[CLSA-2026:1779096552] Fix CVE(s): CVE-2025-13836, CVE-2026-4519
Type:
security
Severity:
Important
Release date:
2026-05-18 09:29:16 UTC
Description:
* SECURITY UPDATE: memory denial of service via attacker-controlled Content-Length in http.client
  - debian/patches/CVE-2025-13836.patch: rewrite Lib/http/client.py _safe_read to read large responses in geometrically-growing chunks bounded by _MIN_READ_BUF_SIZE (1 MiB), preventing OOM when a malicious server advertises a large Content-Length without sending matching data. Adapted from cpython 3.10 backport 5dc101675fd
  - CVE-2025-13836
* SECURITY UPDATE: command injection in webbrowser.open() via leading dash in URL
  - debian/patches/CVE-2026-4519.patch: add BaseBrowser._check_url static method that rejects URLs whose lstripped form starts with a dash, and call it at the start of every open() method in GenericBrowser, BackgroundBrowser, UnixBrowser, Konqueror, Grail, WindowsDefault, MacOSX, and MacOSXOSAScript. Adapted from cpython 3.10 backports ad4d5ba32af and 591ed890270; sys.audit() context lines absent in 3.7 (added in 3.8) so the check is inserted as the first statement of each open()
  - CVE-2026-4519
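An added illustration (not the patch itself and not CPython's code) of the bounded read strategy described for CVE-2025-13836: each read request is capped by the amount of data already received, so an advertised Content-Length cannot drive a large up-front allocation. The names `bounded_read`, `RecordingStream` and `demo` are assumptions, and the sample stream is constructed.

```python
import io
from http.client import IncompleteRead

MIN_READ_BUF_SIZE = 1 << 20  # 1 MiB, the bound named in the advisory

def bounded_read(fp, amt, min_buf=MIN_READ_BUF_SIZE):
    """Read exactly amt bytes from fp without trusting amt for allocation."""
    cursize = min(amt, min_buf)
    first = fp.read(cursize)
    if len(first) < cursize:
        raise IncompleteRead(first, amt - len(first))
    if cursize == amt:
        return first
    buf = io.BytesIO(first)
    buf.seek(0, io.SEEK_END)
    while buf.tell() < amt:
        have = buf.tell()
        # Never request more than is already held: the buffer at most
        # doubles per round, so memory tracks bytes actually received.
        want = min(have, amt - have)
        chunk = fp.read(want)
        buf.write(chunk)
        if len(chunk) < want:  # peer stopped sending before amt bytes
            raise IncompleteRead(buf.getvalue(), amt - buf.tell())
    return buf.getvalue()

class RecordingStream(io.BytesIO):
    """Constructed test double: remembers the largest read() size requested."""
    def __init__(self, data):
        super().__init__(data)
        self.largest_request = 0

    def read(self, size=-1):
        self.largest_request = max(self.largest_request, size)
        return super().read(size)

def demo():
    # Constructed scenario: 1 GiB advertised, only 3 KiB sent.
    # min_buf is scaled down to 1 KiB so the growth is easy to follow.
    stream = RecordingStream(b"x" * 3072)
    try:
        bounded_read(stream, 1 << 30, min_buf=1024)
    except IncompleteRead as exc:
        return len(exc.partial), stream.largest_request

if __name__ == "__main__":
    print(demo())
```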
Updated packages:
  • idle-python3.7_3.7.3-2+deb10u7+tuxcare.els3_all.deb
    sha:41f2d148e0613aa50c617ca86f0d2cc61221a604
  • libpython3.7_3.7.3-2+deb10u7+tuxcare.els3_amd64.deb
    sha:7a7f8db21d8409227ff91b49521b9d626cceceec
  • libpython3.7-dev_3.7.3-2+deb10u7+tuxcare.els3_amd64.deb
    sha:cba8b88ab4744864b05b467bf567f0e2a903c20d
  • libpython3.7-minimal_3.7.3-2+deb10u7+tuxcare.els3_amd64.deb
    sha:2e3598cba303afeb6bfabaa9608fc8b1a27b68e2
  • libpython3.7-stdlib_3.7.3-2+deb10u7+tuxcare.els3_amd64.deb
    sha:788b1afab579e2cebfeeb5a33545c0505d895561
  • libpython3.7-testsuite_3.7.3-2+deb10u7+tuxcare.els3_all.deb
    sha:9997603a9d3fc9f710457e214bf310329607ebf5
  • python3.7_3.7.3-2+deb10u7+tuxcare.els3_amd64.deb
    sha:caae2e2c47aed0938a24e181f8cd5a0a45f4b49f
  • python3.7-dev_3.7.3-2+deb10u7+tuxcare.els3_amd64.deb
    sha:cd30e1fd9f8960c28fe7c15d7e319c6328e7e75c
  • python3.7-doc_3.7.3-2+deb10u7+tuxcare.els3_all.deb
    sha:3da6182a83b1d2708d30caa537370160a5cb93ce
  • python3.7-examples_3.7.3-2+deb10u7+tuxcare.els3_all.deb
    sha:9aa191335655200d1a477bf263dba6e74fde06d2
  • python3.7-minimal_3.7.3-2+deb10u7+tuxcare.els3_amd64.deb
    sha:1238717c39d2ed22d2e31b680bb461242aedae2d
  • python3.7-venv_3.7.3-2+deb10u7+tuxcare.els3_amd64.deb
    sha:5a80b92a9b0333fed5b09cfbca8bca16aa7bca29
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.