ALAS2023-2026-1910


Amazon Linux 2023 Security Advisory: ALAS2023-2026-1910
Advisory Released Date: 2026-07-07
Advisory Updated Date: 2026-07-07
Severity: Important

Issue Overview:

tarfile.extractall() with the 'data' or 'tar'
filter could be bypassed by a crafted archive where a hardlink
references a symlink stored at a deeper name than the hardlink itself.
The extraction fallback validated the symlink at it's archived location
but recreated it at the hardlink's shallower
path, letting a relative
target the filter judged contained escape the destination directory.
This allowed a malicious tar archive to create a symlink pointing
outside the destination, enabling out-of-destination file reads or
writes. This was an incomplete fix of CVE-2025-4330. (CVE-2026-11940)

CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host. (CVE-2026-1502)

unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms. (CVE-2026-3276)

`xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.\\r\\n\\r\\nFully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch. (CVE-2026-7210)

tarfile.data_filter could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive members outside the intended extraction directory. This allowed a malicious tar archive to cause tarfile.extractall() to write files outside the destination directory, subject to the permissions of the extracting process. (CVE-2026-7774)

The ftpcp() function in Lib/ftplib.py was not updated when
CVE-2021-4189 was fixed. While makepasv() was patched to replace
server-supplied PASV host addresses with the actual peer address
(getpeername()[0]), ftpcp() still calls parse227() directly and passes
the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189. (CVE-2026-8328)

bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data. (CVE-2026-9669)


Affected Packages:

python3.13


Issue Correction:
Run dnf update python3.13 --releasever 2023.12.20260706 or dnf update --advisory ALAS2023-2026-1910 --releasever 2023.12.20260706 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation

New Packages:
aarch64:
    python3.13-devel-3.13.14-1.amzn2023.0.1.aarch64
    python3.13-idle-3.13.14-1.amzn2023.0.1.aarch64
    python3.13-debugsource-3.13.14-1.amzn2023.0.1.aarch64
    python3.13-3.13.14-1.amzn2023.0.1.aarch64
    python3.13-tkinter-3.13.14-1.amzn2023.0.1.aarch64
    python3.13-debug-3.13.14-1.amzn2023.0.1.aarch64
    python3.13-freethreading-debug-3.13.14-1.amzn2023.0.1.aarch64
    python3.13-debuginfo-3.13.14-1.amzn2023.0.1.aarch64
    python3.13-libs-3.13.14-1.amzn2023.0.1.aarch64
    python3.13-test-3.13.14-1.amzn2023.0.1.aarch64
    python3.13-freethreading-3.13.14-1.amzn2023.0.1.aarch64

src:
    python3.13-3.13.14-1.amzn2023.0.1.src

x86_64:
    python3.13-idle-3.13.14-1.amzn2023.0.1.x86_64
    python3.13-debugsource-3.13.14-1.amzn2023.0.1.x86_64
    python3.13-3.13.14-1.amzn2023.0.1.x86_64
    python3.13-tkinter-3.13.14-1.amzn2023.0.1.x86_64
    python3.13-devel-3.13.14-1.amzn2023.0.1.x86_64
    python3.13-freethreading-debug-3.13.14-1.amzn2023.0.1.x86_64
    python3.13-debug-3.13.14-1.amzn2023.0.1.x86_64
    python3.13-debuginfo-3.13.14-1.amzn2023.0.1.x86_64
    python3.13-libs-3.13.14-1.amzn2023.0.1.x86_64
    python3.13-test-3.13.14-1.amzn2023.0.1.x86_64
    python3.13-freethreading-3.13.14-1.amzn2023.0.1.x86_64