[CLSA-2026:1778148441] Fix CVE(s): CVE-2026-3446
Type:
security
Severity:
Moderate
Release date:
2026-05-07 10:07:28 UTC
Description:
* SECURITY UPDATE: binascii.a2b_base64 / base64.b64decode stop decoding after the first padded quad, silently dropping any excess data. The behaviour can lead to data being accepted that other implementations process differently. - debian/patches/CVE-2026-3446.patch: backport of upstream commits 4561f6418a (main), e31c55121620 (3.14), 1f9958f909c1 (3.13). Treats the pad character as non-alphabet data per RFC 4648 section 3.3: the loop in binascii_a2b_base64_impl no longer breaks out on a pad sequence; a `pads` counter tracks them so post-loop validation still raises "Incorrect padding" / "Invalid base64-encoded string" for inputs that do not satisfy `quad_pos + pads == 4`. The unused `done:` label is removed. - CVE-2026-3446
Updated packages:
  • alt-python39_3.9.23-13_amd64.deb
    sha:efed9183e5fdd0b332c1652f9bb91d488cce85f1
  • alt-python39-debug_3.9.23-13_amd64.deb
    sha:06853c62241462625a99d3db623bf7ef58daaa4c
  • alt-python39-devel_3.9.23-13_amd64.deb
    sha:4a5f50e51343b829a473603e522493fcfc67b521
  • alt-python39-idle_3.9.23-13_amd64.deb
    sha:657865d6b4f159aabd328801aa92f25e705bdad1
  • alt-python39-libs_3.9.23-13_amd64.deb
    sha:669f4c7188f70dc9aff4f40b09da37b9b35c735b
  • alt-python39-test_3.9.23-13_amd64.deb
    sha:883a30b95e64bb599a6582afb2ee16b09daa23bc
  • alt-python39-tkinter_3.9.23-13_amd64.deb
    sha:69d9307340d4751aba7f719eb5abe1ed253a8c64
  • alt-python39_3.9.23-13_arm64.deb
    sha:ab036973f60727dcb192cdd21b8a6263b314f0f0
  • alt-python39-debug_3.9.23-13_arm64.deb
    sha:d782e2deaad73cfa6ee7267e04340a6b9afbb52a
  • alt-python39-devel_3.9.23-13_arm64.deb
    sha:331c98159a94fab6b6f72b6a761c3e7419eb0df8
  • alt-python39-idle_3.9.23-13_arm64.deb
    sha:e7a5c97eeba7f711c04fa62f3a6d04b9a80054de
  • alt-python39-libs_3.9.23-13_arm64.deb
    sha:aec8396b3a5291225b64f5df52917a985521fd6d
  • alt-python39-test_3.9.23-13_arm64.deb
    sha:e7b04879f4d062f52f9e459cd5df145f70b4e32e
  • alt-python39-tkinter_3.9.23-13_arm64.deb
    sha:27b7a9ec1bd2adccbad86d58defb91d1d772bf3f
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.