[CLSA-2025:1759247489] Fix of 7 CVEs
Type:
security
Severity:
Critical
Release date:
2025-09-30 17:11:54 UTC
Description:
* SECURITY UPDATE: DoS, buffer overflow in SHA3, possible blocklist-bypass redirection vulnerability in http.server, regex DoS, quadratic complexity, pathname quoting for venv
  - debian/patches/CVE-2022-37454.patch: fix a buffer overflow in Modules/_sha3/kcp/KeccakSponge.inc, Lib/test/test_hashlib.py (LP: #1995197).
  - debian/patches/CVE-2022-45061.patch: fix quadratic-time IDNA decoding in Lib/encodings/idna.py, Lib/test/test_codecs.py.
  - debian/patches/CVE-2023-24329.patch: enforce that a scheme must begin with an alphabetical ASCII character in Lib/urllib/parse.py, Lib/test/test_urlparse.py; start stripping C0 control and space characters in `urlsplit`.
  - debian/patches/CVE-2021-28861.patch: fix an open redirection vulnerability in the `http.server` module when a URI path starts with `//`.
  - debian/patches/CVE-2024-6232.patch: fix a header parsing vulnerability that could lead to ReDoS.
  - debian/patches/CVE-2024-7592.patch: fix quadratic complexity in parsing "-quoted cookie values with backslashes.
  - debian/patches/CVE-2024-9287.patch: quote template strings in `venv` activation.
  - CVE-2022-37454
  - CVE-2022-45061
  - CVE-2023-24329
  - CVE-2021-28861
  - CVE-2024-6232
  - CVE-2024-7592
  - CVE-2024-9287
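The CVE-2023-24329 entry above describes a parser behaviour that matters to anyone filtering URLs by scheme: if a blocklist reads `urlsplit(url).scheme` and the URL starts with whitespace or a control character, an unpatched parser reports an empty scheme and the filter never sees the real one. The following is an added example, not code from the CloudLinux package or from CPython; it shows the defensive pre-check the patch's wording implies (strip leading C0 controls and spaces, then require the scheme to start with an ASCII letter and fail closed on anything else). The names `normalize_url`, `extract_scheme`, `is_allowed` and `_LEADING_JUNK`, the sample URLs, and the allowlist contents are all constructed for this example.

```python
"""Scheme-allowlisting that does not depend on a patched urlsplit().

Added example (not CloudLinux or CPython code). Mirrors the behaviour the
CVE-2023-24329 patch adds: leading C0 control characters and spaces are
stripped, and a scheme is only accepted if it begins with an ASCII letter
(RFC 3986 section 3.1). Anything else is treated as "no scheme" and rejected.
"""
import re
from urllib.parse import urlsplit

# RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
_SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*$")

# C0 control characters (U+0000..U+001F) plus the space character; these are
# the characters the advisory says urlsplit now strips from the front of a URL.
_LEADING_JUNK = "".join(chr(c) for c in range(0x20)) + " "


def normalize_url(url: str) -> str:
    """Drop leading C0 control characters and spaces before any parsing."""
    return url.lstrip(_LEADING_JUNK)


def extract_scheme(url: str) -> str:
    """Return the lower-cased scheme of url, or '' if none is well-formed.

    A URL with no ':' (a relative reference), or whose candidate scheme does
    not match RFC 3986 (e.g. starts with a digit or a slash), yields ''.
    """
    cleaned = normalize_url(url)
    scheme, sep, _rest = cleaned.partition(":")
    if not sep or not _SCHEME_RE.match(scheme):
        return ""
    return scheme.lower()


def is_allowed(url: str, allowed_schemes=frozenset({"http", "https"})) -> bool:
    """Allowlist check: True only for a well-formed scheme in allowed_schemes.

    Failing closed on an empty scheme is the point: a filter that only
    *blocks* known-bad schemes lets an unparseable URL through, which is the
    bypass pattern the CVE describes.
    """
    scheme = extract_scheme(url)
    return bool(scheme) and scheme in allowed_schemes


if __name__ == "__main__":
    # Constructed samples: the first carries a leading space, the second a NUL.
    for sample in (" file:///tmp/x", "\x00https://example.com/", "1http://example.com"):
        print(repr(sample))
        # What the running interpreter's urlsplit() reports (varies by patch level).
        print("  urlsplit scheme :", repr(urlsplit(sample).scheme))
        # What the hardened check reports, independent of interpreter version.
        print("  hardened scheme :", repr(extract_scheme(sample)))
        print("  allowed         :", is_allowed(sample))
```

Run it on an interpreter with and without the CVE-2023-24329 patch and compare the two "scheme" lines for the leading-space sample; the hardened check gives the same answer on both. The design choice is an allowlist rather than a blocklist: with an allowlist, a URL the parser cannot classify is rejected instead of waved through.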
Updated packages:
  • alt-python36_3.6.15-14_amd64.deb
    sha:63a1b920cc61988763d44548d2f7f4279935dbf8
  • alt-python36-debug_3.6.15-14_amd64.deb
    sha:0a687eb22a872308425010e63be5fb78fbdab487
  • alt-python36-devel_3.6.15-14_amd64.deb
    sha:a8b3e201811bc21b360394efb5e4c9e3c4336c2a
  • alt-python36-libs_3.6.15-14_amd64.deb
    sha:1a435dd5ff02fb842d5d57919c13c5f04a92414a
  • alt-python36-test_3.6.15-14_amd64.deb
    sha:e11d24345046810fac731e5fb9e19d755cc8e05c
  • alt-python36-tkinter_3.6.15-14_amd64.deb
    sha:94b208d016e906a0f6d6e4402f04e4e3b975304b
  • alt-python36-tools_3.6.15-14_amd64.deb
    sha:9e74a2bf3c6e4b716e8a5721ab3f13e373c9ffa1
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.