Release date:
2026-06-10 14:59:27 UTC
Description:
- CVE-2025-15366: imaplib.IMAP4._command() concatenated each argument
into the wire-level command without inspecting it, so user-controlled
text (e.g. a username passed to IMAP4.login()) containing CR/LF or
other control characters could inject a second IMAP command. A
module-level _control_chars regex and a guard in _command() now reject
any argument containing a byte in [\x00-\x1F\x7F] with ValueError
before concatenation.
- CVE-2025-15367: poplib.POP3._putcmd() sent its argument to the server
without inspecting it, so user-controlled text passed to
user()/pass_()/apop()/rpop()/top() could inject a second POP3 command.
_putcmd() now rejects any argument containing a byte in [\x00-\x1F\x7F]
with ValueError before sending.
Updated packages:
-
alt-python27-2.7.18-34.el9.x86_64.rpm
sha:7ff81ed7a853acbf55bfc9fe47c703e7a7db30dcd8099c42cfcfc133de50de09
-
alt-python27-debug-2.7.18-34.el9.x86_64.rpm
sha:53ff0b9bbfe8a74039d8b03cec58a253f3d3b0ef236aad5f45238a2aaa39f364
-
alt-python27-devel-2.7.18-34.el9.x86_64.rpm
sha:bcfc00f1282ccb19e5c185c328f7b7f373859a5ea3b15a8b1c5e271892d7461f
-
alt-python27-libs-2.7.18-34.el9.x86_64.rpm
sha:b47fd9354d7c36a4e3b911a901f7fa6a6fc423f043193415d4904c464506a8f9
-
alt-python27-test-2.7.18-34.el9.x86_64.rpm
sha:6d43d693266d77e70d564b9f76486d98c517bc7bb847c1d5fb595d72f354a577
-
alt-python27-tkinter-2.7.18-34.el9.x86_64.rpm
sha:9a29d69af34cf2f7c66bdbd4efb70cc08b7752e7c1593574acabad5345782c73
-
alt-python27-tools-2.7.18-34.el9.x86_64.rpm
sha:6202f9b3c9e11d2c0a7f4a63c82bab783e6e3dc4bbe1324a50c08ba6443d0a73
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections please contact the
CloudLinux Packaging Team.
