[CLSA-2026:1778151185] Fix CVE(s): CVE-2026-3446
Type:
security
Severity:
Moderate
Release date:
2026-05-07 11:31:50 UTC
Description:
* SECURITY UPDATE: binascii.a2b_base64 / base64.b64decode stop decoding after the first padded quad, silently dropping any excess data. The behaviour can lead to data being accepted that other implementations process differently.
  - debian/patches/CVE-2026-3446.patch: backport of upstream commits 4561f6418a (main), e31c55121620 (3.14), 1f9958f909c1 (3.13). Treats the pad character as non-alphabet data per RFC 4648 section 3.3: the loop in binascii_a2b_base64_impl no longer breaks out on a pad sequence; a `pads` counter tracks them so post-loop validation still raises "Incorrect padding" / "Invalid base64-encoded string" for inputs that do not satisfy `quad_pos + pads == 4`. The unused `done:` label is removed.
  - CVE-2026-3446
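An application-level guard for the behaviour described above, added here as an example and not taken from the advisory or the upstream patch: it rejects input that carries data after the first padded quad, whatever interpreter build is running. The function names and sample inputs are assumptions, and it assumes the standard alphabet with no whitespace or line breaks in the input.

```python
import base64
import string

# Standard base64 alphabet (RFC 4648 section 4), excluding the pad character.
B64_ALPHABET = frozenset((string.ascii_letters + string.digits + "+/").encode())


def excess_after_first_padded_quad(data: bytes) -> bytes:
    """Return whatever follows the first complete padded quad, or b"" if none.

    Non-empty output is input that a decoder stopping at the first padded
    quad would drop without raising. Assumes no whitespace before the pad.
    """
    first_pad = data.find(b"=")
    if first_pad < 0:
        return b""
    pads_needed = 4 - (first_pad % 4)  # 2 for "xx==", 1 for "xxx="
    end = first_pad + pads_needed
    if pads_needed > 2 or data[first_pad:end] != b"=" * pads_needed:
        return b""  # not a well-formed padded quad; strict_b64decode rejects it
    return data[end:]


def strict_b64decode(data: bytes) -> bytes:
    """Decode one canonical base64 segment; raise ValueError for anything else."""
    body = data.rstrip(b"=")
    pads = len(data) - len(body)
    if any(byte not in B64_ALPHABET for byte in body):
        # Also catches '=' in the middle of the input (data after padding).
        raise ValueError("non-alphabet data in base64 input")
    if pads > 2 or len(data) % 4 != 0:
        raise ValueError("incorrect padding")
    return base64.b64decode(data, validate=True)


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the advisory.
    for sample in (b"YQ==", b"YWI=", b"YQ==YmFk", b"YQ="):
        try:
            print(sample, "->", strict_b64decode(sample))
        except ValueError as exc:
            dropped = excess_after_first_padded_quad(sample)
            print(sample, "rejected:", exc, "| excess:", dropped)
```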
Updated packages:
  • alt-python39_3.9.23-13_amd64.deb
    sha:1a8ef2041b95f7eadc50e3b6c0612c09f0a23273
  • alt-python39-debug_3.9.23-13_amd64.deb
    sha:06853c62241462625a99d3db623bf7ef58daaa4c
  • alt-python39-devel_3.9.23-13_amd64.deb
    sha:1fc19265dec2a9ea80e794b8041687647092303e
  • alt-python39-idle_3.9.23-13_amd64.deb
    sha:4410a2e87a390f4d77179a3f8d6f6f6375ce920c
  • alt-python39-libs_3.9.23-13_amd64.deb
    sha:d0eb2143867cbc0c9cb987bb9510b3453f8f6b0f
  • alt-python39-test_3.9.23-13_amd64.deb
    sha:ee391c993e6fedd95b12b09b7aba5e1e211083a6
  • alt-python39-tkinter_3.9.23-13_amd64.deb
    sha:7f22c04d5393558551f672e6344ceb5b50e20570
  • alt-python39_3.9.23-13_arm64.deb
    sha:0bccf4ecc42fe9116e2e1ed2cf79ac7256f64e7b
  • alt-python39-debug_3.9.23-13_arm64.deb
    sha:d782e2deaad73cfa6ee7267e04340a6b9afbb52a
  • alt-python39-devel_3.9.23-13_arm64.deb
    sha:4375176e6efddc8d60e01e510160e9cdc3633f7c
  • alt-python39-idle_3.9.23-13_arm64.deb
    sha:fcc2fde990606447d0283d60c85e3c153a9407b8
  • alt-python39-libs_3.9.23-13_arm64.deb
    sha:a563d2cf0cf346ec22c6cf6b3599aa3fe69363aa
  • alt-python39-test_3.9.23-13_arm64.deb
    sha:3bcd064b7c7be9ca1bfaaeae8c76bc052aa41f61
  • alt-python39-tkinter_3.9.23-13_arm64.deb
    sha:63c03af6dc5d067048520eaaa3e575b69721d8a6
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.