Release date:
2026-06-10 14:02:22 UTC
Description:
- CVE-2025-15366: imaplib.IMAP4._command() concatenated each argument
into the wire-level command without inspecting it, so user-controlled
text (e.g. a username passed to IMAP4.login()) containing CR/LF or
other control characters could inject a second IMAP command. A
module-level _control_chars regex and a guard in _command() now reject
any argument containing a byte in [\x00-\x1F\x7F] with ValueError
before concatenation.
- CVE-2025-15367: poplib.POP3._putcmd() sent its argument to the server
without inspecting it, so user-controlled text passed to
user()/pass_()/apop()/rpop()/top() could inject a second POP3 command.
_putcmd() now rejects any argument containing a byte in [\x00-\x1F\x7F]
with ValueError before sending.
Updated packages:
-
alt-python27-2.7.18-34.el8.x86_64.rpm
sha:c93971dfd1b1d47d540d730f1016eb433318a7a81c851778619b8912ee339e79
-
alt-python27-debug-2.7.18-34.el8.x86_64.rpm
sha:cbba139b2a30cd2994ea84d2d905bfdc070e0e63020fc75c565c15be06faca61
-
alt-python27-devel-2.7.18-34.el8.x86_64.rpm
sha:6b00d2c405f2c9e21d2bcb2722310e78cbef0b68329a750c1d55e61bc1ef2e9b
-
alt-python27-libs-2.7.18-34.el8.x86_64.rpm
sha:81379a9b75beb4a5953ff1888ffe8e19b853b68b63e3d5cc40823a0018cf51ff
-
alt-python27-test-2.7.18-34.el8.x86_64.rpm
sha:bf1b3883bd861dfce44bb182e7e8d60ba775562abe8a6f4e626dc8477b602960
-
alt-python27-tkinter-2.7.18-34.el8.x86_64.rpm
sha:d92522e245545d8619932685e5f3484f6d866a38359d4cb8274ef2b88649a7cc
-
alt-python27-tools-2.7.18-34.el8.x86_64.rpm
sha:dd0fe353bdfc4bc78f966a01b75df182d897e9455577840d7b75498ad6070c30
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections please contact the
CloudLinux Packaging Team.
