[CLSA-2026:1781101388] alt-python27: Fix of 2 CVEs
Type:
security
Severity:
Important
Release date:
2026-06-10 14:23:34 UTC
Description:
- CVE-2025-15366: imaplib.IMAP4._command() concatenated each argument into the wire-level command without inspecting it, so user-controlled text (e.g. a username passed to IMAP4.login()) containing CR/LF or other control characters could inject a second IMAP command. A module-level _control_chars regex and a guard in _command() now reject any argument containing a byte in [\x00-\x1F\x7F] with ValueError before concatenation.
- CVE-2025-15367: poplib.POP3._putcmd() sent its argument to the server without inspecting it, so user-controlled text passed to user()/pass_()/apop()/rpop()/top() could inject a second POP3 command. _putcmd() now rejects any argument containing a byte in [\x00-\x1F\x7F] with ValueError before sending.
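
A caller-side check that mirrors the guards described above, together with an offline probe that reports whether the running interpreter's imaplib and poplib already carry them. This is an added example, not code from the advisory or from the CloudLinux patch; check_arg, stdlib_guard_status and _OfflinePOP3 are hypothetical names, and the probe assumes the internal POP3._putline method and _debugging attribute.

```python
import imaplib
import poplib
import re

# Byte class the advisory says the fixed modules reject: C0 controls and DEL.
CONTROL_CHARS = re.compile(r'[\x00-\x1f\x7f]')


def check_arg(arg):
    """Return arg unchanged; raise ValueError if it holds a control character."""
    # Decode bytes as latin-1 so every byte maps to one code point.
    text = arg.decode('latin-1') if isinstance(arg, bytes) else arg
    match = CONTROL_CHARS.search(text)
    if match:
        raise ValueError('control character %r at offset %d'
                         % (match.group(), match.start()))
    return arg


class _OfflinePOP3(poplib.POP3):
    """POP3 object that never opens a socket; it records what would be sent."""

    def __init__(self):
        self._debugging = 0   # assumption: internal attribute read by _putcmd()
        self.sent = []

    def _putline(self, line):
        self.sent.append(line)


def stdlib_guard_status():
    """Report whether this interpreter's imaplib/poplib carry the guards."""
    probe = _OfflinePOP3()
    try:
        probe._putcmd('NOOP\r\nNOOP')   # constructed probe, stays in memory
        pop_guarded = False
    except ValueError:
        pop_guarded = True
    # The advisory names a module-level _control_chars regex in fixed imaplib.
    return {'imaplib': hasattr(imaplib, '_control_chars'),
            'poplib': pop_guarded}


if __name__ == '__main__':
    print(stdlib_guard_status())
```

Calling check_arg() on usernames, passwords and mailbox names before they reach login(), user() or pass_() gives the same rejection on hosts where the updated package is not yet installed.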
Updated packages:
  • alt-python27-2.7.18-34.el7.x86_64.rpm
    sha:77a5e331b93255f67bb56b1a0ccc3a66a983240678fe5cb989b114f07b8df3ff
  • alt-python27-debug-2.7.18-34.el7.x86_64.rpm
    sha:702b2bb6c9e3f3f58c53b1f1a5c2f8c90ff396b81ae43c0657796b18748488d6
  • alt-python27-devel-2.7.18-34.el7.x86_64.rpm
    sha:73678416a45f62fe00b5c49a7cd89c4aafc7767c7d64c9d1bd3c91dd5d3f84d0
  • alt-python27-libs-2.7.18-34.el7.x86_64.rpm
    sha:ddc523a88dcfa1a3e3840b9914bbf77ed0920dec164735746f7b79f2a535e4c8
  • alt-python27-test-2.7.18-34.el7.x86_64.rpm
    sha:eb221bdba0f834a5d2e2832c41f2e18433eeb1d6818e63d49634baeb2a8bf6cd
  • alt-python27-tkinter-2.7.18-34.el7.x86_64.rpm
    sha:f6015fba4f0737c9699cf103e4e9f3ac3501b4817730430361415af7f93b4657
  • alt-python27-tools-2.7.18-34.el7.x86_64.rpm
    sha:6219e08dc97b2238efdef17f6e162daf1bfe162cb02a5c409f6cef40fa0a154c
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.