[CLSA-2026:1781170474] Fix CVE(s): CVE-2025-15366, CVE-2025-15367
Type:
security
Severity:
Important
Release date:
2026-06-11 09:36:25 UTC
Description:
* SECURITY UPDATE: imaplib.IMAP4._command() concatenated each argument into the wire command without validation, so an argument embedding CR/LF (or any other C0 control / DEL byte) could inject a second IMAP command. - debian/patches/CVE-2025-15366.patch: backport of cpython 6262704b13 (gh-143921). Adds the _control_chars [\x00-\x1F\x7F] regex and raises ValueError in _command() before appending an offending argument. - CVE-2025-15366 * SECURITY UPDATE: poplib.POP3._putcmd() wrote its argument to the POP3 socket without validation, allowing the same CR/LF command-injection via the POP3 command API. - debian/patches/CVE-2025-15367.patch: backport of cpython b234a2b675 (gh-143923). Rejects lines matching [\x00-\x1F\x7F] with ValueError in _putcmd() before they are written. - CVE-2025-15367
CVEs fixed:
Updated packages:
  • alt-python38_3.8.20-20_amd64.deb
    sha:273b43aa2ec84ef4ad7d0acdcd6cfd120c01810f
  • alt-python38-debug_3.8.20-20_amd64.deb
    sha:b9e72db9159b1a1b38280d5676d822304385edf3
  • alt-python38-devel_3.8.20-20_amd64.deb
    sha:8ccae8a3203913af77e84b2fbd9e62403ba1807b
  • alt-python38-idle_3.8.20-20_amd64.deb
    sha:17dc1479eda3ba87af5ab5d23b4403121188c710
  • alt-python38-libs_3.8.20-20_amd64.deb
    sha:b6dd85e9f61d9213670cede2e8bc6021c635ee42
  • alt-python38-test_3.8.20-20_amd64.deb
    sha:46aaffb32623734893eb21d0c67d8c12d9827a1c
  • alt-python38-tkinter_3.8.20-20_amd64.deb
    sha:6a7a5c203f06751e508839e1e63324a7feff43ae
  • alt-python38_3.8.20-20_arm64.deb
    sha:51d56b2c2319f8c2940a0a5a70715768b629dde2
  • alt-python38-debug_3.8.20-20_arm64.deb
    sha:175de31c81dd13cfef87b05522a2ed5100473a6f
  • alt-python38-devel_3.8.20-20_arm64.deb
    sha:ce93ddc874824573a8cd5f41a112e0fba17b6390
  • alt-python38-idle_3.8.20-20_arm64.deb
    sha:eb3240453c749737bd895c92f432fcea3190891a
  • alt-python38-libs_3.8.20-20_arm64.deb
    sha:034d2e6f5eef2f6c31c0dc9a538641672f6cd5d0
  • alt-python38-test_3.8.20-20_arm64.deb
    sha:8b7e44b54b3c4acefdab6641daa71591b47904df
  • alt-python38-tkinter_3.8.20-20_arm64.deb
    sha:f30781f1aa746c3c0889a79864fbad5ce6dd4a3c
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.