ALAS2-2026-3185

Amazon Linux 2 Security Advisory: ALAS2-2026-3185
Advisory Released Date: 2026-03-06
Advisory Updated Date: 2026-03-06
Severity: Medium
Issue Overview:

When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized. (CVE-2025-11468)

User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype. (CVE-2025-15282)

If the value passed to os.path.expandvars() is user-controlled a
performance degradation is possible when expanding environment
variables. (CVE-2025-6075)

When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters. (CVE-2026-0672)

User-controlled header names and values containing newlines can allow injecting HTTP headers. (CVE-2026-0865)


Affected Packages:

python


Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.


Issue Correction:
Run yum update python or yum update --advisory ALAS2-2026-3185 to update your system.

New Packages:
aarch64:
    python-2.7.18-1.amzn2.0.16.aarch64
    python-libs-2.7.18-1.amzn2.0.16.aarch64
    python-devel-2.7.18-1.amzn2.0.16.aarch64
    python-tools-2.7.18-1.amzn2.0.16.aarch64
    tkinter-2.7.18-1.amzn2.0.16.aarch64
    python-test-2.7.18-1.amzn2.0.16.aarch64
    python-debug-2.7.18-1.amzn2.0.16.aarch64
    python-debuginfo-2.7.18-1.amzn2.0.16.aarch64

i686:
    python-2.7.18-1.amzn2.0.16.i686
    python-libs-2.7.18-1.amzn2.0.16.i686
    python-devel-2.7.18-1.amzn2.0.16.i686
    python-tools-2.7.18-1.amzn2.0.16.i686
    tkinter-2.7.18-1.amzn2.0.16.i686
    python-test-2.7.18-1.amzn2.0.16.i686
    python-debug-2.7.18-1.amzn2.0.16.i686
    python-debuginfo-2.7.18-1.amzn2.0.16.i686

src:
    python-2.7.18-1.amzn2.0.16.src

x86_64:
    python-2.7.18-1.amzn2.0.16.x86_64
    python-libs-2.7.18-1.amzn2.0.16.x86_64
    python-devel-2.7.18-1.amzn2.0.16.x86_64
    python-tools-2.7.18-1.amzn2.0.16.x86_64
    tkinter-2.7.18-1.amzn2.0.16.x86_64
    python-test-2.7.18-1.amzn2.0.16.x86_64
    python-debug-2.7.18-1.amzn2.0.16.x86_64
    python-debuginfo-2.7.18-1.amzn2.0.16.x86_64

Additional References

Release Notes:  Amazon Linux 2 Release Notes

Red Hat: CVE-2025-11468, CVE-2025-15282, CVE-2025-6075, CVE-2026-0672, CVE-2026-0865

Mitre: CVE-2025-11468, CVE-2025-15282, CVE-2025-6075, CVE-2026-0672, CVE-2026-0865