[CLSA-2026:1781173352] Fix CVE(s): CVE-2025-13462, CVE-2026-0672, CVE-2026-3644, CVE-2026-4224
Type:
security
Severity:
Critical
Release date:
2026-06-11 10:26:46 UTC
Description:
* SECURITY UPDATE: C stack overflow (DoS) in pyexpat when parsing deeply nested DTD content models
  - debian/patches/CVE-2026-4224.patch: guard conv_content_model() in Modules/pyexpat.c with Py_EnterRecursiveCall/Py_LeaveRecursiveCall to bound recursion when a registered ElementDeclHandler converts a deeply nested content model.
  - CVE-2026-4224
* SECURITY UPDATE: HTTP header injection via control characters in cookies
  - debian/patches/CVE-2026-0672.patch: add _has_control_character() and reject control characters in Morsel.__setitem__()/setdefault()/set() and BaseCookie.output() in Lib/http/cookies.py.
  - CVE-2026-0672
* SECURITY UPDATE: incomplete fix for CVE-2026-0672 (control characters in cookies via additional Morsel paths)
  - debian/patches/CVE-2026-3644.patch: reject control characters in Morsel.update(), Morsel.__setstate__() and Morsel.js_output() in Lib/http/cookies.py.
  - CVE-2026-3644
* SECURITY UPDATE: tarfile member type confusion (regular file parsed as directory) via GNU long name/link headers
  - debian/patches/CVE-2025-13462.patch: skip the AREGTYPE->DIRTYPE normalization while reading GNU LONGNAME/LONGLINK and PAX follow-up headers (dircheck=False) in Lib/tarfile.py.
  - CVE-2025-13462
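
An application-side guard in the spirit of the two cookie fixes above, for code that must also run on interpreters that have not yet received the update. This is an added example, not the contents of the patches; the function names and the control-character range (0x00-0x1F plus 0x7F) are assumptions.

```python
import re
from http.cookies import SimpleCookie

# Assumption: "control character" means the C0 range (0x00-0x1F) and DEL (0x7F).
_CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")


def find_control_chars(text):
    """Return (offset, codepoint) for every control character in text."""
    return [(m.start(), ord(m.group())) for m in _CONTROL_RE.finditer(str(text))]


def build_set_cookie(name, value, **attrs):
    """Validate every field, then return one Set-Cookie header line.

    Raises ValueError naming the offending field instead of emitting a
    header line that an embedded CR/LF could split in two.
    """
    fields = {"name": name, "value": value}
    fields.update(attrs)
    for field, content in fields.items():
        hits = find_control_chars(content)
        if hits:
            offset, codepoint = hits[0]
            raise ValueError("control character 0x%02x at offset %d in %s"
                             % (codepoint, offset, field))
    cookie = SimpleCookie()
    cookie[name] = value
    for attr, content in attrs.items():
        # Attribute assignment goes through Morsel.__setitem__(), one of the
        # paths the advisory lists; it is only reached with validated input.
        cookie[name][attr] = content
    return cookie.output()


if __name__ == "__main__":
    # Constructed samples: one clean Path attribute, one carrying CR/LF.
    for path in ("/app", "/app\r\nX-Injected: 1"):
        try:
            print(build_set_cookie("session", "abc123", path=path))
        except ValueError as exc:
            print("rejected:", exc)
```

Validating before the value reaches `http.cookies` gives the same result on patched and unpatched interpreters, and the `ValueError` text identifies which field to log.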
Updated packages:
  • idle-python3.5_3.5.2-2ubuntu0~16.04.13+tuxcare.els26_all.deb
    sha:5ce9c1aff06c898c03dacf4d941679026f6e1160
  • libpython3.5_3.5.2-2ubuntu0~16.04.13+tuxcare.els26_amd64.deb
    sha:39b613cd83a72f7734bd429ff8f30b213e0e53d0
  • libpython3.5-dev_3.5.2-2ubuntu0~16.04.13+tuxcare.els26_amd64.deb
    sha:fe0b4083d9a12dde15272b2fbcf67e432b6996ca
  • libpython3.5-minimal_3.5.2-2ubuntu0~16.04.13+tuxcare.els26_amd64.deb
    sha:3549c79c3df1de1e836c6fe4702be13d8d676736
  • libpython3.5-stdlib_3.5.2-2ubuntu0~16.04.13+tuxcare.els26_amd64.deb
    sha:e4b9fc270eda1ec2c47c863d3c75d754d4b4fdcc
  • libpython3.5-testsuite_3.5.2-2ubuntu0~16.04.13+tuxcare.els26_all.deb
    sha:f83df7333f2cdf6d93558386fa62a9455d360521
  • python3.5_3.5.2-2ubuntu0~16.04.13+tuxcare.els26_amd64.deb
    sha:b31c3b866d1a0dafb2ac83d6093ef41decf35cd6
  • python3.5-dev_3.5.2-2ubuntu0~16.04.13+tuxcare.els26_amd64.deb
    sha:92d121fcbeebe211f75ca4b10aaa3487adbac267
  • python3.5-doc_3.5.2-2ubuntu0~16.04.13+tuxcare.els26_all.deb
    sha:3540568136fb2e284c615c77a71923720dfba79f
  • python3.5-examples_3.5.2-2ubuntu0~16.04.13+tuxcare.els26_all.deb
    sha:f706d0dff0c98dd2f6f10458c7ed30fc043aef6f
  • python3.5-minimal_3.5.2-2ubuntu0~16.04.13+tuxcare.els26_amd64.deb
    sha:7fe7bd8e75ff1a038901399e440de2aab0cc686e
  • python3.5-venv_3.5.2-2ubuntu0~16.04.13+tuxcare.els26_amd64.deb
    sha:1e0c789ffb2a91ff52e671c548e8566b3863952e
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.