ALAS2023-2026-1930


Amazon Linux 2023 Security Advisory: ALAS2023-2026-1930
Advisory Released Date: 2026-07-07
Advisory Updated Date: 2026-07-07
Severity: Important

Issue Overview:

The "tarfile" module would still apply normalization of AREGTYPE (\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations. (CVE-2025-13462)

tarfile.extractall() with the 'data' or 'tar'
filter could be bypassed by a crafted archive where a hardlink
references a symlink stored at a deeper name than the hardlink itself.
The extraction fallback validated the symlink at it's archived location
but recreated it at the hardlink's shallower
path, letting a relative
target the filter judged contained escape the destination directory.
This allowed a malicious tar archive to create a symlink pointing
outside the destination, enabling out-of-destination file reads or
writes. This was an incomplete fix of CVE-2025-4330. (CVE-2026-11940)

`xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.\\r\\n\\r\\nFully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch. (CVE-2026-7210)

The ftpcp() function in Lib/ftplib.py was not updated when
CVE-2021-4189 was fixed. While makepasv() was patched to replace
server-supplied PASV host addresses with the actual peer address
(getpeername()[0]), ftpcp() still calls parse227() directly and passes
the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189. (CVE-2026-8328)


Affected Packages:

python3.11


Issue Correction:
Run dnf update python3.11 --releasever 2023.12.20260706 or dnf update --advisory ALAS2023-2026-1930 --releasever 2023.12.20260706 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation

New Packages:
aarch64:
    python3.11-debugsource-3.11.15-1.amzn2023.0.3.aarch64
    python3.11-tkinter-3.11.15-1.amzn2023.0.3.aarch64
    python3.11-3.11.15-1.amzn2023.0.3.aarch64
    python3.11-devel-3.11.15-1.amzn2023.0.3.aarch64
    python3.11-idle-3.11.15-1.amzn2023.0.3.aarch64
    python3.11-debug-3.11.15-1.amzn2023.0.3.aarch64
    python3.11-debuginfo-3.11.15-1.amzn2023.0.3.aarch64
    python3.11-libs-3.11.15-1.amzn2023.0.3.aarch64
    python3.11-test-3.11.15-1.amzn2023.0.3.aarch64

src:
    python3.11-3.11.15-1.amzn2023.0.3.src

x86_64:
    python3.11-debugsource-3.11.15-1.amzn2023.0.3.x86_64
    python3.11-tkinter-3.11.15-1.amzn2023.0.3.x86_64
    python3.11-devel-3.11.15-1.amzn2023.0.3.x86_64
    python3.11-3.11.15-1.amzn2023.0.3.x86_64
    python3.11-debug-3.11.15-1.amzn2023.0.3.x86_64
    python3.11-idle-3.11.15-1.amzn2023.0.3.x86_64
    python3.11-debuginfo-3.11.15-1.amzn2023.0.3.x86_64
    python3.11-libs-3.11.15-1.amzn2023.0.3.x86_64
    python3.11-test-3.11.15-1.amzn2023.0.3.x86_64