[CLSA-2026:1781174666] Fix CVE(s): CVE-2025-13462, CVE-2026-0672, CVE-2026-3644, CVE-2026-4224
Type:
security
Severity:
Critical
Release date:
2026-06-11 10:47:05 UTC
Description:
  * SECURITY UPDATE: C stack overflow (DoS) in pyexpat when parsing deeply nested DTD content models
    - debian/patches/CVE-2026-4224.patch: guard conv_content_model() in Modules/pyexpat.c with Py_EnterRecursiveCall/Py_LeaveRecursiveCall to bound recursion when a registered ElementDeclHandler converts a deeply nested content model.
    - CVE-2026-4224
  * SECURITY UPDATE: HTTP header injection via control characters in cookies
    - debian/patches/CVE-2026-0672.patch: add _has_control_character() and reject control characters in Morsel.__setitem__()/setdefault()/set() and BaseCookie.output() in Lib/http/cookies.py.
    - CVE-2026-0672
  * SECURITY UPDATE: incomplete fix for CVE-2026-0672 (control characters in cookies via additional Morsel paths)
    - debian/patches/CVE-2026-3644.patch: reject control characters in Morsel.update(), Morsel.__setstate__() and Morsel.js_output() in Lib/http/cookies.py.
    - CVE-2026-3644
  * SECURITY UPDATE: tarfile member type confusion (regular file parsed as directory) via GNU long name/link headers
    - debian/patches/CVE-2025-13462.patch: skip the AREGTYPE->DIRTYPE normalization while reading GNU LONGNAME/LONGLINK and PAX follow-up headers (dircheck=False) in Lib/tarfile.py.
    - CVE-2025-13462
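
For the two cookie fixes (CVE-2026-0672, CVE-2026-3644), the following added example is not part of the advisory or of the patches. It probes whether the running interpreter's Morsel rejects a control character and shows an application-side guard that validates every cookie field before it reaches http.cookies. The names has_control_character, stdlib_rejects_controls and build_set_cookie are hypothetical, and treating "control character" as 0x00-0x1F plus 0x7F is an assumption.

```python
import re
from http.cookies import CookieError, Morsel, SimpleCookie

# Assumption: "control character" = C0 controls (0x00-0x1F) and DEL (0x7F).
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def has_control_character(*values):
    """True if any value, as text, contains a control character."""
    return any(_CONTROL.search(str(v)) for v in values)


def stdlib_rejects_controls():
    """Probe whether this interpreter's Morsel refuses a control character
    in an attribute, which is what the update describes for __setitem__()."""
    try:
        Morsel()["path"] = "/\n"  # constructed probe value
    except CookieError:
        return True
    return False


def build_set_cookie(name, value, **attrs):
    """Validate every field, then let http.cookies render the header.
    Raises ValueError before any unvalidated text reaches the stdlib."""
    if has_control_character(name, value, *attrs.values()):
        raise ValueError("control character in cookie field")
    jar = SimpleCookie()
    jar[name] = value
    for key, val in attrs.items():
        jar[name][key] = val
    return jar.output(header="Set-Cookie:")


if __name__ == "__main__":
    print("stdlib rejects control characters:", stdlib_rejects_controls())
    print(build_set_cookie("session", "abc123", path="/app"))
    try:
        # Constructed input: an attribute carrying CR/LF.
        build_set_cookie("session", "abc123", path="/app\r\nX-Constructed: 1")
    except ValueError as exc:
        print("rejected:", exc)
```

The guard behaves the same on patched and unpatched interpreters, so it can stay in place as defence in depth after the update is installed.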
Updated packages:
  • idle-python3.6_3.6.9-1~18.04ubuntu1.12+tuxcare.els23_all.deb
    sha:4b603820ccb8bff5ba7aa71741c7c3d1668ddc4e
  • libpython3.6_3.6.9-1~18.04ubuntu1.12+tuxcare.els23_amd64.deb
    sha:275d90474437784796fc93188edbb4436a278ede
  • libpython3.6-dev_3.6.9-1~18.04ubuntu1.12+tuxcare.els23_amd64.deb
    sha:80df3efb32eae298aab7ced43ce6dadfeff15396
  • libpython3.6-minimal_3.6.9-1~18.04ubuntu1.12+tuxcare.els23_amd64.deb
    sha:2577fbc00a6ac03e26792ced204a78e96caaee64
  • libpython3.6-stdlib_3.6.9-1~18.04ubuntu1.12+tuxcare.els23_amd64.deb
    sha:2c9249a17e19ecbc294f793e66fb39ecc6af5d09
  • libpython3.6-testsuite_3.6.9-1~18.04ubuntu1.12+tuxcare.els23_all.deb
    sha:da649410c74e082e69ade416e939300e94b7dea8
  • python3.6_3.6.9-1~18.04ubuntu1.12+tuxcare.els23_amd64.deb
    sha:899b1c97f22920283ee8822e0d28f18134688d43
  • python3.6-dev_3.6.9-1~18.04ubuntu1.12+tuxcare.els23_amd64.deb
    sha:c2e517196c188c42d9714043669d1eb66b47154d
  • python3.6-doc_3.6.9-1~18.04ubuntu1.12+tuxcare.els23_all.deb
    sha:b040e0891b3a8efa25b313b7b3851f02f3ea57df
  • python3.6-examples_3.6.9-1~18.04ubuntu1.12+tuxcare.els23_all.deb
    sha:f1460a8d35f53d074a9ccb38913f92d1c5cb5f24
  • python3.6-minimal_3.6.9-1~18.04ubuntu1.12+tuxcare.els23_amd64.deb
    sha:4a5ae10fe9560b9315588ef3ec01f1b5cc5272a1
  • python3.6-venv_3.6.9-1~18.04ubuntu1.12+tuxcare.els23_amd64.deb
    sha:30bf0fbb54f20babb5f5806f6d2b2f1af3975aff
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.