[CLSA-2026:1777630252] alt-python27: Fix of 4 CVEs
Type: security
Severity: Important
Release date: 2026-05-01 10:10:57 UTC
Description:
- CVE-2026-1299: email.Generator now rejects header *values* containing CR/LF that are not followed by folding whitespace by raising HeaderWriteError. In Python 2.7 (which lacks BytesGenerator) this single Generator-class hardening covers both upstream CVE-2026-1299 and CVE-2024-6923.
- CVE-2024-6923: email.Generator now rejects header *names* containing CR/LF that are not followed by folding whitespace by raising HeaderWriteError, preventing header injection through the header name.
- CVE-2024-0397: ssl.SSLContext.cert_store_stats and get_ca_certs now deep-copy the X509_STORE under X509_STORE_lock (via a backport of OpenSSL 3.3's X509_STORE_get1_objects), fixing a memory race when an SSLContext is shared across threads.
- CVE-2021-28861: BaseHTTPServer now collapses any leading run of '/' in the request path to a single '/' to prevent an open-redirect via //evil.example/... URIs in 301 Location headers.
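The input rules described for the email and BaseHTTPServer fixes can also be checked on the application side before data reaches the library. The following is an added example, not the CloudLinux or CPython patch code; the function names and sample headers are hypothetical, and it assumes a line break at the very end of a header name or value is also treated as unfolded.

```python
# Added illustration (not the CloudLinux or CPython patch): application-side
# checks that mirror the input rules described in the advisory.
# Runs on Python 2.7 and 3.
import re

# CR, LF or CRLF that is NOT followed by folding whitespace (space or tab).
# Assumption: a line break at the very end of the text also counts as unfolded.
_UNFOLDED_NEWLINE = re.compile(r'\r\n(?![ \t])|\r(?![\n \t])|\n(?![ \t])')


def has_unfolded_newline(text):
    """True if text contains a line break that is not a valid header fold."""
    return _UNFOLDED_NEWLINE.search(text) is not None


def find_bad_headers(headers):
    """Return [(index, part)] for each header name or value that would be refused.

    headers is a list of (name, value) pairs; part is 'name' or 'value'.
    """
    bad = []
    for index, (name, value) in enumerate(headers):
        if has_unfolded_newline(name):
            bad.append((index, 'name'))
        if has_unfolded_newline(value):
            bad.append((index, 'value'))
    return bad


def collapse_leading_slashes(path):
    """Reduce a leading run of '/' to one, so '//host/x' cannot be read as a
    scheme-relative URL when echoed into a Location header."""
    if path.startswith('//'):
        return '/' + path.lstrip('/')
    return path


# Constructed sample input (example.test is a reserved test domain).
SAMPLE_HEADERS = [
    ('Subject', 'Quarterly report'),                       # clean
    ('Subject', 'Long subject\r\n continued on a fold'),   # legal folded value
    ('Subject', 'Hello\r\nBcc: extra@example.test'),       # value smuggles a header
    ('X-Note\nBcc', 'extra@example.test'),                 # name smuggles a header
]

if __name__ == '__main__':
    print(find_bad_headers(SAMPLE_HEADERS))
    print(collapse_leading_slashes('//example.test/%2e%2e'))
```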
Updated packages:
  • alt-python27-2.7.18-30.el8.x86_64.rpm
    sha:0f1d5a12a7c94cdee8e5ca4e1b112a7ae1987830ad2b896419e0921330491475
  • alt-python27-debug-2.7.18-30.el8.x86_64.rpm
    sha:553d07e1ee3166c54ed0c3f73633257a4b937efd292e25f57e6ba2c211121963
  • alt-python27-devel-2.7.18-30.el8.x86_64.rpm
    sha:2155447dd22f675218e784096d3d8f3fbb7df486727f1654967c968dde6e3e29
  • alt-python27-libs-2.7.18-30.el8.x86_64.rpm
    sha:ae1beb081051f5f168f4e9a5bd979516aebea1164d3066a2c111c2a4bf8da2b3
  • alt-python27-test-2.7.18-30.el8.x86_64.rpm
    sha:dc9782e5cc9b5f4602c085c451eb4b89c9c8d51d53362c0c287d1a910a86da94
  • alt-python27-tkinter-2.7.18-30.el8.x86_64.rpm
    sha:ea5e3d8448164276eefb1175fd1b191054f2208fc396ec3aba45113de4873a33
  • alt-python27-tools-2.7.18-30.el8.x86_64.rpm
    sha:4fda04784bbfb9c5d589d528ac026be3069791bc0c319c457d97712fa81c631f
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.