Skip to content

[3.6] Security fixes for CVE-2026-6100 and CVE-2026-4786 #145

Merged
stratakis merged 2 commits intofedora-python:fedora-3.6from
stratakis:3.6-cves-for-ever
Apr 23, 2026
Merged

[3.6] Security fixes for CVE-2026-6100 and CVE-2026-4786 #145
stratakis merged 2 commits intofedora-python:fedora-3.6from
stratakis:3.6-cves-for-ever

Conversation

@stratakis
Copy link
Copy Markdown
Member

@stratakis stratakis commented Apr 17, 2026

No description provided.

@StanFromIreland @stratakis
00480: CVE-2026-4786
96f1cb3 
Fix webbrowser `%action` substitution bypass of dash-prefix check

Backported from Python 3.10
@StanFromIreland @stratakis
00482: CVE-2026-6100
4aa3813 
Fix a possible UAF in {LZMA,BZ2,_Zlib}Decompressor

Backported from Python 3.10
@hroncok
Copy link
Copy Markdown
Member

hroncok commented Apr 21, 2026

For CVE-2026-6100, is there no change required for Modules/zlibmodule.c ?

@stratakis
Copy link
Copy Markdown
Member Author

stratakis commented Apr 22, 2026

For CVE-2026-6100, is there no change required for Modules/zlibmodule.c ?

Nope, the vulnerable class in zlibmodule was introduced with Python 3.12, hence why also the 3.9, 3.10, 3.11 backports also don't have a fix there.

@stratakis stratakis merged commit 4aa3813 into fedora-python:fedora-3.6 Apr 23, 2026
@stratakis stratakis deleted the 3.6-cves-for-ever branch April 23, 2026 01:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@hroncok hroncok hroncok approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@stratakis @hroncok @StanFromIreland