Release date:
2026-06-12 08:28:29 UTC
Description:
- CVE-2026-7210: seed Expat's hash-flooding protection with a full 16 bytes
(128 bits) of entropy via XML_SetHashSalt16Bytes() when the loaded libexpat
provides it (detected via a weak symbol), instead of the brute-forceable
8-byte XML_SetHashSalt(); the pyexpat CAPI gains a SetHashSalt16Bytes
pointer appended at the end of the struct (capsule magic unchanged) and
_Py_HashSecret_t gains a 16-byte hashsalt16 field. Both call sites fall back
to the legacy 8-byte API when the salt is all zeros (hash randomization off,
the default) so Expat keeps self-seeding. Paired with the libexpat
CVE-2026-41080 backport that exports the symbol; requires
expat >= 2.1.0-15.0.7.el7_9.tuxcare.els3, the release shipping it.
Updated packages:
- python-2.7.5-94.0.1.el7_9.tuxcare.els9.x86_64.rpm
  sha:51845675ea576ef3e1d561938b40827dc1507ccd6f85459dbff3d3d49ca811e6
- python-debug-2.7.5-94.0.1.el7_9.tuxcare.els9.x86_64.rpm
  sha:46ae6145aad905892f695d0fa226084718cab3957dbc21d451935192b32fd129
- python-devel-2.7.5-94.0.1.el7_9.tuxcare.els9.x86_64.rpm
  sha:0aca5bc01237778c655035b51086c6a476f4879d6e8809728b40a4db40a642e9
- python-libs-2.7.5-94.0.1.el7_9.tuxcare.els9.i686.rpm
  sha:4a5d00cf4d16d3054709fbb33aac28f2035c6589dc0660a278c8e1a3716cc187
- python-libs-2.7.5-94.0.1.el7_9.tuxcare.els9.x86_64.rpm
  sha:9facb28e6267d29b23e5641052435821881a87754b059eb4c0c8ceb52ea9ba55
- python-test-2.7.5-94.0.1.el7_9.tuxcare.els9.x86_64.rpm
  sha:5028427b30b7bb593a81ed12f9ced5fb784bf1c1558e64e1ce065b154319daf4
- python-tools-2.7.5-94.0.1.el7_9.tuxcare.els9.x86_64.rpm
  sha:5c1590c5176cb281abe4e0ab8e45db737d7996823efaa41cd70c660e188e8856
- tkinter-2.7.5-94.0.1.el7_9.tuxcare.els9.x86_64.rpm
  sha:6447a6cf6e5e2fdff3485b2d3ac3383fcc27b882d09003c702b3736d94dec1bc
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections please contact the CloudLinux Packaging Team.