Amazon Linux 2023 Security Advisory: ALAS2023-2026-1832
Advisory Released Date: 2026-06-22
Advisory Updated Date: 2026-06-22
Severity:
Medium
Issue Overview:
The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire. (CVE-2026-2297)
http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes " for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value. (CVE-2026-6019)
Affected Packages:
python3.11
Issue Correction:
Run dnf update python3.11 --releasever 2023.12.20260622 or dnf update --advisory ALAS2023-2026-1832 --releasever 2023.12.20260622 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation
New Packages:
aarch64:
python3.11-3.11.15-1.amzn2023.0.2.aarch64
python3.11-tkinter-3.11.15-1.amzn2023.0.2.aarch64
python3.11-devel-3.11.15-1.amzn2023.0.2.aarch64
python3.11-idle-3.11.15-1.amzn2023.0.2.aarch64
python3.11-debugsource-3.11.15-1.amzn2023.0.2.aarch64
python3.11-debug-3.11.15-1.amzn2023.0.2.aarch64
python3.11-debuginfo-3.11.15-1.amzn2023.0.2.aarch64
python3.11-libs-3.11.15-1.amzn2023.0.2.aarch64
python3.11-test-3.11.15-1.amzn2023.0.2.aarch64
src:
python3.11-3.11.15-1.amzn2023.0.2.src
x86_64:
python3.11-debugsource-3.11.15-1.amzn2023.0.2.x86_64
python3.11-3.11.15-1.amzn2023.0.2.x86_64
python3.11-tkinter-3.11.15-1.amzn2023.0.2.x86_64
python3.11-devel-3.11.15-1.amzn2023.0.2.x86_64
python3.11-idle-3.11.15-1.amzn2023.0.2.x86_64
python3.11-debug-3.11.15-1.amzn2023.0.2.x86_64
python3.11-debuginfo-3.11.15-1.amzn2023.0.2.x86_64
python3.11-libs-3.11.15-1.amzn2023.0.2.x86_64
python3.11-test-3.11.15-1.amzn2023.0.2.x86_64