[CLSA-2026:1778146538] Fix CVE(s): CVE-2026-3446
Type:
security
Severity:
Moderate
Release date:
2026-05-07 09:35:45 UTC
Description:
* SECURITY UPDATE: binascii.a2b_base64 / base64.b64decode stop decoding after the first padded quad, silently dropping any excess data. The behaviour can lead to data being accepted that other implementations process differently. - debian/patches/CVE-2026-3446.patch: backport of upstream commits 4561f6418a (main), e31c55121620 (3.14), 1f9958f909c1 (3.13). Treats the pad character as non-alphabet data per RFC 4648 section 3.3: the loop in binascii_a2b_base64_impl no longer breaks out on a pad sequence; a `pads` counter is added so post-loop validation still raises "Incorrect padding" / "Invalid base64-encoded string" for inputs that do not satisfy `quad_pos + pads == 4`. The unused `binascii_find_valid` helper is removed. - CVE-2026-3446
Updated packages:
  • alt-python38_3.8.20-15_amd64.deb
    sha:a57522ad830aceaa457f819cc886cbb6379064f7
  • alt-python38-debug_3.8.20-15_amd64.deb
    sha:ec6e4304cf78ed5df11191af88c5c660d477d748
  • alt-python38-devel_3.8.20-15_amd64.deb
    sha:372bc5bff3f4f432240fb4dc1b6ba97632dd60da
  • alt-python38-idle_3.8.20-15_amd64.deb
    sha:80fc4719ef47830b8f651a414d038c556d0dd57b
  • alt-python38-libs_3.8.20-15_amd64.deb
    sha:8f1cf0f3f6aac2d0319980ac554a51f75769778c
  • alt-python38-test_3.8.20-15_amd64.deb
    sha:02ab72bceb808c4da4c23a7091526ea3a2b21915
  • alt-python38-tkinter_3.8.20-15_amd64.deb
    sha:a7ed514f367d92c21ccc603de895698f981a45f8
  • alt-python38_3.8.20-15_arm64.deb
    sha:7c8c5afadc090f64e1ef2ef9783ba99c27ab2603
  • alt-python38-debug_3.8.20-15_arm64.deb
    sha:85d1a9fb2f4a4bccb02a82aa91002b55c969af3a
  • alt-python38-devel_3.8.20-15_arm64.deb
    sha:0d2b8be00874cb9f6d285e412f08e62872c66713
  • alt-python38-idle_3.8.20-15_arm64.deb
    sha:ff35d08e630f9192646b7cdc50f4daef1e353577
  • alt-python38-libs_3.8.20-15_arm64.deb
    sha:57c7fbb9bdfc23a5cbdbbaf07a0151e04bcf2bd7
  • alt-python38-test_3.8.20-15_arm64.deb
    sha:00bfbd15da6cdcbd018b279e3783506d050be31f
  • alt-python38-tkinter_3.8.20-15_arm64.deb
    sha:66cb5bbb06ca1eec01b5833c9089de1cbb45be90
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.