[CLSA-2026:1781102094] Fix CVE(s): CVE-2025-15366, CVE-2025-15367
Type:
security
Severity:
Important
Release date:
2026-06-10 14:35:30 UTC
Description:
* SECURITY UPDATE: command injection via control characters in imaplib - debian/patches/CVE-2025-15366-CVE-2025-15367.patch: backport of cpython 6262704b (gh-143921, Seth Michael Larson). imaplib.IMAP4._command() concatenated each argument into the wire-level command without inspecting it, so user-controlled text (e.g. a username passed to IMAP4.login()) containing CR/LF or other control characters could inject a second IMAP command. Adds a module-level _control_chars regex to Lib/imaplib.py and a guard in _command() that rejects any argument containing a byte in [\x00-\x1F\x7F] with ValueError before concatenation. Adds a test_control_characters regression test to Lib/test/test_imaplib.py. - CVE-2025-15366 * SECURITY UPDATE: command injection via control characters in poplib - debian/patches/CVE-2025-15366-CVE-2025-15367.patch: backport of cpython b234a2b6 (gh-143923, Seth Michael Larson). poplib.POP3._putcmd() sent its argument to the server without inspecting it, so user-controlled text passed to user()/pass_()/apop()/rpop()/top() could inject a second POP3 command. Adds a guard in _putcmd() (Lib/poplib.py) that rejects any argument containing a byte in [\x00-\x1F\x7F] with ValueError before sending. Adds a test_control_characters regression test to Lib/test/test_poplib.py. - CVE-2025-15367
CVEs fixed:
Updated packages:
  • alt-python27_2.7.18-21_amd64.deb
    sha:d88b317bfd4564da3da9036cf25357c5937e5c14
  • alt-python27-debug_2.7.18-21_amd64.deb
    sha:cbeda932870d67dd1ec09f2556c93689056e1df5
  • alt-python27-devel_2.7.18-21_amd64.deb
    sha:fc2e99188da863fe79ca59215f41e85152ab37f4
  • alt-python27-idle_2.7.18-21_amd64.deb
    sha:6d67e729a427a2671716e06e4f18ebc374d4ab75
  • alt-python27-libs_2.7.18-21_amd64.deb
    sha:96d070f6180cba69e7c0a5a1f52a97272c167d2b
  • alt-python27-test_2.7.18-21_amd64.deb
    sha:a307d0a12607a68ec671ec38ca5aa1935964b647
  • alt-python27-tkinter_2.7.18-21_amd64.deb
    sha:0645da14a26d179045abc5375bd2039d11c23d12
  • alt-python27-tools_2.7.18-21_amd64.deb
    sha:e132bfa3b3d42a95ec94a96358814fca984a004a
  • alt-python27_2.7.18-21_arm64.deb
    sha:68202e61679ee8b34c296b47525a90a3f294c6a4
  • alt-python27-debug_2.7.18-21_arm64.deb
    sha:1e08da6e1db37d62067c07904276803e954e47f4
  • alt-python27-devel_2.7.18-21_arm64.deb
    sha:33b95f5c39a891b8f9a26cced04316ddd794c0de
  • alt-python27-idle_2.7.18-21_arm64.deb
    sha:f34de0c487df14862a03deee510767de8937147a
  • alt-python27-libs_2.7.18-21_arm64.deb
    sha:35aec6cef87325a99e6396b10e4dbbd3279c2005
  • alt-python27-test_2.7.18-21_arm64.deb
    sha:48e7d35d170ebe37709723251b96be60ba2f96e6
  • alt-python27-tkinter_2.7.18-21_arm64.deb
    sha:8ed9b10d796a9237f49cff7ba59e3ef1403a606c
  • alt-python27-tools_2.7.18-21_arm64.deb
    sha:979d3836ac0603357f5f6f977cae5ad2d7957e2b
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.