{
  "document": {
    "aggregate_severity": {
      "text": "Critical"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "TuxCare License Agreement",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.",
        "title": "Terms of Use"
      },
      {
        "category": "details",
        "text": "* SECURITY UPDATE: zipfile quoted-overlap zip bomb\n     - debian/patches/CVE-2024-0450.patch: raise BadZipFile when an\n       archive entry overlaps with another entry or the central\n       directory, preventing quoted-overlap zip bombs with extreme\n       compression ratios.\n     - CVE-2024-0450\n   * SECURITY UPDATE: use-after-free in lzma/bz2 decompressors\n     - debian/patches/CVE-2026-6100.patch: null next_in at the error:\n       label of decompress() in Modules/_bz2module.c and\n       Modules/_lzmamodule.c so the decompressor cannot be re-used\n       with a stale buffer pointer after a MemoryError.\n     - CVE-2026-6100",
        "title": "Details"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://tuxcare.com/contact/",
      "name": "TuxCare",
      "namespace": "https://tuxcare.com/"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://cve.tuxcare.com/els-alt-python/releases/CLSA-2026:1777384579",
        "url": "https://cve.tuxcare.com/els-alt-python/releases/CLSA-2026:1777384579"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.tuxcare.com/csaf/v2/els_alt_python/debian11/advisories/2026/clsa-2026_1777384579.json"
      }
    ],
    "tracking": {
      "current_release_date": "2026-04-28T13:57:04Z",
      "generator": {
        "date": "2026-04-28T13:57:04Z",
        "engine": {
          "name": "pyCSAF"
        }
      },
      "id": "CLSA-2026:1777384579",
      "initial_release_date": "2026-04-28T13:57:04Z",
      "revision_history": [
        {
          "date": "2026-04-28T13:57:04Z",
          "number": "1",
          "summary": "Initial version"
        }
      ],
      "status": "final",
      "version": "1"
    },
    "title": "Fix CVE(s): CVE-2024-0450, CVE-2026-6100"
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Debian 11",
                "product": {
                  "name": "Debian 11",
                  "product_id": "Debian-11",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:o:debian:debian_linux:11:*:*:*:*:*:*:*"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Debian"
          }
        ],
        "category": "vendor",
        "name": "Software in the Public Interest, Inc."
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "alt-python36-debug-0:3.6.15-30.amd64",
                "product": {
                  "name": "alt-python36-debug-0:3.6.15-30.amd64",
                  "product_id": "alt-python36-debug-0:3.6.15-30.amd64",
                  "product_identification_helper": {
                    "purl": "pkg:deb/tuxcare/alt-python36-debug@3.6.15-30?arch=amd64&os_name=debian&os_version=11"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "alt-python36-libs-0:3.6.15-30.amd64",
                "product": {
                  "name": "alt-python36-libs-0:3.6.15-30.amd64",
                  "product_id": "alt-python36-libs-0:3.6.15-30.amd64",
                  "product_identification_helper": {
                    "purl": "pkg:deb/tuxcare/alt-python36-libs@3.6.15-30?arch=amd64&os_name=debian&os_version=11"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "alt-python36-devel-0:3.6.15-30.amd64",
                "product": {
                  "name": "alt-python36-devel-0:3.6.15-30.amd64",
                  "product_id": "alt-python36-devel-0:3.6.15-30.amd64",
                  "product_identification_helper": {
                    "purl": "pkg:deb/tuxcare/alt-python36-devel@3.6.15-30?arch=amd64&os_name=debian&os_version=11"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "alt-python36-tkinter-0:3.6.15-30.amd64",
                "product": {
                  "name": "alt-python36-tkinter-0:3.6.15-30.amd64",
                  "product_id": "alt-python36-tkinter-0:3.6.15-30.amd64",
                  "product_identification_helper": {
                    "purl": "pkg:deb/tuxcare/alt-python36-tkinter@3.6.15-30?arch=amd64&os_name=debian&os_version=11"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "alt-python36-0:3.6.15-30.amd64",
                "product": {
                  "name": "alt-python36-0:3.6.15-30.amd64",
                  "product_id": "alt-python36-0:3.6.15-30.amd64",
                  "product_identification_helper": {
                    "purl": "pkg:deb/tuxcare/alt-python36@3.6.15-30?arch=amd64&os_name=debian&os_version=11"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "alt-python36-test-0:3.6.15-30.amd64",
                "product": {
                  "name": "alt-python36-test-0:3.6.15-30.amd64",
                  "product_id": "alt-python36-test-0:3.6.15-30.amd64",
                  "product_identification_helper": {
                    "purl": "pkg:deb/tuxcare/alt-python36-test@3.6.15-30?arch=amd64&os_name=debian&os_version=11"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "alt-python36-tools-0:3.6.15-30.amd64",
                "product": {
                  "name": "alt-python36-tools-0:3.6.15-30.amd64",
                  "product_id": "alt-python36-tools-0:3.6.15-30.amd64",
                  "product_identification_helper": {
                    "purl": "pkg:deb/tuxcare/alt-python36-tools@3.6.15-30?arch=amd64&os_name=debian&os_version=11"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          }
        ],
        "category": "vendor",
        "name": "TuxCare"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "alt-python36-debug-0:3.6.15-30.amd64 as a component of Debian 11",
          "product_id": "Debian-11:alt-python36-debug-0:3.6.15-30.amd64"
        },
        "product_reference": "alt-python36-debug-0:3.6.15-30.amd64",
        "relates_to_product_reference": "Debian-11"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "alt-python36-libs-0:3.6.15-30.amd64 as a component of Debian 11",
          "product_id": "Debian-11:alt-python36-libs-0:3.6.15-30.amd64"
        },
        "product_reference": "alt-python36-libs-0:3.6.15-30.amd64",
        "relates_to_product_reference": "Debian-11"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "alt-python36-devel-0:3.6.15-30.amd64 as a component of Debian 11",
          "product_id": "Debian-11:alt-python36-devel-0:3.6.15-30.amd64"
        },
        "product_reference": "alt-python36-devel-0:3.6.15-30.amd64",
        "relates_to_product_reference": "Debian-11"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "alt-python36-tkinter-0:3.6.15-30.amd64 as a component of Debian 11",
          "product_id": "Debian-11:alt-python36-tkinter-0:3.6.15-30.amd64"
        },
        "product_reference": "alt-python36-tkinter-0:3.6.15-30.amd64",
        "relates_to_product_reference": "Debian-11"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "alt-python36-0:3.6.15-30.amd64 as a component of Debian 11",
          "product_id": "Debian-11:alt-python36-0:3.6.15-30.amd64"
        },
        "product_reference": "alt-python36-0:3.6.15-30.amd64",
        "relates_to_product_reference": "Debian-11"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "alt-python36-test-0:3.6.15-30.amd64 as a component of Debian 11",
          "product_id": "Debian-11:alt-python36-test-0:3.6.15-30.amd64"
        },
        "product_reference": "alt-python36-test-0:3.6.15-30.amd64",
        "relates_to_product_reference": "Debian-11"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "alt-python36-tools-0:3.6.15-30.amd64 as a component of Debian 11",
          "product_id": "Debian-11:alt-python36-tools-0:3.6.15-30.amd64"
        },
        "product_reference": "alt-python36-tools-0:3.6.15-30.amd64",
        "relates_to_product_reference": "Debian-11"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-6100",
      "cwe": {
        "id": "CWE-825",
        "name": "Expired Pointer Dereference"
      },
      "notes": [
        {
          "category": "description",
          "text": "Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition.\nThe vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. Using the helper functions to one-shot decompress data, such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()`, is not affected, as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, that usage is similarly not vulnerable.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Debian-11:alt-python36-0:3.6.15-30.amd64",
          "Debian-11:alt-python36-debug-0:3.6.15-30.amd64",
          "Debian-11:alt-python36-devel-0:3.6.15-30.amd64",
          "Debian-11:alt-python36-libs-0:3.6.15-30.amd64",
          "Debian-11:alt-python36-test-0:3.6.15-30.amd64",
          "Debian-11:alt-python36-tkinter-0:3.6.15-30.amd64",
          "Debian-11:alt-python36-tools-0:3.6.15-30.amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els-alt-python/cve/CVE-2026-6100"
        }
      ],
      "release_date": "2026-04-13T17:15:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-28T13:56:23.683033Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els-alt-python/releases/CLSA-2026:1777384579",
          "product_ids": [
            "Debian-11:alt-python36-0:3.6.15-30.amd64",
            "Debian-11:alt-python36-debug-0:3.6.15-30.amd64",
            "Debian-11:alt-python36-devel-0:3.6.15-30.amd64",
            "Debian-11:alt-python36-libs-0:3.6.15-30.amd64",
            "Debian-11:alt-python36-test-0:3.6.15-30.amd64",
            "Debian-11:alt-python36-tkinter-0:3.6.15-30.amd64",
            "Debian-11:alt-python36-tools-0:3.6.15-30.amd64"
          ],
          "url": "https://cve.tuxcare.com/els-alt-python/releases/CLSA-2026:1777384579"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Debian-11:alt-python36-0:3.6.15-30.amd64",
            "Debian-11:alt-python36-debug-0:3.6.15-30.amd64",
            "Debian-11:alt-python36-devel-0:3.6.15-30.amd64",
            "Debian-11:alt-python36-libs-0:3.6.15-30.amd64",
            "Debian-11:alt-python36-test-0:3.6.15-30.amd64",
            "Debian-11:alt-python36-tkinter-0:3.6.15-30.amd64",
            "Debian-11:alt-python36-tools-0:3.6.15-30.amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ]
    },
    {
      "cve": "CVE-2024-0450",
      "cwe": {
        "id": "CWE-450",
        "name": "Multiple Interpretations of UI Input"
      },
      "notes": [
        {
          "category": "description",
          "text": "An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.\nThe zipfile module is vulnerable to “quoted-overlap” zip-bombs, which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython make the zipfile module reject zip archives whose entries overlap one another.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Debian-11:alt-python36-0:3.6.15-30.amd64",
          "Debian-11:alt-python36-debug-0:3.6.15-30.amd64",
          "Debian-11:alt-python36-devel-0:3.6.15-30.amd64",
          "Debian-11:alt-python36-libs-0:3.6.15-30.amd64",
          "Debian-11:alt-python36-test-0:3.6.15-30.amd64",
          "Debian-11:alt-python36-tkinter-0:3.6.15-30.amd64",
          "Debian-11:alt-python36-tools-0:3.6.15-30.amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els-alt-python/cve/CVE-2024-0450"
        }
      ],
      "release_date": "2024-03-19T00:00:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-28T13:56:23.683033Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els-alt-python/releases/CLSA-2026:1777384579",
          "product_ids": [
            "Debian-11:alt-python36-0:3.6.15-30.amd64",
            "Debian-11:alt-python36-debug-0:3.6.15-30.amd64",
            "Debian-11:alt-python36-devel-0:3.6.15-30.amd64",
            "Debian-11:alt-python36-libs-0:3.6.15-30.amd64",
            "Debian-11:alt-python36-test-0:3.6.15-30.amd64",
            "Debian-11:alt-python36-tkinter-0:3.6.15-30.amd64",
            "Debian-11:alt-python36-tools-0:3.6.15-30.amd64"
          ],
          "url": "https://cve.tuxcare.com/els-alt-python/releases/CLSA-2026:1777384579"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 6.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Debian-11:alt-python36-0:3.6.15-30.amd64",
            "Debian-11:alt-python36-debug-0:3.6.15-30.amd64",
            "Debian-11:alt-python36-devel-0:3.6.15-30.amd64",
            "Debian-11:alt-python36-libs-0:3.6.15-30.amd64",
            "Debian-11:alt-python36-test-0:3.6.15-30.amd64",
            "Debian-11:alt-python36-tkinter-0:3.6.15-30.amd64",
            "Debian-11:alt-python36-tools-0:3.6.15-30.amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ]
    }
  ]
}