[CLSA-2026:1781252690] python: Fix of CVE-2026-7210
Type: security
Severity: Critical
Release date: 2026-06-12 08:25:13 UTC
Description:
- CVE-2026-7210: seed Expat's hash-flooding protection with a full 16 bytes (128 bits) of entropy via XML_SetHashSalt16Bytes() when the loaded libexpat provides it (detected via a weak symbol), instead of the brute-forceable 8-byte XML_SetHashSalt(). The pyexpat CAPI gains a SetHashSalt16Bytes pointer appended at the end of the struct (capsule magic unchanged), and _Py_HashSecret_t gains a 16-byte hashsalt16 field. Both call sites fall back to the legacy 8-byte API when the salt is all zeros (hash randomization off, the default), so Expat keeps self-seeding. The fix is paired with the libexpat CVE-2026-41080 backport that exports the symbol, and requires expat >= 2.1.0-15.0.7.el7_9.tuxcare.els3, the release shipping it.
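The selection logic described above (weak-symbol detection, then fallback to the 8-byte API when the symbol is missing or the salt is all zeros), as an added example that is not the patch or any CPython/libexpat code. The prototype given for XML_SetHashSalt16Bytes() is an assumption, and demo_parser, demo_set_salt8, demo_set_salt16 and seed_parser are hypothetical names so the block builds without libexpat.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for an Expat parser: records which salt API seeded it. */
typedef struct { int api_bytes; unsigned long salt8; unsigned char salt16[16]; } demo_parser;

/* ASSUMED signature: the advisory names XML_SetHashSalt16Bytes() but not its
 * prototype. Declared weak, so the address is NULL when no loaded library
 * exports the symbol and a build made against a newer header still runs. */
typedef int (*set_salt16_fn)(demo_parser *, const unsigned char *);
extern int XML_SetHashSalt16Bytes(demo_parser *, const unsigned char *)
    __attribute__((weak));

/* Hypothetical stand-ins for the legacy 8-byte setter and the new 16-byte one. */
static int demo_set_salt8(demo_parser *p, unsigned long salt) {
    p->api_bytes = 8; p->salt8 = salt; return 1;
}
static int demo_set_salt16(demo_parser *p, const unsigned char *salt) {
    p->api_bytes = 16; memcpy(p->salt16, salt, 16); return 1;
}

/* OR all bytes together so the check does not branch on salt contents. */
static int salt_is_zero(const unsigned char *salt, size_t n) {
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++) acc |= salt[i];
    return acc == 0;
}

/* Returns how many salt bytes were handed to the parser: 16 or 8. */
int seed_parser(demo_parser *p, const unsigned char *salt16,
                unsigned long salt8, set_salt16_fn set16) {
    /* New path only if the symbol resolved AND randomization produced a salt. */
    if (set16 != NULL && !salt_is_zero(salt16, 16) && set16(p, salt16))
        return 16;
    /* Legacy path; with an all-zero salt the parser is left to self-seed. */
    demo_set_salt8(p, salt8);
    return 8;
}

/* 1 if the running process resolved the 16-byte setter, else 0. */
int loaded_lib_has_salt16(void) { return XML_SetHashSalt16Bytes != NULL; }

int main(void) {
    demo_parser p = {0};
    const unsigned char salt[16] = {0x5a, 1, 2, 3};  /* constructed sample */
    printf("symbol resolved: %d\n", loaded_lib_has_salt16());
    printf("seeded with %d bytes\n", seed_parser(&p, salt, 0, demo_set_salt16));
    return 0;
}
```

Built without libexpat, the weak reference resolves to NULL, which is the same state an updated python sees when the installed expat predates the required release.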
CVEs fixed:
Updated packages:
  • python-2.7.5-94.0.1.el7_9.tuxcare.els9.x86_64.rpm
    sha:3e069353b808ab50a1c5c3679bd9a48f75971d764f51704eb747161422870893
  • python-debug-2.7.5-94.0.1.el7_9.tuxcare.els9.x86_64.rpm
    sha:2d9f79968d7173e26538bef77ca0375e4941a827cd7d34b0714c881e57ec39bf
  • python-devel-2.7.5-94.0.1.el7_9.tuxcare.els9.x86_64.rpm
    sha:8774df532a6484d0c64fb7de9073f3f2321a3fb056a5502c0ecfd47ef3fff3d7
  • python-libs-2.7.5-94.0.1.el7_9.tuxcare.els9.i686.rpm
    sha:1ef6e0a70c9d957e78098ff3c927fdd088eaf8f802ee5e24fb213786c74794af
  • python-libs-2.7.5-94.0.1.el7_9.tuxcare.els9.x86_64.rpm
    sha:a094eeed4f26950807aad89b50a02dc2b98a7e0b17f05c88c0f44808ee70744a
  • python-test-2.7.5-94.0.1.el7_9.tuxcare.els9.x86_64.rpm
    sha:9bdd3c4b0fedf7c71e27a1859175faa253f11818969ef6b4a5a21f1f215a8cc2
  • python-tools-2.7.5-94.0.1.el7_9.tuxcare.els9.x86_64.rpm
    sha:1eb69aa5d4af487f823782acfdd7a51b3c6d6386e9b7d195ad7a45116367ef44
  • tkinter-2.7.5-94.0.1.el7_9.tuxcare.els9.x86_64.rpm
    sha:030c0bcfb31ce46515b0d4165952208ee7fa7f51916779685b2e3bb8e4aac0b2
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.