[CLSA-2026:1781532248] Fix CVE(s): CVE-2025-15366, CVE-2025-15367
Type:
security
Severity:
Important
Release date:
2026-06-15 14:07:11 UTC
Description:
* SECURITY UPDATE: imaplib.IMAP4._command() concatenated each command argument into the wire-level command without inspecting it, so a caller passing user-controlled text could inject additional IMAP commands using CR/LF or other control characters. - debian/patches/CVE-2025-15366.patch: backport of cpython 6262704b (gh-143921, Seth Larson). Adds a module-level _control_chars regex and rejects any byte in [\x00-\x1F\x7F] with ValueError before concatenating each argument. Upstream-main-only fix; mirrors Red Hat's python3-3.6.8-21.el7_9.4 (RHSA-2026:6464). - CVE-2025-15366 * SECURITY UPDATE: poplib.POP3._putcmd() encoded its argument and sent it to the server without inspecting it, allowing the same command injection via user() / pass_() / apop() / rpop() / top(). - debian/patches/CVE-2025-15367.patch: backport of cpython b234a2b6 (gh-143923, Seth Larson). Rejects any byte in [\x00-\x1F\x7F] with ValueError before sending. Upstream-main-only fix; mirrors Red Hat's python3-3.6.8-21.el7_9.4 (RHSA-2026:6464). - CVE-2025-15367
CVEs fixed:
Updated packages:
  • alt-python36_3.6.15-38_amd64.deb
    sha:37b0237634e6da318e240396860a4d08e3dc8404
  • alt-python36-debug_3.6.15-38_amd64.deb
    sha:d21af5633c42200a364cd5938903374dae1d82d8
  • alt-python36-devel_3.6.15-38_amd64.deb
    sha:bb7226a11655801ea680ad68d36e455241e4b450
  • alt-python36-libs_3.6.15-38_amd64.deb
    sha:27344456dc1971661019fc866b9deb2614dd1c2f
  • alt-python36-test_3.6.15-38_amd64.deb
    sha:df3854dace0daf4b4554f5f62c2264f161fe03aa
  • alt-python36-tkinter_3.6.15-38_amd64.deb
    sha:4c7ba65d24a11c2e600019269f1f5545c1459975
  • alt-python36-tools_3.6.15-38_amd64.deb
    sha:2baeadfa570831ba6f5cc1553a48b6346fca2a17
  • alt-python36_3.6.15-38_arm64.deb
    sha:e3bd16c881ede2680da3efe505a8227e671eb447
  • alt-python36-debug_3.6.15-38_arm64.deb
    sha:5f9aa90d9f0553c3cac6f0eb75fd81532ac2e034
  • alt-python36-devel_3.6.15-38_arm64.deb
    sha:ff3f155b6fb74e47544f01723de1239b48d82bd9
  • alt-python36-libs_3.6.15-38_arm64.deb
    sha:27f299fb7a9744117b2292d2ba18e81d09b3f0cd
  • alt-python36-test_3.6.15-38_arm64.deb
    sha:8322fc31ed463579b206e7bec93d190908527666
  • alt-python36-tkinter_3.6.15-38_arm64.deb
    sha:ad46ba002d193b2727af9193e5cfc84ccb38594a
  • alt-python36-tools_3.6.15-38_arm64.deb
    sha:0bade341c6b89b3968df19698894cc52030bcf87
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.