[CLSA-2026:1774960070] Fix CVE(s): CVE-2022-40897, CVE-2024-6345, CVE-2025-47273

Type:

security

Severity:

Important

Release date:

2026-03-31 12:27:55 UTC

Description:

   * SECURITY UPDATE: regex denial of service via crafted HTML
     - debian/patches/CVE-2022-40897.patch: limit whitespace matching in REL regex
     - CVE-2022-40897
   * SECURITY UPDATE: remote code execution via command injection in VCS downloads
     - debian/patches/CVE-2024-6345.patch: replace os.system with subprocess.check_call
     - CVE-2024-6345
   * SECURITY UPDATE: path traversal in download filename resolution
     - debian/patches/CVE-2025-47273.patch: validate download filename stays within tmpdir
     - CVE-2025-47273

Updated packages:

alt-python39-setuptools_58.3.0-2_all.deb
sha:aec086797a2b1870603dec7afdc873b2f61f5e2b
alt-python39-setuptools-wheel_58.3.0-2_all.deb
sha:a0c8239fcf4aeb24034ee0c4a02b1d00ee61b78a
alt-python39-setuptools_58.3.0-2_all.deb
sha:8fb3bbf1f6f7cc16e7ab57bd2a769bf2406b27a6
alt-python39-setuptools-wheel_58.3.0-2_all.deb
sha:a0c8239fcf4aeb24034ee0c4a02b1d00ee61b78a

Notes:

This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.