8ce5853eea1cc61ad362346c
alt-python36-libs_3.6.15-30_amd64.deb
sha:fc3f9f7ae29b478ae062e96c91f1bdd2769d95c3
alt-python36-test_3.6.15-30_amd64.deb
sha:9c1f705c7b256015bcd5554246a866550a6c66b4
alt-python36-tkinter_3.6.15-30_amd64.deb
sha:6e61fe4b5f903f6de80c4858b332a4dd45f1fbe8
alt-python36-tools_3.6.15-30_amd64.deb
sha:5ba02555254d171af8221a28d2d9a1edfe9ebd6b

Notes:

This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.