Amazon Linux 2023 Security Advisory: ALAS2023-2026-1933
Advisory Released Date: 2026-07-07
Advisory Updated Date: 2026-07-07
FAQs regarding Amazon Linux ALAS/CVE Severity
The "tarfile" module would still apply normalization of AREGTYPE (\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations. (CVE-2025-13462)
When calling base64.b64decode() or related functions the decoding process would stop after encountering the first padded quad regardless of whether there was more information to be processed. This can lead to data being accepted which may be processed differently by other implementations. Use "validate=True" to enable stricter processing of base64 data. (CVE-2026-3446)
pkgutil.get_data() did not validate the resource argument as documented, allowing path traversals. (CVE-2026-3479)
`xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.\\r\\n\\r\\nFully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch. (CVE-2026-7210)
The ftpcp() function in Lib/ftplib.py was not updated when
CVE-2021-4189 was fixed. While makepasv() was patched to replace
server-supplied PASV host addresses with the actual peer address
(getpeername()[0]), ftpcp() still calls parse227() directly and passes
the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189. (CVE-2026-8328)
Affected Packages:
python3.9
Issue Correction:
Run dnf update python3.9 --releasever 2023.12.20260706 or dnf update --advisory ALAS2023-2026-1933 --releasever 2023.12.20260706 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation
aarch64:
python3-3.9.25-1.amzn2023.0.7.aarch64
python3-tkinter-3.9.25-1.amzn2023.0.7.aarch64
python3-devel-3.9.25-1.amzn2023.0.7.aarch64
python3.9-debugsource-3.9.25-1.amzn2023.0.7.aarch64
python3-idle-3.9.25-1.amzn2023.0.7.aarch64
python3-debug-3.9.25-1.amzn2023.0.7.aarch64
python3.9-debuginfo-3.9.25-1.amzn2023.0.7.aarch64
python3-libs-3.9.25-1.amzn2023.0.7.aarch64
python3-test-3.9.25-1.amzn2023.0.7.aarch64
noarch:
python-unversioned-command-3.9.25-1.amzn2023.0.7.noarch
src:
python3.9-3.9.25-1.amzn2023.0.7.src
x86_64:
python3-devel-3.9.25-1.amzn2023.0.7.x86_64
python3-tkinter-3.9.25-1.amzn2023.0.7.x86_64
python3-idle-3.9.25-1.amzn2023.0.7.x86_64
python3-3.9.25-1.amzn2023.0.7.x86_64
python3.9-debugsource-3.9.25-1.amzn2023.0.7.x86_64
python3-debug-3.9.25-1.amzn2023.0.7.x86_64
python3.9-debuginfo-3.9.25-1.amzn2023.0.7.x86_64
python3-libs-3.9.25-1.amzn2023.0.7.x86_64
python3-test-3.9.25-1.amzn2023.0.7.x86_64