[CLSA-2026:1778146199] Fix CVE(s): CVE-2026-3446
Type:
security
Severity:
Moderate
Release date:
2026-05-07 09:30:16 UTC
Description:
* SECURITY UPDATE: binascii.a2b_base64 / base64.b64decode stop decoding after the first padded quad, silently dropping any excess data. The behaviour can lead to data being accepted that other implementations process differently. - debian/patches/CVE-2026-3446.patch: backport of upstream commits 4561f6418a (main), e31c55121620 (3.14), 1f9958f909c1 (3.13). Treats the pad character as non-alphabet data per RFC 4648 section 3.3: the loop in binascii_a2b_base64_impl no longer breaks out on a pad sequence; a `pads` counter is added so post-loop validation still raises "Incorrect padding" / "Invalid base64-encoded string" for inputs that do not satisfy `quad_pos + pads == 4`. The unused `binascii_find_valid` helper is removed. - CVE-2026-3446
Updated packages:
  • alt-python38_3.8.20-15_amd64.deb
    sha:a4eb8e911f34803860c7ad8a4362ba062b6d9ad9
  • alt-python38-debug_3.8.20-15_amd64.deb
    sha:f7bd9e2df5788f2a7e5268c0b767969e26208df3
  • alt-python38-devel_3.8.20-15_amd64.deb
    sha:e0754ff137ed44b593d850c7d18cc1b01d9d49e3
  • alt-python38-idle_3.8.20-15_amd64.deb
    sha:b9af8ff7e89bdf2f28970020d904cdc700d71222
  • alt-python38-libs_3.8.20-15_amd64.deb
    sha:ff8a38f3527b5c30f7657428fa0220d8696c7b28
  • alt-python38-test_3.8.20-15_amd64.deb
    sha:617d601c58295d70c378f72e5ec59c9cf4a5b17b
  • alt-python38-tkinter_3.8.20-15_amd64.deb
    sha:6778ea7dc0fc69ec0159a4c976700b088826ef6b
  • alt-python38_3.8.20-15_arm64.deb
    sha:1c62a31d95cff0181fc0f61407574eb8438e7e03
  • alt-python38-debug_3.8.20-15_arm64.deb
    sha:64490d4389294504165d065b47aa26a3c54d5754
  • alt-python38-devel_3.8.20-15_arm64.deb
    sha:29c283f5caba2fd1f9deb431ac6219fee9b9ad83
  • alt-python38-idle_3.8.20-15_arm64.deb
    sha:f7b8bd335a315a2dd69188c4632563b5be5a8169
  • alt-python38-libs_3.8.20-15_arm64.deb
    sha:15badde3efcc97ae4717f88613fefaafd2bb00e1
  • alt-python38-test_3.8.20-15_arm64.deb
    sha:77a6e47c2262f33eeceb98a30f1182d8c7eebddb
  • alt-python38-tkinter_3.8.20-15_arm64.deb
    sha:16f18b73870518561aab995cbee1aded7814baff
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.