[CLSA-2026:1778162260] Fix CVE(s): CVE-2026-3446

Type:

security

Severity:

Moderate

Release date:

2026-05-13 14:45:03 UTC

Description:

   * SECURITY UPDATE: binascii.a2b_base64 / base64.b64decode stop decoding
     after the first padded quad, silently dropping any excess data. The
     behaviour can lead to data being accepted that other implementations
     process differently.
     - debian/patches/CVE-2026-3446.patch: backport of upstream commits
       4561f6418a (main), e31c55121620 (3.14), 1f9958f909c1 (3.13). Treats
       the pad character as non-alphabet data per RFC 4648 section 3.3:
       the loop in binascii_a2b_base64_impl no longer breaks out on a pad
       sequence; a `pads` counter is added so post-loop validation still
       raises "Incorrect padding" for inputs that do not satisfy
       `quad_pos + pads == 4`. The unused `binascii_find_valid` helper
       is removed.
     - CVE-2026-3446

Updated packages:

alt-python36_3.6.15-32_amd64.deb
sha:54684bfafd02deb4f5c95bc16d65ca95f351e7f6
alt-python36-debug_3.6.15-32_amd64.deb
sha:e028f7a28ad04d62a7aca51877c6a35ecac2a505
alt-python36-devel_3.6.15-32_amd64.deb
sha:de09601f17bce6fa9759d5a6b50509838e54d84c
alt-python36-libs_3.6.15-32_amd64.deb
sha:0c4600be5e5c490dd2ae408ded935e5ca1072a59
alt-python36-test_3.6.15-32_amd64.deb
sha:3f8f19c4dc64b515cad2b54bd8ef042941515a83
alt-python36-tkinter_3.6.15-32_amd64.deb
sha:4ca01fc7a2d528fd60100e783f28a6ecb0c4a5da
alt-python36-tools_3.6.15-32_amd64.deb
sha:eabd6c3fd35df8bbcebf215e10fde5b6c85f42b1

Notes:

This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.