[CLSA-2026:1783952046] python: Fix of CVE-2026-7210
Type:
security
Severity:
Important
Release date:
2026-07-13 19:55:00 UTC
Description:
- CVE-2026-7210: seed Expat's hash-flooding protection with a full 16 bytes (128 bits) of entropy via XML_SetHashSalt16Bytes() when the loaded libexpat provides it (detected via a weak symbol), instead of the brute-forceable 8-byte XML_SetHashSalt(); the pyexpat CAPI gains a SetHashSalt16Bytes pointer appended at the end of the struct (capsule magic unchanged) and _Py_HashSecret_t gains a 16-byte hashsalt16 field. Both call sites fall back to the legacy 8-byte API when the salt is all zeros (hash randomization off, the default) so Expat keeps self-seeding. Paired with the libexpat CVE-2026-41080 backport that exports the symbol; requires expat >= 2.1.0-15.0.7.el7_9.tuxcare.els3, the release shipping it
CVEs fixed:
Updated packages:
  • python-2.7.5-94.0.1.el7_9.tuxcare.els9.x86_64.rpm
    sha:ec065f8a04895fde752785837e8add3a150e225878f9862eb05ac429973d4034
  • python-debug-2.7.5-94.0.1.el7_9.tuxcare.els9.x86_64.rpm
    sha:6aa0e9740afbcd7bbd6f1fb150aeb49e83db7481f8975fdab5927e6a7e935d9e
  • python-devel-2.7.5-94.0.1.el7_9.tuxcare.els9.x86_64.rpm
    sha:5383ddbc9042f0858cac69446cd886bd2a1cec38e278c6b512aa0797b42dcc23
  • python-libs-2.7.5-94.0.1.el7_9.tuxcare.els9.i686.rpm
    sha:a219e68ab8d785d9f8aad9f16623e33bc10003fd9fd961b56319cdc812f74dea
  • python-libs-2.7.5-94.0.1.el7_9.tuxcare.els9.x86_64.rpm
    sha:8e312766b0054d79c08cb1feb8c3cf2da7cc5c58cc0199786b15bb4dcef686cf
  • python-test-2.7.5-94.0.1.el7_9.tuxcare.els9.x86_64.rpm
    sha:49951672454a6e5987c8410b186cfb36aa4643c6cab18e0adab4ee7b9175007a
  • python-tools-2.7.5-94.0.1.el7_9.tuxcare.els9.x86_64.rpm
    sha:53cae7d02752338ee7d8ecf9c607be33466af4881640e6a00a2e9a566b95d84c
  • tkinter-2.7.5-94.0.1.el7_9.tuxcare.els9.x86_64.rpm
    sha:88b17c11f9606dba2f38bea9e78643868b8be78635779e87abe6679691f19e27
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.