Amazon Linux 2023 Security Advisory: ALAS2023-2026-1929
Advisory Released Date: 2026-07-07
Advisory Updated Date: 2026-07-07
FAQs regarding Amazon Linux ALAS/CVE Severity
tarfile.extractall() with the 'data' or 'tar'
filter could be bypassed by a crafted archive where a hardlink
references a symlink stored at a deeper name than the hardlink itself.
The extraction fallback validated the symlink at it's archived location
but recreated it at the hardlink's shallower
path, letting a relative
target the filter judged contained escape the destination directory.
This allowed a malicious tar archive to create a symlink pointing
outside the destination, enabling out-of-destination file reads or
writes. This was an incomplete fix of CVE-2025-4330. (CVE-2026-11940)
unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms. (CVE-2026-3276)
tarfile.data_filter could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive members outside the intended extraction directory. This allowed a malicious tar archive to cause tarfile.extractall() to write files outside the destination directory, subject to the permissions of the extracting process. (CVE-2026-7774)
The ftpcp() function in Lib/ftplib.py was not updated when
CVE-2021-4189 was fixed. While makepasv() was patched to replace
server-supplied PASV host addresses with the actual peer address
(getpeername()[0]), ftpcp() still calls parse227() directly and passes
the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189. (CVE-2026-8328)
Affected Packages:
python3.14
Issue Correction:
Run dnf update python3.14 --releasever 2023.12.20260706 or dnf update --advisory ALAS2023-2026-1929 --releasever 2023.12.20260706 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation
aarch64:
python3.14-freethreading-tkinter-3.14.6-1.amzn2023.0.1.aarch64
python3.14-freethreading-devel-3.14.6-1.amzn2023.0.1.aarch64
python3.14-3.14.6-1.amzn2023.0.1.aarch64
python3.14-devel-3.14.6-1.amzn2023.0.1.aarch64
python3.14-debugsource-3.14.6-1.amzn2023.0.1.aarch64
python3.14-freethreading-3.14.6-1.amzn2023.0.1.aarch64
python3.14-idle-3.14.6-1.amzn2023.0.1.aarch64
python3.14-tkinter-3.14.6-1.amzn2023.0.1.aarch64
python3.14-freethreading-idle-3.14.6-1.amzn2023.0.1.aarch64
python3.14-debug-3.14.6-1.amzn2023.0.1.aarch64
python3.14-freethreading-debug-3.14.6-1.amzn2023.0.1.aarch64
python3.14-libs-3.14.6-1.amzn2023.0.1.aarch64
python3.14-debuginfo-3.14.6-1.amzn2023.0.1.aarch64
python3.14-freethreading-libs-3.14.6-1.amzn2023.0.1.aarch64
python3.14-test-3.14.6-1.amzn2023.0.1.aarch64
python3.14-freethreading-test-3.14.6-1.amzn2023.0.1.aarch64
src:
python3.14-3.14.6-1.amzn2023.0.1.src
x86_64:
python3.14-freethreading-tkinter-3.14.6-1.amzn2023.0.1.x86_64
python3.14-freethreading-idle-3.14.6-1.amzn2023.0.1.x86_64
python3.14-freethreading-devel-3.14.6-1.amzn2023.0.1.x86_64
python3.14-devel-3.14.6-1.amzn2023.0.1.x86_64
python3.14-3.14.6-1.amzn2023.0.1.x86_64
python3.14-freethreading-debug-3.14.6-1.amzn2023.0.1.x86_64
python3.14-freethreading-3.14.6-1.amzn2023.0.1.x86_64
python3.14-tkinter-3.14.6-1.amzn2023.0.1.x86_64
python3.14-idle-3.14.6-1.amzn2023.0.1.x86_64
python3.14-debugsource-3.14.6-1.amzn2023.0.1.x86_64
python3.14-debug-3.14.6-1.amzn2023.0.1.x86_64
python3.14-debuginfo-3.14.6-1.amzn2023.0.1.x86_64
python3.14-libs-3.14.6-1.amzn2023.0.1.x86_64
python3.14-freethreading-libs-3.14.6-1.amzn2023.0.1.x86_64
python3.14-freethreading-test-3.14.6-1.amzn2023.0.1.x86_64
python3.14-test-3.14.6-1.amzn2023.0.1.x86_64