Release date: 2026-05-01 10:00:29 UTC
Description:
- CVE-2026-1299: email.Generator now rejects header *values* containing
CR/LF that are not followed by folding whitespace by raising
HeaderWriteError. In Python 2.7 (which lacks BytesGenerator) this
single Generator-class hardening covers both upstream CVE-2026-1299
and CVE-2024-6923.
- CVE-2024-6923: email.Generator now rejects header *names* containing
CR/LF that are not followed by folding whitespace by raising
HeaderWriteError, preventing header injection through the header
name.
- CVE-2024-0397: ssl.SSLContext.cert_store_stats and get_ca_certs now
deep-copy the X509_STORE under X509_STORE_lock (via a backport of
OpenSSL 3.3's X509_STORE_get1_objects), fixing a memory race when an
SSLContext is shared across threads.
- CVE-2021-28861: BaseHTTPServer now collapses any leading run of '/'
in the request path to a single '/' to prevent an open-redirect via
//evil.example/... URIs in 301 Location headers.
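The header rule in the two email items above can also be applied before a message reaches the generator. The following is an added example, not CloudLinux or CPython code: the function names, the local HeaderWriteError class and the sample headers are assumptions made for illustration, and it takes (name, value) string pairs such as those returned by Message.items().

```python
import re

# A CR, LF or CRLF that is not followed by folding whitespace (space or tab).
# Assumption of this example: a break at the very end of the text also counts,
# because nothing folds after it.
_UNFOLDED_BREAK = re.compile(r'\r\n(?![ \t])|\r(?![\n \t])|\n(?![ \t])')


class HeaderWriteError(ValueError):
    """Local stand-in for the exception the advisory names."""


def audit_headers(headers):
    """Return (name, part, offset) for every header name or value that
    contains an unfolded line break; headers is a list of (name, value)."""
    findings = []
    for name, value in headers:
        for part, text in (("name", name), ("value", value)):
            match = _UNFOLDED_BREAK.search(text)
            if match:
                findings.append((name, part, match.start()))
    return findings


def check_headers(headers):
    """Raise HeaderWriteError on the first finding, before serialization."""
    findings = audit_headers(headers)
    if findings:
        name, part, offset = findings[0]
        raise HeaderWriteError(
            "unfolded line break in header %s of %r at offset %d"
            % (part, name, offset))


# Constructed sample input, not taken from any real message.
SAMPLE = [
    ("Subject", "Quarterly report"),           # plain value: accepted
    ("X-Note", "first line\r\n\tcontinued"),   # folded value: accepted
    ("Subject", "hello\r\nX-Injected: 1"),     # break starts a new header
    ("X-Bad\nName", "value"),                  # break inside the name
]

if __name__ == "__main__":
    for finding in audit_headers(SAMPLE):
        print(finding)
```

audit_headers suits logging across many messages, while check_headers fails closed on the first bad header.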
Updated packages:
- alt-python27-2.7.18-30.el10.x86_64.rpm
sha:872f87a4dbfa4c0a9e1cfb122e75010737d5a0be36b0b2723b1fdc5106c64082
- alt-python27-debug-2.7.18-30.el10.x86_64.rpm
sha:90b9b16af27850decbf46d5ff2bcad3412111088edd6b656ec5a05a47e6a71f2
- alt-python27-devel-2.7.18-30.el10.x86_64.rpm
sha:74adebedd13700c01288bbc83a9a787a23f5be083b9ca4a17ed371ff86bbc2d2
- alt-python27-libs-2.7.18-30.el10.x86_64.rpm
sha:169f2b2aa34bf604aed59ea5e7f17cea2cd7364703ab2ecb2b1aaa318b4880d4
- alt-python27-test-2.7.18-30.el10.x86_64.rpm
sha:408d9d3be4a3b4567ec239662ebd9047bad6361e81d11f5d3263548a8f042e90
- alt-python27-tkinter-2.7.18-30.el10.x86_64.rpm
sha:38b4075a50582b4b8622bd0e321073aefd6752c789eeceb2a47869acb63ad8b2
- alt-python27-tools-2.7.18-30.el10.x86_64.rpm
sha:1c97d375681b2cc44bbf5fce8908d2b097dc4b9d448fc43dec74cdcf32cd8478
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections, please contact the CloudLinux Packaging Team.