{"schema_version":"1.7.2","id":"OESA-2026-2919","modified":"2026-07-09T12:51:18Z","published":"2026-07-09T12:51:18Z","upstream":["CVE-2026-11940","CVE-2026-11972","CVE-2026-8328"],"summary":"python3 security update","details":"Python combines remarkable power with very clear syntax. It has modules, classes, exceptions, very high level dynamic data types, and dynamic typing. There are interfaces to many system calls and libraries, as well as to various windowing systems. New built-in modules are easily written in C or C++ (or other languages, depending on the chosen implementation). Python is also usable as an extension language for applications written in other languages that need easy-to-use scripting or automation interfaces.\r\n\r\nSecurity Fix(es):\n\ntarfile.extractall() with the &apos;data&apos; or &apos;tar&apos;\n filter could be bypassed by a crafted archive where a hardlink \nreferences a symlink stored at a deeper name than the hardlink itself.  \nThe extraction fallback validated the symlink at it&apos;s archived location \nbut recreated it at the hardlink&apos;s shallower\npath, letting a relative\n target the filter judged contained escape the destination directory.  \nThis allowed a malicious tar archive to create a symlink pointing \noutside the destination, enabling out-of-destination file reads or \nwrites. This was an incomplete fix of CVE-2025-4330.(CVE-2026-11940)\n\nWhen using the &quot;tarfile&quot; module with a file opened in &quot;streaming mode&quot; (mode=&quot;r|&quot;) the tarfile module did not properly handle EOF, making archive parsing take exponentially longer.(CVE-2026-11972)\n\nThe ftpcp() function in Lib/ftplib.py was not updated when \nCVE-2021-4189 was fixed. While makepasv() was patched to replace \nserver-supplied PASV host addresses with the actual peer address \n(getpeername()[0]), ftpcp() still calls parse227() directly and passes \nthe raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.(CVE-2026-8328)","affected":[{"package":{"ecosystem":"openEuler:24.03-LTS-SP1","name":"python3","purl":"pkg:rpm/openEuler/python3&distro=openEuler-24.03-LTS-SP1"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.11.6-34.oe2403sp1"}]}],"ecosystem_specific":{"aarch64":["python3-3.11.6-34.oe2403sp1.aarch64.rpm","python3-debug-3.11.6-34.oe2403sp1.aarch64.rpm","python3-debuginfo-3.11.6-34.oe2403sp1.aarch64.rpm","python3-debugsource-3.11.6-34.oe2403sp1.aarch64.rpm","python3-devel-3.11.6-34.oe2403sp1.aarch64.rpm","python3-tkinter-3.11.6-34.oe2403sp1.aarch64.rpm","python3-unversioned-command-3.11.6-34.oe2403sp1.aarch64.rpm"],"noarch":["python3-help-3.11.6-34.oe2403sp1.noarch.rpm"],"src":["python3-3.11.6-34.oe2403sp1.src.rpm"],"x86_64":["python3-3.11.6-34.oe2403sp1.x86_64.rpm","python3-debug-3.11.6-34.oe2403sp1.x86_64.rpm","python3-debuginfo-3.11.6-34.oe2403sp1.x86_64.rpm","python3-debugsource-3.11.6-34.oe2403sp1.x86_64.rpm","python3-devel-3.11.6-34.oe2403sp1.x86_64.rpm","python3-tkinter-3.11.6-34.oe2403sp1.x86_64.rpm","python3-unversioned-command-3.11.6-34.oe2403sp1.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2919"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-11940"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-11972"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-8328"}],"database_specific":{"severity":"High"}}
