Debian alert DLA-4348-1 (python-pip)
| From: | Daniel Leidert <dleidert@debian.org> |
| To: | debian-lts-announce@lists.debian.org |
| Subject: | [SECURITY] [DLA 4348-1] python-pip security update |
| Date: | Sun, 26 Oct 2025 05:08:23 +0100 |
| Message-ID: | <585743be46dd70557465a2b60904ea3e5dad7b70.camel@debian.org> |
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4348-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Daniel Leidert
October 26, 2025                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : python-pip
Version        : 20.3.4-4+deb11u2
CVE ID         : CVE-2023-5752 CVE-2025-8869
Debian Bug     : 1116336

Multiple vulnerabilities have been found in python-pip, the Python package installer.

CVE-2023-5752

    When installing a package from a Mercurial VCS URL, arbitrary configuration options could be injected into the "hg clone" call.

CVE-2025-8869

    Pip's tar extraction doesn't check that symbolic links point inside the extraction directory.

For Debian 11 bullseye, these problems have been fixed in version 20.3.4-4+deb11u2.

We recommend that you upgrade your python-pip packages.

For the detailed security status of python-pip please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/python-pip

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at:
https://wiki.debian.org/LTS
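The check that CVE-2025-8869 describes as missing, shown as an added example (not pip's or Debian's code): before extracting, every member's own path, symlink target and hardlink target is normalised against the destination and anything that lands outside is reported. The archive it inspects is constructed in memory for the demonstration; `build_sample_archive`, `unsafe_members`, `safe_extract` and `demo` are names chosen here, and `/tmp/pip-unpack` is only an assumed destination string (nothing is written to disk).

```python
import io
import os
import tarfile


def _within(base, path):
    """True if the normalised absolute path stays under base."""
    base, path = os.path.abspath(base), os.path.abspath(path)
    return os.path.commonpath([base, path]) == base


def unsafe_members(tar, dest):
    """Return names of members whose path or link target would escape dest."""
    dest = os.path.abspath(dest)
    bad = []
    for m in tar.getmembers():
        path = os.path.join(dest, m.name)
        target = None
        if m.issym():
            # A symlink target resolves relative to the link's own directory,
            # so "pkg/escape -> ../../etc/passwd" is checked as dest/pkg/../../etc/passwd.
            target = m.linkname if os.path.isabs(m.linkname) \
                else os.path.join(os.path.dirname(path), m.linkname)
        elif m.islnk():
            target = os.path.join(dest, m.linkname)  # hardlinks are relative to the archive root
        if not _within(dest, path) or (target is not None and not _within(dest, target)):
            bad.append(m.name)
    return bad


def safe_extract(tar, dest):
    """Refuse the whole archive if any member escapes; otherwise extract."""
    bad = unsafe_members(tar, dest)
    if bad:
        raise ValueError("refusing to extract, members escape %s: %s" % (dest, bad))
    tar.extractall(dest)


def build_sample_archive():
    """Constructed sample: one benign file and link, one escaping symlink, one traversal path."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = b"hello\n"
        readme = tarfile.TarInfo("pkg/README"); readme.size = len(data)
        tar.addfile(readme, io.BytesIO(data))
        ok = tarfile.TarInfo("pkg/ok"); ok.type = tarfile.SYMTYPE; ok.linkname = "README"
        tar.addfile(ok)
        esc = tarfile.TarInfo("pkg/escape"); esc.type = tarfile.SYMTYPE; esc.linkname = "../../etc/passwd"
        tar.addfile(esc)
        tar.addfile(tarfile.TarInfo("../outside.txt"))  # plain path traversal, size 0
    buf.seek(0)
    return buf


def demo(dest="/tmp/pip-unpack"):
    """Inspect the constructed archive against an assumed destination; returns the flagged names."""
    with tarfile.open(fileobj=build_sample_archive()) as tar:
        return unsafe_members(tar, dest)
```

On Python 3.12 and later (and the point releases that backported it), `tar.extractall(dest, filter="data")` applies an equivalent policy in the standard library itself.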
Attachment: signature.asc (type=application/pgp-signature)
