OESA-2026-2919

Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2026-2919
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2026-2919.json
JSON Data
https://api.osv.dev/v1/vulns/OESA-2026-2919
Upstream
Published
2026-07-09T12:51:18Z
Modified
2026-07-09T13:00:09.698244232Z
Summary
python3 security update
Details

Python combines remarkable power with very clear syntax. It has modules, classes, exceptions, very high level dynamic data types, and dynamic typing. There are interfaces to many system calls and libraries, as well as to various windowing systems. New built-in modules are easily written in C or C++ (or other languages, depending on the chosen implementation). Python is also usable as an extension language for applications written in other languages that need easy-to-use scripting or automation interfaces.

Security Fix(es):

tarfile.extractall() with the 'data' or 'tar' filter could be bypassed by a crafted archive where a hardlink references a symlink stored at a deeper name than the hardlink itself.  The extraction fallback validated the symlink at it's archived location but recreated it at the hardlink's shallower path, letting a relative target the filter judged contained escape the destination directory.  This allowed a malicious tar archive to create a symlink pointing outside the destination, enabling out-of-destination file reads or writes. This was an incomplete fix of CVE-2025-4330.(CVE-2026-11940)

When using the "tarfile" module with a file opened in "streaming mode" (mode="r|") the tarfile module did not properly handle EOF, making archive parsing take exponentially longer.(CVE-2026-11972)

The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.(CVE-2026-8328)

Database specific
{
    "severity": "High"
}
References

Affected packages

openEuler:24.03-LTS-SP1 / python3

Package

Name
python3
Purl
pkg:rpm/openEuler/python3&distro=openEuler-24.03-LTS-SP1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.11.6-34.oe2403sp1

Ecosystem specific

{
    "aarch64": [
        "python3-3.11.6-34.oe2403sp1.aarch64.rpm",
        "python3-debug-3.11.6-34.oe2403sp1.aarch64.rpm",
        "python3-debuginfo-3.11.6-34.oe2403sp1.aarch64.rpm",
        "python3-debugsource-3.11.6-34.oe2403sp1.aarch64.rpm",
        "python3-devel-3.11.6-34.oe2403sp1.aarch64.rpm",
        "python3-tkinter-3.11.6-34.oe2403sp1.aarch64.rpm",
        "python3-unversioned-command-3.11.6-34.oe2403sp1.aarch64.rpm"
    ],
    "noarch": [
        "python3-help-3.11.6-34.oe2403sp1.noarch.rpm"
    ],
    "x86_64": [
        "python3-3.11.6-34.oe2403sp1.x86_64.rpm",
        "python3-debug-3.11.6-34.oe2403sp1.x86_64.rpm",
        "python3-debuginfo-3.11.6-34.oe2403sp1.x86_64.rpm",
        "python3-debugsource-3.11.6-34.oe2403sp1.x86_64.rpm",
        "python3-devel-3.11.6-34.oe2403sp1.x86_64.rpm",
        "python3-tkinter-3.11.6-34.oe2403sp1.x86_64.rpm",
        "python3-unversioned-command-3.11.6-34.oe2403sp1.x86_64.rpm"
    ],
    "src": [
        "python3-3.11.6-34.oe2403sp1.src.rpm"
    ]
}

Database specific

source
"https://repo.openeuler.org/security/data/osv/OESA-2026-2919.json"