Release date:
2026-06-15 14:54:20 UTC
Description:
* SECURITY UPDATE: imaplib.IMAP4._command() concatenated each command
argument into the wire-level command without inspecting it, so a
caller passing user-controlled text could inject additional IMAP
commands using CR/LF or other control characters.
- debian/patches/CVE-2025-15366.patch: backport of cpython
6262704b (gh-143921, Seth Larson). Adds a module-level
_control_chars regex and rejects any byte in [\x00-\x1F\x7F] with
ValueError before concatenating each argument. Upstream-main-only
fix; mirrors Red Hat's python3-3.6.8-21.el7_9.4 (RHSA-2026:6464).
- CVE-2025-15366
* SECURITY UPDATE: poplib.POP3._putcmd() encoded its argument and sent
it to the server without inspecting it, allowing the same command
injection via user() / pass_() / apop() / rpop() / top().
- debian/patches/CVE-2025-15367.patch: backport of cpython
b234a2b6 (gh-143923, Seth Larson). Rejects any byte in
[\x00-\x1F\x7F] with ValueError before sending. Upstream-main-only
fix; mirrors Red Hat's python3-3.6.8-21.el7_9.4 (RHSA-2026:6464).
- CVE-2025-15367
Updated packages:
-
alt-python36_3.6.15-38_amd64.deb
sha:b51745ce801e9febc37c36f2f9985f9d150adc50
-
alt-python36-debug_3.6.15-38_amd64.deb
sha:8e15ad072487659e0e21c0241f91b3cfd94300c7
-
alt-python36-devel_3.6.15-38_amd64.deb
sha:c8dc95c686a749adc4eeae50c0ecde9a113b025a
-
alt-python36-libs_3.6.15-38_amd64.deb
sha:3414ebb2a75c57c9e5fbb6158f7a9d29e9f8f015
-
alt-python36-test_3.6.15-38_amd64.deb
sha:b7406351ffda8a0caa7da02f1969827b950462dc
-
alt-python36-tkinter_3.6.15-38_amd64.deb
sha:5e359f1330771d9f6644a203dc303ee52fc719d9
-
alt-python36-tools_3.6.15-38_amd64.deb
sha:8f0c73128e3f3b422cb0d4d0f01852e3fd893d05
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections please contact the
CloudLinux Packaging Team.