[CLSA-2026:1781096259] Fix CVE(s): CVE-2025-15366, CVE-2025-15367
Type:
security
Severity:
Important
Release date:
2026-06-10 13:01:03 UTC
Description:
* SECURITY UPDATE: command injection via control characters in imaplib - debian/patches/CVE-2025-15366-CVE-2025-15367.patch: backport of cpython 6262704b (gh-143921, Seth Michael Larson). imaplib.IMAP4._command() concatenated each argument into the wire-level command without inspecting it, so user-controlled text (e.g. a username passed to IMAP4.login()) containing CR/LF or other control characters could inject a second IMAP command. Adds a module-level _control_chars regex to Lib/imaplib.py and a guard in _command() that rejects any argument containing a byte in [\x00-\x1F\x7F] with ValueError before concatenation. Adds a test_control_characters regression test to Lib/test/test_imaplib.py. - CVE-2025-15366 * SECURITY UPDATE: command injection via control characters in poplib - debian/patches/CVE-2025-15366-CVE-2025-15367.patch: backport of cpython b234a2b6 (gh-143923, Seth Michael Larson). poplib.POP3._putcmd() sent its argument to the server without inspecting it, so user-controlled text passed to user()/pass_()/apop()/rpop()/top() could inject a second POP3 command. Adds a guard in _putcmd() (Lib/poplib.py) that rejects any argument containing a byte in [\x00-\x1F\x7F] with ValueError before sending. Adds a test_control_characters regression test to Lib/test/test_poplib.py. - CVE-2025-15367
CVEs fixed:
Updated packages:
  • alt-python27_2.7.18-21_amd64.deb
    sha:85b4b2819f0590571125dffbf05fcdfd3e5fd5e3
  • alt-python27-debug_2.7.18-21_amd64.deb
    sha:5b7b9887a5ff177247f16167ac9e92f1f09e0749
  • alt-python27-devel_2.7.18-21_amd64.deb
    sha:c4d4280956535fb7b89724e25e841d3a2261d00c
  • alt-python27-idle_2.7.18-21_amd64.deb
    sha:6d67e729a427a2671716e06e4f18ebc374d4ab75
  • alt-python27-libs_2.7.18-21_amd64.deb
    sha:e9dade27ff1743a75c4484dff0b5b641c1d91e4f
  • alt-python27-test_2.7.18-21_amd64.deb
    sha:4a1fd450fc1b8ceeb4d561954be975fbdd446885
  • alt-python27-tkinter_2.7.18-21_amd64.deb
    sha:d15f79f0f8fbbb0664e1ab0e4652a025f14f420f
  • alt-python27-tools_2.7.18-21_amd64.deb
    sha:e132bfa3b3d42a95ec94a96358814fca984a004a
  • alt-python27_2.7.18-21_arm64.deb
    sha:7fcabf33cfada91948d8f2dc2a7b9015f869afd9
  • alt-python27-debug_2.7.18-21_arm64.deb
    sha:aa26ae65122fff7a898988035433d2d60256a32d
  • alt-python27-devel_2.7.18-21_arm64.deb
    sha:53b7c5229d66b28cd8993ef4bc96efa1c17cf564
  • alt-python27-idle_2.7.18-21_arm64.deb
    sha:f34de0c487df14862a03deee510767de8937147a
  • alt-python27-libs_2.7.18-21_arm64.deb
    sha:d28f988a5674986dc4321418d098737c08221acf
  • alt-python27-test_2.7.18-21_arm64.deb
    sha:e8f9a5f7bd234a02b34892d217693ab7ee85a8e9
  • alt-python27-tkinter_2.7.18-21_arm64.deb
    sha:b4eb09a9712e90ba7bcc6bf83d04a19657bb4e33
  • alt-python27-tools_2.7.18-21_arm64.deb
    sha:979d3836ac0603357f5f6f977cae5ad2d7957e2b
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.