python3.9-3.9.25-7.el9

エラータID: AXSA:2026-1096:05

Release date: 
Tuesday, June 30, 2026 - 14:44
Subject: 
python3.9-3.9.25-7.el9
Affected Channels: 
MIRACLE LINUX 9 for x86_64
Severity: 
High
Description: 

Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.

Security Fix(es):

* python: Python: Command-line option injection in webbrowser.open() via crafted URLs (CVE-2026-4519)
* python: Python: Arbitrary code execution or information disclosure via use-after-free in decompression modules (CVE-2026-6100)
* python: cpython: Python: Arbitrary code execution via command injection in webbrowser.open() API (CVE-2026-4786)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2026-4519
The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().
CVE-2026-4786
Mitgation of CVE-2026-4519 was incomplete. If the URL contained "%action" the mitigation could be bypassed for certain browser types the "webbrowser.open()" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.
CVE-2026-6100
Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition. The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. Using the helper functions to one-shot decompress data such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. python3.9-3.9.25-7.el9.src.rpm
    MD5: 60f338cf96a555e935da804e7771afec
    SHA-256: 5d44fa1732e55281e1e2f2e2c32effb6c7ac85da825e88a142f68183d0fb8c5d
    Size: 19.86 MB

Asianux Server 9 for x86_64
  1. python3-3.9.25-7.el9.i686.rpm
    MD5: ccd0e36262e6e3d09524ccf810d1935f
    SHA-256: d08f462d023a79f7d7fb44added675be53adf92fa101701d47459f3115b72131
    Size: 26.13 kB
  2. python3-3.9.25-7.el9.x86_64.rpm
    MD5: ba6a44f828d3b5f3413d06c4304e29fd
    SHA-256: f557ca189d94450d54a156a2c65381a7ba36287544ec14300f8a9484ab25e9b8
    Size: 26.14 kB
  3. python3-debug-3.9.25-7.el9.i686.rpm
    MD5: 41f439cbe4ec9c254867beeb814cb899
    SHA-256: ff7a101866024410ac8254b57676e3b409461e9e305ef2bf336f0cf27dfdd98d
    Size: 2.88 MB
  4. python3-debug-3.9.25-7.el9.x86_64.rpm
    MD5: ecb8dd44737bdc7363c03958ee06d4d5
    SHA-256: f1133a59b84f8264c6a9995d92314198f15514e8d5c1e2e6fbc7e057fff8aaf1
    Size: 3.04 MB
  5. python3-devel-3.9.25-7.el9.i686.rpm
    MD5: f2c3a44e3fc88a4b60bf11cb9914b5cb
    SHA-256: f25dcce6a050db4d7a147e2b60a2e1e93814df61ca6173a4630e29a56d2cfae3
    Size: 245.73 kB
  6. python3-devel-3.9.25-7.el9.x86_64.rpm
    MD5: 49450b4fd8100b68a8efbbf010293e3b
    SHA-256: 550cb4c53956e217137c4320671a1873aa810d4fd38289b803395eb08c36be88
    Size: 245.63 kB
  7. python3-idle-3.9.25-7.el9.i686.rpm
    MD5: b18ecdcb7dd34c37ed8c0d2fda8054af
    SHA-256: 33aa08110fed6982d7a948d3f53eabef3e813e01f3e91123ef7d5c469f9c19dd
    Size: 889.27 kB
  8. python3-idle-3.9.25-7.el9.x86_64.rpm
    MD5: 6b649353283ea4c6e26e10f4ca63f6b5
    SHA-256: ced75951fc7f6e760409fd821a8754f3452ec8c84b428f72edbcdc09eef0c93d
    Size: 889.29 kB
  9. python3-libs-3.9.25-7.el9.i686.rpm
    MD5: ac427258597a1db0aa295429a9eea938
    SHA-256: 5870b5d5702c249b826ef0be2a1dd3fd81c869a20b0304fb0e9f05a34fa9eca2
    Size: 8.10 MB
  10. python3-libs-3.9.25-7.el9.x86_64.rpm
    MD5: a9987ba3342c7c87561335ca7ed715e0
    SHA-256: 32f5774cae8497c2d0fb401abf2d559783751a6ed1291b93acb0664dc3e52e50
    Size: 8.04 MB
  11. python3-test-3.9.25-7.el9.i686.rpm
    MD5: 1b6796e20894dbe6ba4210bc877e6ae6
    SHA-256: eae31f1ea5c33860c098b69d75a777b4b531670041ddafdaad852faf50b73669
    Size: 10.21 MB
  12. python3-test-3.9.25-7.el9.x86_64.rpm
    MD5: 18fbfb799df4cd8a55be38d2da770726
    SHA-256: e72a6789f0acd3a604e9f75f4e545f8d592c2c2530c0d5589828754147774673
    Size: 10.21 MB
  13. python3-tkinter-3.9.25-7.el9.i686.rpm
    MD5: fa390f98cc06d6184b5cb7a8831b055a
    SHA-256: b83a4cccee633a6c7125eb595cd4cead242742bbea7896b41e3043342bdcf090
    Size: 343.63 kB
  14. python3-tkinter-3.9.25-7.el9.x86_64.rpm
    MD5: f3029c333519d8dd191bbcb1f6fc8261
    SHA-256: bfcde4549930f77d95965f09e0030ee5e07aaf488d3d41a93cf0b6d970d0a0f0
    Size: 342.29 kB
  15. python-unversioned-command-3.9.25-7.el9.noarch.rpm
    MD5: 11772e1b04007d0303abcb52754e265a
    SHA-256: 859012828fcf80bbfba90fbd96a4ab2b3b742d497ece84f7a07dd70efd626311
    Size: 9.52 kB