[CLSA-2026:1777623116] Fix CVE(s): CVE-2021-28861, CVE-2024-0397, CVE-2024-6923, CVE-2026-1299

Type:

security

Severity:

Important

Release date:

2026-05-01 08:12:01 UTC

Description:

   * SECURITY UPDATE: header injection via newline in email.Generator
     - debian/patches/CVE-2026-1299.patch: add HeaderWriteError exception
       to Lib/email/errors.py, add NEWLINE_WITHOUT_FWSP regex to
       Lib/email/generator.py and check the header *value* in all four
       branches of Generator._write_headers(), raising HeaderWriteError
       when a CR/LF without folding whitespace is found. Updates
       test_embedded_header_via_string_rejected to expect
       HeaderWriteError instead of HeaderParseError. In Python 2.7 this
       single Generator-class hardening covers both upstream
       CVE-2026-1299 (BytesGenerator) and CVE-2024-6923 because
       BytesGenerator does not exist in 2.7.
     - CVE-2026-1299
   * SECURITY UPDATE: missing header-name newline check in email.Generator
     - debian/patches/CVE-2024-6923.patch: add NEWLINE_WITHOUT_FWSP check
       on the header *name* at the top of Generator._write_headers() in
       Lib/email/generator.py, raising HeaderWriteError when a CR/LF
       without folding whitespace is found in the header name. Documents
       HeaderWriteError in Doc/library/email.errors.rst and adds a
       test_invalid_header_format regression test in
       Lib/email/test/test_email_renamed.py.
     - CVE-2024-6923
   * SECURITY UPDATE: ssl.SSLContext data race in cert_store_stats /
     get_ca_certs
     - debian/patches/CVE-2024-0397.patch: backport of upstream 3.8
       commit 29c97287d2 ("[3.8] gh-114572: Fix locking in
       cert_store_stats and get_ca_certs"). Adds a polyfill of
       OpenSSL 3.3's X509_STORE_get1_objects() (deep-copy under
       X509_STORE_lock()) and replaces the shared, unlocked
       X509_STORE_get0_objects() calls in cert_store_stats() and
       get_ca_certs() in Modules/_ssl.c, preventing a memory race
       and potential use-after-free when an SSLContext is shared
       across multiple threads.
     - CVE-2024-0397
   * SECURITY UPDATE: open redirect in BaseHTTPServer when path starts
     with //
     - debian/patches/CVE-2021-28861.patch: backport of upstream commit
       4abab6b603 ("gh-87389: Fix an open redirection vulnerability in
       http.server"). In Lib/BaseHTTPServer.py, after the request line
       is parsed, collapse any leading run of '/' characters to a
       single '/' so an attacker-controlled '//evil.example/...' path
       cannot become an absolute scheme-less URI in a 301 Location
       header. Adds a regression test in Lib/test/test_httpservers.py.
     - CVE-2021-28861

Updated packages:

alt-python27_2.7.18-17_amd64.deb
sha:f9280104e7e198d3df2cf2561721a78675d205a4
alt-python27-debug_2.7.18-17_amd64.deb
sha:a3415b1a9974aed28f069e34c994e1922f641a3f
alt-python27-devel_2.7.18-17_amd64.deb
sha:545bb8ebb96932fbcd9d3601f76a9ee6d1ce56f3
alt-python27-idle_2.7.18-17_amd64.deb
sha:60c5bef8ec54625ae8d1bc69fb7b1a20bfd32207
alt-python27-libs_2.7.18-17_amd64.deb
sha:b39e93796048e763f62daafb1872b1e823c2e3ba
alt-python27-test_2.7.18-17_amd64.deb
sha:a001839e0ffdf76e89d56a87e41ce986ac35c7c9
alt-python27-tkinter_2.7.18-17_amd64.deb
sha:a40baf3d843596d027f6eceef6baca10b2a89228
alt-python27-tools_2.7.18-17_amd64.deb
sha:83108794e93fa95ce95a0767d236e79fc0c640e3

Notes:

This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.