Skip to content

Security fixes for CVE-2026-1502, CVE-2026-4786, CVE-2026-6100, CVE-2026-2297, CVE 2026-3644, CVE-2026-4224#142

Open
stratakis wants to merge 6 commits intofedora-python:fedora-3.12from
stratakis:3.12-yawwww-cveeeees
Open

Security fixes for CVE-2026-1502, CVE-2026-4786, CVE-2026-6100, CVE-2026-2297, CVE 2026-3644, CVE-2026-4224#142
stratakis wants to merge 6 commits intofedora-python:fedora-3.12from
stratakis:3.12-yawwww-cveeeees

Conversation

@stratakis
Copy link
Copy Markdown
Member

@stratakis stratakis commented Apr 16, 2026

No description provided.

@frenzymadness
Copy link
Copy Markdown
Member

frenzymadness commented Apr 16, 2026

There is a dash missing in CVE 2026-3644. Some of them are medium we're not going to be fixing proactively in RHEL and Fedora can wait for rebase. What is your plan with them?

@hroncok hroncok removed request for encukou and ncoghlan April 16, 2026 12:58
sethmlarson and others added 4 commits April 16, 2026 14:58
@sethmlarson @illia-v @stratakis
00479: CVE-2026-1502
7bc9eeb 
Reject CR/LF in HTTP tunnel request headers

Co-authored-by: Illia Volochii <illia.volochii@gmail.com>
@StanFromIreland @stratakis
00480: CVE-2026-4786
fef773a 
Fix webbrowser `%action` substitution bypass of dash-prefix check
@StanFromIreland @stratakis
00482: CVE-2026-6100
13fef9b 
Fix a possible UAF in {LZMA,BZ2,_Zlib}Decompressor
@zooba @stratakis
00483: CVE-2026-2297
573c345 
Logging Bypass in Legacy .pyc File Handling
@stratakis stratakis force-pushed the 3.12-yawwww-cveeeees branch from 3a96280 to 3bf0233 Compare April 16, 2026 12:59
StanFromIreland and others added 2 commits April 16, 2026 14:59
@StanFromIreland @vstinner @stratakis
00484: CVE-2026-3644
fbb9f26 
Incomplete control character validation in http.cookies

Co-authored-by: Victor Stinner <victor.stinner@gmail.com>
@StanFromIreland @picnixz @stratakis
00485: CVE-2026-4224
8345fc3 
Stack overflow parsing XML with deeply nested DTD content models

Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
@stratakis stratakis force-pushed the 3.12-yawwww-cveeeees branch from 3bf0233 to 8345fc3 Compare April 16, 2026 12:59
@stratakis
Copy link
Copy Markdown
Member Author

stratakis commented Apr 16, 2026

There is a dash missing in CVE 2026-3644. Some of them are medium we're not going to be fixing proactively in RHEL and Fedora can wait for rebase. What is your plan with them?

Dash fixed. My plan is basically to have them all fixed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@stratakis @frenzymadness @sethmlarson @StanFromIreland @zooba