All errata/sisyphus/ALT-PU-2026-6424-3
ALT-PU-2026-6424-3

Package update python3.14 in branch sisyphus

Version3.14.4-alt1
Task#415436
Published2026-04-25
Max severityHIGH
Severity:

Closed issues (7)

BDU:2026-04596
MEDIUM5.5

Уязвимость класса FileLoader интерпретатора языка программирования Python (CPython), позволяющая нарушителю оказать воздействие на целостность защищаемой информации

Published: 2026-04-03
CVSS 3.xMEDIUM 5.5
CVSS:3.x/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
CVSS 2.0MEDIUM 4.6
CVSS:2.0/AV:L/AC:L/Au:S/C:N/I:C/A:N
References
BDU:2026-04601
HIGH7.1

Уязвимость библиотеки http.cookies интерпретатора языка программирования Python (CPython), позволяющая нарушителю оказать влияние на конфиденциальность и целостность защищаемой информации

Published: 2026-04-03
CVSS 3.xHIGH 7.1
CVSS:3.x/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
CVSS 2.0HIGH 7.5
CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:C/A:N
References
BDU:2026-04602
MEDIUM6.5

Уязвимость компонента ElementDeclHandler интерпретатора языка программирования Python (CPython), позволяющая нарушителю вызвать отказ в обслуживании

Published: 2026-04-03
CVSS 3.xMEDIUM 6.5
CVSS:3.x/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVSS 2.0MEDIUM 6.8
CVSS:2.0/AV:N/AC:L/Au:S/C:N/I:N/A:C
References
CVE-2026-2297
MEDIUM5.7

The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire.

Published: 2026-03-04Modified: 2026-05-01
CVSS 4.0MEDIUM 5.7
CVSS:4.0/CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
References
CVE-2026-3644
MEDIUM6.0

The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().

Published: 2026-03-16Modified: 2026-03-17
CVSS 4.0MEDIUM 6.0
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
References
CVE-2026-4224
MEDIUM6.0

When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content model a C stack overflow occurs.

Published: 2026-03-16Modified: 2026-04-08
CVSS 4.0MEDIUM 6.0
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
References
CVE-2026-4519
HIGH7.0

The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().

Published: 2026-03-20Modified: 2026-04-16
CVSS 3.xLOW 3.3
CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CVSS 4.0HIGH 7.0
CVSS:4.0/CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
References