Tuxcare Errata System 0.0.1 5.10 2026-06-10T12:31:32 Community Enterprise Operating System 10 - CVE-2021-3737: stop reading a header if it's too long - CVE-2019-20907: avoid infinite loop in the tarfile module - Build and testing fixes in spec Important TuxCare License Agreement CVE-2021-3737 CVE-2019-20907 cpe:/o:centos:centos:10 Community Enterprise Operating System 10 - CVE-2020-26116: prevent http header injection in httplib Important TuxCare License Agreement CVE-2020-26116 CVE-2020-8492 cpe:/o:centos:centos:10 Community Enterprise Operating System 10 - Fix CVE-2024-12718, CVE-2025-4138, CVE-2025-4330, CVE-2025-4435, CVE-2025-4517: fix multiple tarfile extraction filter bypasses (filter="tar"/filter="data") - fix test_tarfile.py Important TuxCare License Agreement CVE-2025-4435 CVE-2025-4330 CVE-2024-12718 CVE-2025-4517 CVE-2025-4138 cpe:/o:centos:centos:10 Community Enterprise Operating System 10 - CVE-2025-13837: fix memory denial of service in plistlib Moderate TuxCare License Agreement CVE-2025-13837 cpe:/o:centos:centos:10 Community Enterprise Operating System 10 - CVE-2015-20107: mailcap: sanitize the second argument which allowing shell commands injection Important TuxCare License Agreement CVE-2015-20107 cpe:/o:centos:centos:10 Community Enterprise Operating System 10 - CVE-2015-20107: sanitize the second argument, which allows shell command injection in the mailcap module Important TuxCare License Agreement CVE-2015-20107 cpe:/o:centos:centos:10 Community Enterprise Operating System 10 - CVE-2025-12084: remove quadratic behavior in xml.minidom node ID cache clearing Moderate TuxCare License Agreement CVE-2025-12084 cpe:/o:centos:centos:10 Community Enterprise Operating System 10 - CVE-2025-6075: fix quadratic complexity in os.path.expandvars() Moderate TuxCare License Agreement CVE-2025-6075 cpe:/o:centos:centos:10 Community Enterprise Operating System 10 - CVE-2025-8194: tarfile: validate archives to ensure member offsets are non-negative Important TuxCare License Agreement CVE-2025-8194 cpe:/o:centos:centos:10 Community Enterprise Operating System 10 - CVE-2025-8194: tarfile: validate archives to ensure member offsets are non-negative Important TuxCare License Agreement CVE-2025-8194 cpe:/o:centos:centos:10 Community Enterprise Operating System 10 - CVE-2025-6075: fix quadratic complexity in os.path.expandvars() Moderate TuxCare License Agreement CVE-2025-6075 cpe:/o:centos:centos:10 Community Enterprise Operating System 10 - CVE-2026-4519: reject leading dashes in webbrowser.open() URLs to prevent command-line option injection in browser subprocesses Low TuxCare License Agreement CVE-2026-4519 cpe:/o:centos:centos:10 Community Enterprise Operating System 10 - CVE-2026-4519: reject leading dashes in webbrowser.open() URLs to prevent command-line option injection in browser subprocesses Important TuxCare License Agreement CVE-2026-4519 cpe:/o:centos:centos:10 Community Enterprise Operating System 10 - CVE-2024-0450: zipfile raises BadZipFile on quoted-overlap archive entries to prevent high-ratio zip bombs - CVE-2026-6100: use-after-free in lzma/bz2 decompressors when a MemoryError leaves a stale next_in pointer on a re-used decompressor Critical TuxCare License Agreement CVE-2026-6100 CVE-2024-0450 cpe:/o:centos:centos:10 Community Enterprise Operating System 10 - CVE-2026-6100: NULL bzs->next_in in error paths in BZ2Decomp_decompress. Critical TuxCare License Agreement CVE-2026-6100 CVE-2020-27619 CVE-2024-0450 CVE-2021-3177 CVE-2021-4189 cpe:/o:centos:centos:10 Community Enterprise Operating System 10 - CVE-2026-1299: email.Generator now rejects header *values* containing CR/LF that are not followed by folding whitespace by raising HeaderWriteError. In Python 2.7 (which lacks BytesGenerator) this single Generator-class hardening covers both upstream CVE-2026-1299 and CVE-2024-6923. - CVE-2024-6923: email.Generator now rejects header *names* containing CR/LF that are not followed by folding whitespace by raising HeaderWriteError, preventing header injection through the header name. - CVE-2024-0397: ssl.SSLContext.cert_store_stats and get_ca_certs now deep-copy the X509_STORE under X509_STORE_lock (via a backport of OpenSSL 3.3's X509_STORE_get1_objects), fixing a memory race when an SSLContext is shared across threads. - CVE-2021-28861: BaseHTTPServer now collapses any leading run of '/' in the request path to a single '/' to prevent an open-redirect via //evil.example/... URIs in 301 Location headers. Important TuxCare License Agreement CVE-2024-6923 CVE-2021-28861 CVE-2024-0397 CVE-2026-1299 cpe:/o:centos:centos:10 Community Enterprise Operating System 10 - CVE-2026-1299: email.BytesGenerator now refuses to serialize headers that are unsafely folded or contain unfolded newlines, closing a header-injection bypass of CVE-2024-6923 (also includes the CVE-2024-6923 prerequisite hardening of the string Generator) - CVE-2024-0397: ssl.SSLContext.cert_store_stats() and get_ca_certs() now correctly lock the certificate store via a backported X509_STORE_get1_objects shim, fixing a memory race when an SSLContext is shared across threads - CVE-2024-4032: ipaddress is_private/is_global now classify addresses per the IANA special-purpose registries (192.0.0.0/24 with 192.0.0.9 and 192.0.0.10 exceptions, 64:ff9b:1::/48, 2002::/16, and the 2001::/23 sub-range exceptions) Important TuxCare License Agreement CVE-2024-4032 CVE-2024-0397 CVE-2026-1299 cpe:/o:centos:centos:10 Community Enterprise Operating System 10 - CVE-2026-3446: binascii.a2b_base64 / base64.b64decode no longer abort the decoder loop on the first padded quad. The pad character is treated as non-alphabet data per RFC 4648 section 3.3, so excess data after the padding is decoded instead of being silently dropped. Moderate TuxCare License Agreement CVE-2026-3446 cpe:/o:centos:centos:10 Community Enterprise Operating System 10 - CVE-2026-3446: binascii.a2b_base64 / base64.b64decode no longer abort the decoder loop on the first padded quad. The pad character is treated as non-alphabet data per RFC 4648 section 3.3, so excess data after the padding is decoded instead of being silently dropped. Moderate TuxCare License Agreement CVE-2026-3446 cpe:/o:centos:centos:10 Community Enterprise Operating System 10 - CVE-2025-15282: urllib.request.DataHandler accepted data: URLs whose mediatype contained C0 control characters, allowing newline-based HTTP header injection downstream. Reject control characters in data_open(). - CVE-2026-0672: http.cookies.Morsel did not reject control characters in keys, values, or coded_value, allowing cookie injection via __setitem__, setdefault, set, and BaseCookie.output. Add a _has_control_character helper and validate in those entry points and BaseCookie.OutputString. - CVE-2026-3644: the CVE-2026-0672 fix was incomplete; control characters could still bypass via Morsel.update(), |=, __setstate__, and BaseCookie.js_output(). Validate those entry points too and re-validate the assembled output string in js_output(). - CVE-2026-4224: Modules/pyexpat.c conv_content_model could overflow the C stack when an Expat parser with a registered ElementDeclHandler parsed a deeply nested DTD content model, causing a denial-of-service. Wrap conv_content_model with Py_EnterRecursiveCall so deep nesting raises RecursionError instead of crashing. Moderate TuxCare License Agreement CVE-2025-15282 CVE-2026-3644 CVE-2026-4224 CVE-2026-0672 cpe:/o:centos:centos:10 Community Enterprise Operating System 10 - CVE-2026-4224: Modules/pyexpat.c conv_content_model could overflow the C stack when an Expat parser with a registered ElementDeclHandler parsed a deeply nested DTD content model, causing a denial-of-service. Wrap conv_content_model with Py_EnterRecursiveCall so deep nesting raises RuntimeError instead of crashing. - CVE-2026-0672 + CVE-2026-3644: Lib/Cookie.py Morsel accepted control characters in reserved-attribute values, in key/value/coded_value via .set(), and via the inherited dict.update() / pickle restoration paths, allowing newline-based HTTP header injection via Set-Cookie. Add a _has_control_character helper and validate at Morsel.__setitem__, .setdefault, .set, an explicit .update, an explicit .__setstate__, plus re-validate the assembled output in Morsel.js_output and BaseCookie.output (defence-in-depth against direct attribute mutation). The py3 __ior__ hunk is not ported (py2 dict has no `|=` operator). Moderate TuxCare License Agreement CVE-2026-3644 CVE-2026-4224 CVE-2026-0672 cpe:/o:centos:centos:10 Community Enterprise Operating System 10 - CVE-2026-7210 + CVE-2026-41080 (paired): backport libexpat 16-byte salt API (XML_SetHashSalt16Bytes) into bundled expat 2.4.1 and wire pyexpat/_elementtree to use it. Together these restore proper hash-flood mitigation for xml.parsers.expat and xml.etree.ElementTree. CVE-2026-7210 (cpython 24b8f12): xml.parsers.expat and xml.etree.ElementTree used insufficient entropy (a single Py_hash_t) for Expat hash-flooding protection. The cpython half of the fix seeds the parser with the full 16-byte _Py_HashSecret.expat.hashsalt16 via XML_SetHashSalt16Bytes when the libexpat being linked exposes that API. CVE-2026-41080 (libexpat PR #1183): libexpat's hash-flood protection itself only used 4-8 bytes of entropy for the SipHash salt. The libexpat half adds the new XML_SetHashSalt16Bytes API (and widens the parser's internal salt storage to a full struct sipkey) so the 16-byte path is available. Backported into the bundled libexpat 2.4.1 tree in Modules/expat/; the bundled expat.h now also defines XML_HAS_HASHSALT16BYTES_BACKPORT so the cpython 20800 gate activates against the patched bundle without bumping the advertised libexpat version. Alpine builds use --with-system-expat and are unaffected by the libexpat backport. Critical TuxCare License Agreement CVE-2026-7210 cpe:/o:centos:centos:10 Community Enterprise Operating System 10 - CVE-2026-7210 + CVE-2026-41080 (paired): backport libexpat 16-byte salt API (XML_SetHashSalt16Bytes) into bundled expat 2.2.8 and wire pyexpat/_elementtree to use it. Together these restore proper hash-flood mitigation. * CVE-2026-7210 (cpython side, gh-149018 / 24b8f12): xml.parsers.expat and xml.etree.ElementTree used the legacy 8-byte XML_SetHashSalt API, which can be brute-forced to trigger hash collisions. Adds a hashsalt16[16] field to _Py_HashSecret_t in Include/object.h (seeded by _PyRandom_Init), exposes a NULL-able SetHashSalt16Bytes function pointer in the pyexpat CAPI struct, and prefers the new 16-byte API whenever XML_COMBINED_VERSION >= 20800. * CVE-2026-41080 (libexpat side, PR #1183): widens m_hash_secret_salt in the bundled libexpat 2.2.8 source tree (Modules/expat/) from `unsigned long` to a `struct sipkey` (128 bits) and adds the new public XML_SetHashSalt16Bytes() entry point. The bundled pyexpat.so / _elementtree.so are statically linked against this tree, so the cpython half can now consume full 16-byte entropy in every build configuration (no external libexpat >= 2.8.0 requirement). Critical TuxCare License Agreement CVE-2026-7210 cpe:/o:centos:centos:10 Community Enterprise Operating System 10 - CVE-2025-13462: tarfile applied AREGTYPE -> DIRTYPE normalization even during multi-block GNU long members (LONGNAME / LONGLINK), enabling a parsing differential. Thread a dircheck flag through frombuf / fromtarfile so normalization is skipped on follow-up headers. - CVE-2026-0865: wsgiref.headers.Headers did not reject control characters in header names / values, allowing HTTP header injection from WSGI applications. Combined backport: gh-143917 adds the control-char regex check, gh-143916 HTAB follow-up splits the check so HTAB is allowed in header values (RFC 9110 Section 5.5) but still rejected in header names; LF / CR / DEL remain rejected in both. gh-144370 also disallows control characters in status in wsgiref.handlers. - CVE-2026-1502: http.client did not reject CR/LF in HTTPConnection CONNECT tunnel host / headers, enabling request injection. Validate the tunnel host and per-header name / value in _tunnel(). - CVE-2026-6019: http.cookies.Morsel.js_output() emitted an inline <script> snippet that only escaped " and left </script> intact, enabling HTML injection. Base64-encode the cookie value in the emitted JavaScript (gh-90309). Moderate TuxCare License Agreement CVE-2025-4516 CVE-2025-13462 CVE-2026-1502 CVE-2024-50602 CVE-2024-11168 CVE-2026-0865 CVE-2025-8291 CVE-2025-6069 CVE-2025-1795 CVE-2025-0938 CVE-2026-6019 CVE-2025-11468 cpe:/o:centos:centos:10 Community Enterprise Operating System 10 - CVE-2025-15366: imaplib.IMAP4._command() concatenated each argument into the wire-level command without inspecting it, so user-controlled text (e.g. a username passed to IMAP4.login()) containing CR/LF or other control characters could inject a second IMAP command. A module-level _control_chars regex and a guard in _command() now reject any argument containing a byte in [\x00-\x1F\x7F] with ValueError before concatenation. - CVE-2025-15367: poplib.POP3._putcmd() sent its argument to the server without inspecting it, so user-controlled text passed to user()/pass_()/apop()/rpop()/top() could inject a second POP3 command. _putcmd() now rejects any argument containing a byte in [\x00-\x1F\x7F] with ValueError before sending. Important TuxCare License Agreement CVE-2025-15366 CVE-2025-15367 cpe:/o:centos:centos:10 alt-python27 alt-python27-debug alt-python27-devel alt-python27-libs alt-python27-test alt-python27-tkinter alt-python27-tools alt-python36 alt-python36-debug alt-python36-devel alt-python36-libs alt-python36-test alt-python36-tkinter alt-python36-tools x86_64 0:2.7.18-20.el10 d07bf2a08d50eb66 x86_64 0:2.7.18-21.el10 x86_64 0:3.6.15-13.el10 x86_64 0:3.6.15-16.el10 x86_64 0:2.7.18-22.el10 x86_64 0:3.6.15-17.el10 x86_64 0:2.7.18-23.el10 x86_64 0:3.6.15-18.el10 x86_64 0:3.6.15-19.el10 x86_64 0:2.7.18-24.el10 x86_64 0:2.7.18-25.el10 x86_64 0:3.6.15-20.el10 x86_64 0:2.7.18-27.el10 x86_64 0:3.6.15-21.el10 x86_64 0:2.7.18-29.el10 x86_64 0:2.7.18-30.el10 x86_64 0:3.6.15-22.el10 x86_64 0:3.6.15-23.el10 x86_64 0:2.7.18-31.el10 x86_64 0:3.6.15-24.el10 x86_64 0:2.7.18-32.el10 x86_64 0:3.6.15-25.el10 x86_64 0:2.7.18-33.el10 x86_64 0:3.6.15-28.el10 x86_64 0:2.7.18-34.el10