Release date:
2026-07-13 19:55:00 UTC
Description:
- CVE-2026-7210: seed Expat's hash-flooding protection with a full 16 bytes
(128 bits) of entropy via XML_SetHashSalt16Bytes() when the loaded libexpat
provides it (detected via a weak symbol), instead of the brute-forceable
8-byte XML_SetHashSalt(); the pyexpat CAPI gains a SetHashSalt16Bytes
pointer appended at the end of the struct (capsule magic unchanged) and
_Py_HashSecret_t gains a 16-byte hashsalt16 field. Both call sites fall back
to the legacy 8-byte API when the salt is all zeros (hash randomization off,
the default) so Expat keeps self-seeding. Paired with the libexpat
CVE-2026-41080 backport that exports the symbol; requires
expat >= 2.1.0-15.0.7.el7_9.tuxcare.els3, the release shipping it
Updated packages:
-
python-2.7.5-94.0.1.el7_9.tuxcare.els9.x86_64.rpm
sha:ec065f8a04895fde752785837e8add3a150e225878f9862eb05ac429973d4034
-
python-debug-2.7.5-94.0.1.el7_9.tuxcare.els9.x86_64.rpm
sha:6aa0e9740afbcd7bbd6f1fb150aeb49e83db7481f8975fdab5927e6a7e935d9e
-
python-devel-2.7.5-94.0.1.el7_9.tuxcare.els9.x86_64.rpm
sha:5383ddbc9042f0858cac69446cd886bd2a1cec38e278c6b512aa0797b42dcc23
-
python-libs-2.7.5-94.0.1.el7_9.tuxcare.els9.i686.rpm
sha:a219e68ab8d785d9f8aad9f16623e33bc10003fd9fd961b56319cdc812f74dea
-
python-libs-2.7.5-94.0.1.el7_9.tuxcare.els9.x86_64.rpm
sha:8e312766b0054d79c08cb1feb8c3cf2da7cc5c58cc0199786b15bb4dcef686cf
-
python-test-2.7.5-94.0.1.el7_9.tuxcare.els9.x86_64.rpm
sha:49951672454a6e5987c8410b186cfb36aa4643c6cab18e0adab4ee7b9175007a
-
python-tools-2.7.5-94.0.1.el7_9.tuxcare.els9.x86_64.rpm
sha:53cae7d02752338ee7d8ecf9c607be33466af4881640e6a00a2e9a566b95d84c
-
tkinter-2.7.5-94.0.1.el7_9.tuxcare.els9.x86_64.rpm
sha:88b17c11f9606dba2f38bea9e78643868b8be78635779e87abe6679691f19e27
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections please contact the
CloudLinux Packaging Team.