{
  "document": {
    "aggregate_severity": {
      "text": "Critical"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "TuxCare License Agreement",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.",
        "title": "Terms of Use"
      },
      {
        "category": "details",
        "text": "- CVE-2024-0450: zipfile raises BadZipFile on quoted-overlap archive\n  entries to prevent high-ratio zip bombs\n- CVE-2026-6100: use-after-free in lzma/bz2 decompressors when a\n  MemoryError leaves a stale next_in pointer on a re-used decompressor",
        "title": "Details"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://tuxcare.com/contact/",
      "name": "TuxCare",
      "namespace": "https://tuxcare.com/"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://cve.tuxcare.com/els-alt-python/releases/CLSA-2026:1777390475",
        "url": "https://cve.tuxcare.com/els-alt-python/releases/CLSA-2026:1777390475"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.tuxcare.com/csaf/v2/els_alt_python/el9/advisories/2026/clsa-2026_1777390475.json"
      }
    ],
    "tracking": {
      "current_release_date": "2026-04-28T15:35:20Z",
      "generator": {
        "date": "2026-04-28T15:35:20Z",
        "engine": {
          "name": "pyCSAF"
        }
      },
      "id": "CLSA-2026:1777390475",
      "initial_release_date": "2026-04-28T15:35:20Z",
      "revision_history": [
        {
          "date": "2026-04-28T15:35:20Z",
          "number": "1",
          "summary": "Initial version"
        }
      ],
      "status": "final",
      "version": "1"
    },
    "title": "alt-python36: Fix of 2 CVEs"
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Community Enterprise Operating System 9",
                "product": {
                  "name": "Community Enterprise Operating System 9",
                  "product_id": "CentOS-9",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:o:centos:centos:9:*:*:*:*:*:*:*"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Community Enterprise Operating System"
          }
        ],
        "category": "vendor",
        "name": "Cloud Linux Software, Inc."
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "alt-python36-debug-0:3.6.15-21.el9.x86_64",
                "product": {
                  "name": "alt-python36-debug-0:3.6.15-21.el9.x86_64",
                  "product_id": "alt-python36-debug-0:3.6.15-21.el9.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/alt-python36-debug@3.6.15-21.el9?arch=x86_64&os_name=centos&os_version=9"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "alt-python36-0:3.6.15-21.el9.x86_64",
                "product": {
                  "name": "alt-python36-0:3.6.15-21.el9.x86_64",
                  "product_id": "alt-python36-0:3.6.15-21.el9.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/alt-python36@3.6.15-21.el9?arch=x86_64&os_name=centos&os_version=9"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "alt-python36-libs-0:3.6.15-21.el9.x86_64",
                "product": {
                  "name": "alt-python36-libs-0:3.6.15-21.el9.x86_64",
                  "product_id": "alt-python36-libs-0:3.6.15-21.el9.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/alt-python36-libs@3.6.15-21.el9?arch=x86_64&os_name=centos&os_version=9"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "alt-python36-test-0:3.6.15-21.el9.x86_64",
                "product": {
                  "name": "alt-python36-test-0:3.6.15-21.el9.x86_64",
                  "product_id": "alt-python36-test-0:3.6.15-21.el9.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/alt-python36-test@3.6.15-21.el9?arch=x86_64&os_name=centos&os_version=9"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "alt-python36-devel-0:3.6.15-21.el9.x86_64",
                "product": {
                  "name": "alt-python36-devel-0:3.6.15-21.el9.x86_64",
                  "product_id": "alt-python36-devel-0:3.6.15-21.el9.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/alt-python36-devel@3.6.15-21.el9?arch=x86_64&os_name=centos&os_version=9"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "alt-python36-tkinter-0:3.6.15-21.el9.x86_64",
                "product": {
                  "name": "alt-python36-tkinter-0:3.6.15-21.el9.x86_64",
                  "product_id": "alt-python36-tkinter-0:3.6.15-21.el9.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/alt-python36-tkinter@3.6.15-21.el9?arch=x86_64&os_name=centos&os_version=9"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "alt-python36-tools-0:3.6.15-21.el9.x86_64",
                "product": {
                  "name": "alt-python36-tools-0:3.6.15-21.el9.x86_64",
                  "product_id": "alt-python36-tools-0:3.6.15-21.el9.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/alt-python36-tools@3.6.15-21.el9?arch=x86_64&os_name=centos&os_version=9"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          }
        ],
        "category": "vendor",
        "name": "TuxCare"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "alt-python36-debug-0:3.6.15-21.el9.x86_64 as a component of Community Enterprise Operating System 9",
          "product_id": "CentOS-9:alt-python36-debug-0:3.6.15-21.el9.x86_64"
        },
        "product_reference": "alt-python36-debug-0:3.6.15-21.el9.x86_64",
        "relates_to_product_reference": "CentOS-9"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "alt-python36-0:3.6.15-21.el9.x86_64 as a component of Community Enterprise Operating System 9",
          "product_id": "CentOS-9:alt-python36-0:3.6.15-21.el9.x86_64"
        },
        "product_reference": "alt-python36-0:3.6.15-21.el9.x86_64",
        "relates_to_product_reference": "CentOS-9"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "alt-python36-libs-0:3.6.15-21.el9.x86_64 as a component of Community Enterprise Operating System 9",
          "product_id": "CentOS-9:alt-python36-libs-0:3.6.15-21.el9.x86_64"
        },
        "product_reference": "alt-python36-libs-0:3.6.15-21.el9.x86_64",
        "relates_to_product_reference": "CentOS-9"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "alt-python36-test-0:3.6.15-21.el9.x86_64 as a component of Community Enterprise Operating System 9",
          "product_id": "CentOS-9:alt-python36-test-0:3.6.15-21.el9.x86_64"
        },
        "product_reference": "alt-python36-test-0:3.6.15-21.el9.x86_64",
        "relates_to_product_reference": "CentOS-9"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "alt-python36-devel-0:3.6.15-21.el9.x86_64 as a component of Community Enterprise Operating System 9",
          "product_id": "CentOS-9:alt-python36-devel-0:3.6.15-21.el9.x86_64"
        },
        "product_reference": "alt-python36-devel-0:3.6.15-21.el9.x86_64",
        "relates_to_product_reference": "CentOS-9"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "alt-python36-tkinter-0:3.6.15-21.el9.x86_64 as a component of Community Enterprise Operating System 9",
          "product_id": "CentOS-9:alt-python36-tkinter-0:3.6.15-21.el9.x86_64"
        },
        "product_reference": "alt-python36-tkinter-0:3.6.15-21.el9.x86_64",
        "relates_to_product_reference": "CentOS-9"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "alt-python36-tools-0:3.6.15-21.el9.x86_64 as a component of Community Enterprise Operating System 9",
          "product_id": "CentOS-9:alt-python36-tools-0:3.6.15-21.el9.x86_64"
        },
        "product_reference": "alt-python36-tools-0:3.6.15-21.el9.x86_64",
        "relates_to_product_reference": "CentOS-9"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-6100",
      "cwe": {
        "id": "CWE-825",
        "name": "Expired Pointer Dereference"
      },
      "notes": [
        {
          "category": "description",
          "text": "Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition.\nThe vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. Using the helper functions to one-shot decompress data, such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()`, is not affected, as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "CentOS-9:alt-python36-0:3.6.15-21.el9.x86_64",
          "CentOS-9:alt-python36-debug-0:3.6.15-21.el9.x86_64",
          "CentOS-9:alt-python36-devel-0:3.6.15-21.el9.x86_64",
          "CentOS-9:alt-python36-libs-0:3.6.15-21.el9.x86_64",
          "CentOS-9:alt-python36-test-0:3.6.15-21.el9.x86_64",
          "CentOS-9:alt-python36-tkinter-0:3.6.15-21.el9.x86_64",
          "CentOS-9:alt-python36-tools-0:3.6.15-21.el9.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els-alt-python/cve/CVE-2026-6100"
        }
      ],
      "release_date": "2026-04-13T17:15:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-28T15:34:39.587123Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els-alt-python/releases/CLSA-2026:1777390475",
          "product_ids": [
            "CentOS-9:alt-python36-0:3.6.15-21.el9.x86_64",
            "CentOS-9:alt-python36-debug-0:3.6.15-21.el9.x86_64",
            "CentOS-9:alt-python36-devel-0:3.6.15-21.el9.x86_64",
            "CentOS-9:alt-python36-libs-0:3.6.15-21.el9.x86_64",
            "CentOS-9:alt-python36-test-0:3.6.15-21.el9.x86_64",
            "CentOS-9:alt-python36-tkinter-0:3.6.15-21.el9.x86_64",
            "CentOS-9:alt-python36-tools-0:3.6.15-21.el9.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els-alt-python/releases/CLSA-2026:1777390475"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CentOS-9:alt-python36-0:3.6.15-21.el9.x86_64",
            "CentOS-9:alt-python36-debug-0:3.6.15-21.el9.x86_64",
            "CentOS-9:alt-python36-devel-0:3.6.15-21.el9.x86_64",
            "CentOS-9:alt-python36-libs-0:3.6.15-21.el9.x86_64",
            "CentOS-9:alt-python36-test-0:3.6.15-21.el9.x86_64",
            "CentOS-9:alt-python36-tkinter-0:3.6.15-21.el9.x86_64",
            "CentOS-9:alt-python36-tools-0:3.6.15-21.el9.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ]
    },
    {
      "cve": "CVE-2024-0450",
      "cwe": {
        "id": "CWE-450",
        "name": "Multiple Interpretations of UI Input"
      },
      "notes": [
        {
          "category": "description",
          "text": "An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.\nThe zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython make the zipfile module reject zip archives which contain overlapping entries.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "CentOS-9:alt-python36-0:3.6.15-21.el9.x86_64",
          "CentOS-9:alt-python36-debug-0:3.6.15-21.el9.x86_64",
          "CentOS-9:alt-python36-devel-0:3.6.15-21.el9.x86_64",
          "CentOS-9:alt-python36-libs-0:3.6.15-21.el9.x86_64",
          "CentOS-9:alt-python36-test-0:3.6.15-21.el9.x86_64",
          "CentOS-9:alt-python36-tkinter-0:3.6.15-21.el9.x86_64",
          "CentOS-9:alt-python36-tools-0:3.6.15-21.el9.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els-alt-python/cve/CVE-2024-0450"
        }
      ],
      "release_date": "2024-03-19T00:00:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-28T15:34:39.587123Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els-alt-python/releases/CLSA-2026:1777390475",
          "product_ids": [
            "CentOS-9:alt-python36-0:3.6.15-21.el9.x86_64",
            "CentOS-9:alt-python36-debug-0:3.6.15-21.el9.x86_64",
            "CentOS-9:alt-python36-devel-0:3.6.15-21.el9.x86_64",
            "CentOS-9:alt-python36-libs-0:3.6.15-21.el9.x86_64",
            "CentOS-9:alt-python36-test-0:3.6.15-21.el9.x86_64",
            "CentOS-9:alt-python36-tkinter-0:3.6.15-21.el9.x86_64",
            "CentOS-9:alt-python36-tools-0:3.6.15-21.el9.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els-alt-python/releases/CLSA-2026:1777390475"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 6.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CentOS-9:alt-python36-0:3.6.15-21.el9.x86_64",
            "CentOS-9:alt-python36-debug-0:3.6.15-21.el9.x86_64",
            "CentOS-9:alt-python36-devel-0:3.6.15-21.el9.x86_64",
            "CentOS-9:alt-python36-libs-0:3.6.15-21.el9.x86_64",
            "CentOS-9:alt-python36-test-0:3.6.15-21.el9.x86_64",
            "CentOS-9:alt-python36-tkinter-0:3.6.15-21.el9.x86_64",
            "CentOS-9:alt-python36-tools-0:3.6.15-21.el9.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ]
    }
  ]
}