Opened 2 hours ago
#5972 new enhancement
Python security fixes: CVE-2026-4360 and 15308
| Reported by: | Joe Locash | Owned by: | lfs-book |
|---|---|---|---|
| Priority: | high | Milestone: | 13.1 |
| Component: | Book | Version: | git |
| Severity: | normal | Keywords: | |
| Cc: |
Description
2 CVE's have been fixed in Python recently, the one reported today has a high severity.
From: Petr Viktorin via Security-announce <security-announce@python.org> Date: Tue, 30 Jun 2026 13:45:44 +0200 Subject: [Security-announce][CVE-2026-4360] Tarfile.extract doesn't fully respect filter parameter There is a LOW severity vulnerability affecting CPython. In the Tarfile.extract function, the filter parameter is not passed properly called when extracting hardlinks. An affected system that extracts content from untrusted tar files could end up writing files with an unexpected uid/gid despite the user passing filter='data' to the extract function. Please see the linked CVE ID for the latest information on affected versions: * https://www.cve.org/CVERecord?id=CVE-2026-4360 * https://github.com/python/cpython/pull/151988
Upstream PR for the 3.14 branch: https://github.com/python/cpython/pull/152609
From: Seth Larson <seth@python.org> Date: Thu, 9 Jul 2026 17:08:21 +0000 Subject: [Security-announce][CVE-2026-15308] Incremental HTMLParser allows CPU-exhaustion DoS via repeated unterminated markup declarations There is a HIGH severity vulnerability affecting CPython. The incremental HTML parser (html.parser.HTMLParser) allows for CPU denial-of-service through repeated unterminated markup declarations when processing uncontrolled data. Please see the linked CVE ID for the latest information on affected versions: * https://www.cve.org/CVERecord?id=CVE-2026-15308 * https://github.com/python/cpython/pull/153031
Upstream PR for the 3.14 branch: https://github.com/python/cpython/pull/153039
Patches attached for both.
Attachments (2)
Change History (2)
by , 2 hours ago
| Attachment: | python3-3.14-cve-2026-4360.patch added |
|---|
by , 2 hours ago
| Attachment: | python3-3.14-cve-2026-15308.patch added |
|---|
Note:
See TracTickets
for help on using tickets.
