|
|
Log in / Subscribe / Register

AlmaLinux alert ALSA-2026:19064 (python3.12)



From:
              AlmaLinux Errata Notifications via Announce <announce@lists.almalinux.org>


To:
              announce@lists.almalinux.org


Subject:
              [Announce]  [Security Advisory] ALSA-2026:19064: python3.12 security update (Important)


Date:
              Tue, 26 May 2026 19:24:23 +0000


Message-ID:
              <0100019e65becd33-01a60009-5b59-44bc-907b-354e2d148f3d-000000@email.amazonses.com>


Archive-link:
              Article


Hi,

You are receiving an AlmaLinux Security update email because you subscribed to receive errata
notifications from AlmaLinux.

AlmaLinux: 10
Type: Security
Severity: Important
Release date: 2026-05-26

Summary:

Python is an interpreted, interactive, object-oriented programming language, which includes
modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python
supports interfaces to many system calls and libraries, as well as to various windowing systems.

Security Fix(es):  

  * expat: libexpat in Expat allows attackers to trigger large dynamic memory allocations via a
small document that is submitted for parsing (CVE-2025-59375)
  * python: Quadratic complexity in os.path.expandvars() with user-controlled template
(CVE-2025-6075)
  * cpython: Out-of-memory when loading Plist (CVE-2025-13837)
  * cpython: Header injection via newlines in data URL mediatype in Python (CVE-2025-15282)
  * cpython: Header injection in http.cookies.Morsel in Python (CVE-2026-0672)
  * cpython: CPython: Logging Bypass in Legacy .pyc File Handling (CVE-2026-2297)
  * cpython: Incomplete control character validation in http.cookies (CVE-2026-3644)
  * cpython: Stack overflow parsing XML with deeply nested DTD content models (CVE-2026-4224)
  * python: Python: Command-line option injection in webbrowser.open() via crafted URLs
(CVE-2026-4519)
  * python: Python: HTTP header injection via CR/LF in proxy tunnel headers (CVE-2026-1502)
  * python: Python: Arbitrary code execution or information disclosure via use-after-free in
decompression modules (CVE-2026-6100)
  * python: cpython: Python: Arbitrary code execution via command injection in webbrowser.open()
API (CVE-2026-4786)


For more details about the security issue(s), including the impact, a CVSS score, acknowledgments,
and other related information, refer to the CVE page(s) listed in the References section.


Full details, updated packages, references, and other related information:
https://errata.almalinux.org/10/ALSA-2026-19064.html

This message is automatically generated, please don’t reply. For further questions, please, contact
us via the AlmaLinux community chat: https://chat.almalinux.org/.
Want to change your notification settings? Sign in and manage mailing lists on
https://lists.almalinux.org.

Kind regards,
AlmaLinux Team
_______________________________________________
Announce mailing list -- announce@lists.almalinux.org
To unsubscribe send an email to announce-leave@lists.almalinux.org
to post comments


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds