Release date:
2026-06-24 10:51:03 UTC
Description:
* SECURITY UPDATE: a bz2.BZ2Decompressor could be reused after a libbz2
decompression error. Re-entering BZ2_bzDecompress() once libbz2 had
reported an error could write past the end of a stack buffer
(CWE-121, possible stack buffer overflow).
- debian/patches/CVE-2026-9669.patch: backport of cpython
5755d0f0 (gh-150599, Stan Ulbrych). Records the libbz2 error in a
new bzerror field, clears needs_input on the error path, and makes
decompress() raise ValueError ("Decompressor is unusable after a
previous error") on any subsequent call. Adapted to 3.6: plain
needs_input reset (no free-threading atomics) and the existing
ACQUIRE_LOCK/RELEASE_LOCK wrappers; NEWS.d fragment omitted as
3.6.15 ships a single Misc/NEWS.
- CVE-2026-9669
Updated packages:
-
alt-python36_3.6.15-39_amd64.deb
sha:d170b1acd027725eb2d07bba840ee079e1d1e0bf
-
alt-python36-debug_3.6.15-39_amd64.deb
sha:ef55104f9a074b1bcd47238ab2e5f1e6cdb965ad
-
alt-python36-devel_3.6.15-39_amd64.deb
sha:1a2ba32095bf43f603292c9c1d2a2a4aa5522e52
-
alt-python36-libs_3.6.15-39_amd64.deb
sha:f37e45127829748218869a3c508900dc44fcf23e
-
alt-python36-test_3.6.15-39_amd64.deb
sha:89f52b766e87c6c70880bcd7ceab14eaf0e78677
-
alt-python36-tkinter_3.6.15-39_amd64.deb
sha:c3ae773d9d883a3ee1c2dbefc769ddd0f8087e28
-
alt-python36-tools_3.6.15-39_amd64.deb
sha:82754a7e79479b89f1626cc7641bf36299a825a2
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections please contact the
CloudLinux Packaging Team.