python3.11-3.11.13-9.el9

エラータID: AXSA:2026-1007:11

Release date: 
Thursday, June 25, 2026 - 15:58
Subject: 
python3.11-3.11.13-9.el9
Affected Channels: 
MIRACLE LINUX 9 for x86_64
Severity: 
High
Description: 

Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.

Security Fix(es):

* python: Python: Command-line option injection in webbrowser.open() via crafted URLs (CVE-2026-4519)
* python: Python: Arbitrary code execution or information disclosure via use-after-free in decompression modules (CVE-2026-6100)
* python: cpython: Python: Arbitrary code execution via command injection in webbrowser.open() API (CVE-2026-4786)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2026-4519
The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().
CVE-2026-4786
Mitgation of CVE-2026-4519 was incomplete. If the URL contained "%action" the mitigation could be bypassed for certain browser types the "webbrowser.open()" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.
CVE-2026-6100
Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition. The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. Using the helper functions to one-shot decompress data such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. python3.11-3.11.13-9.el9.src.rpm
    MD5: 6005e110368024010b7a30c2a0a4d173
    SHA-256: 6ea25b701ef2750e8035524dc19baa000604a0f86cda19e1bcf4e8a53688d877
    Size: 19.27 MB

Asianux Server 9 for x86_64
  1. python3.11-3.11.13-9.el9.i686.rpm
    MD5: 7561479a370e54000ae83d9347934c17
    SHA-256: b0e84f4c907a7ad8c679cf02bcaa87d71e7bd304ea81165765c60e85c9c2bff5
    Size: 25.07 kB
  2. python3.11-3.11.13-9.el9.x86_64.rpm
    MD5: 4a2152e6331e80091e0b95a9a402b11f
    SHA-256: 692392262b68618551dc23b5a6ce1d22af13ead09dcc41bee319bfeeabec1d5e
    Size: 25.07 kB
  3. python3.11-debug-3.11.13-9.el9.i686.rpm
    MD5: ff5fa5fd34b0f2f6c327cf7104715dd0
    SHA-256: acf2e7e96918c99123b534ee4564dfc374646a47490ba4647fd3bdef037babae
    Size: 3.24 MB
  4. python3.11-debug-3.11.13-9.el9.x86_64.rpm
    MD5: fe7d5dfeadb26b11ec2a43a2d4947500
    SHA-256: b13abc82d041a29f4fbfd36c7d56abf4cee0dc2a7dbaa2d74e064bbd5569e77b
    Size: 3.39 MB
  5. python3.11-devel-3.11.13-9.el9.i686.rpm
    MD5: 268db0694ddbd678f14dbc493ec6cece
    SHA-256: 1477d0f690fb16dcac17ca52715d47e13114c579da8008bc69bbe298f78e7596
    Size: 280.16 kB
  6. python3.11-devel-3.11.13-9.el9.x86_64.rpm
    MD5: bd62ab758ed7bdfcb71f6f1ba7efb84a
    SHA-256: 54de4a03c9ffe66f45f469c88f75896d4fc2c8486a7855e19e0193caefa84855
    Size: 280.12 kB
  7. python3.11-idle-3.11.13-9.el9.i686.rpm
    MD5: 3e096b5d12b43b63614664a37d085857
    SHA-256: f6b063ebf47be9ed3b2ae5964b6f96237d708775a58a68f9102f8dca3feb435a
    Size: 1.09 MB
  8. python3.11-idle-3.11.13-9.el9.x86_64.rpm
    MD5: 8ddff3330243c0370f84ec42482af24c
    SHA-256: efc2b63f6ea3175f43d7b0a994c31a283cfbe9dbcd93fe25bdac1070eb5d6d08
    Size: 1.09 MB
  9. python3.11-libs-3.11.13-9.el9.i686.rpm
    MD5: 17e8e743beff8ce525895c2e7678b97d
    SHA-256: cff7369ca0755e2e94eb27e0b4f59b3e9c41b0b017ff48ee52333bbff6455c6b
    Size: 10.22 MB
  10. python3.11-libs-3.11.13-9.el9.x86_64.rpm
    MD5: 4346b037e2bda5a7d5f53c1f2192e685
    SHA-256: fc1bc0a6c62950d4acf6c918b3834d4f50209525cdf2e7cb8864261b61621995
    Size: 10.17 MB
  11. python3.11-test-3.11.13-9.el9.i686.rpm
    MD5: 153fde3a860399f0cc2956d24343bfbb
    SHA-256: 716f952225e5d69b3132f629a3c95a99e7250804da35b78dcf1517dd32a9176e
    Size: 15.36 MB
  12. python3.11-test-3.11.13-9.el9.x86_64.rpm
    MD5: 46ca8cdb0f1e544726269dfee5f08e7c
    SHA-256: 22d8af61cebc7bbd634a1d0718a0fbff3a2ab93013506dcfd82d141c45b087c7
    Size: 15.36 MB
  13. python3.11-tkinter-3.11.13-9.el9.i686.rpm
    MD5: 25541baa0e3c68fdb9a55f87d3ec2a5f
    SHA-256: 04e7664d0d5f35b0b12df692b922b49eadecc787c01c39592bf8950290219c82
    Size: 427.44 kB
  14. python3.11-tkinter-3.11.13-9.el9.x86_64.rpm
    MD5: 8d8618864803c4a2e07756866ee7d404
    SHA-256: c105408da8ebf0eac80021f95a403283cab560c218e35f9dbeaa16d0b20e6cdd
    Size: 426.15 kB