Ubuntu alert USN-8344-2 (python-pip)
From: noreply+usn-bot--- via ubuntu-security-announce <ubuntu-security-announce@lists.ubuntu.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-8344-2] pip regression
Date: Fri, 29 May 2026 22:07:10 +0000
Message-ID: <E1wT5ME-0006KM-4W@lists.ubuntu.com>
Cc: noreply+usn-bot@canonical.com
==========================================================================
Ubuntu Security Notice USN-8344-2
May 29, 2026

python-pip regression
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 26.04 LTS
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

USN-8344-1 introduced a regression in pip.

Software Description:
- python-pip: Python package installer

Details:

USN-8344-1 fixed vulnerabilities in pip. On Ubuntu 22.04 LTS, Ubuntu 24.04
LTS, and Ubuntu 26.04 LTS the patches for CVE-2025-66471 caused a regression
when using pip. The patches for CVE-2025-66471 have been temporarily reverted
pending investigation.

We apologize for the inconvenience.

Original advisory details:

 It was discovered that pip incorrectly handled TLS certificate verification
 in session connections. If a session was first used with certificate
 verification disabled, subsequent requests to the same host would also skip
 verification regardless of the session's current settings. A remote attacker
 could possibly use this issue to perform a machine-in-the-middle attack and
 expose sensitive information. (CVE-2024-35195)

 It was discovered that pip's bundled urllib3 library did not limit the
 number of decompression steps when processing HTTP responses. A remote
 attacker could possibly use this issue to cause pip to consume excessive
 resources, leading to a denial of service. (CVE-2025-66418)

 It was discovered that pip's bundled urllib3 library improperly handled
 streaming decompression of highly compressed data. A remote attacker could
 possibly use this issue to cause pip to consume excessive resources, leading
 to a denial of service. (CVE-2025-66471)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 26.04 LTS
  python3-pip                     25.1.1+dfsg-1ubuntu2+esm2
                                  Available with Ubuntu Pro
  python3-pip-whl                 25.1.1+dfsg-1ubuntu2+esm2
                                  Available with Ubuntu Pro

Ubuntu 24.04 LTS
  python3-pip                     24.0+dfsg-1ubuntu1.3+esm2
                                  Available with Ubuntu Pro
  python3-pip-whl                 24.0+dfsg-1ubuntu1.3+esm2
                                  Available with Ubuntu Pro

Ubuntu 22.04 LTS
  python3-pip                     22.0.2+dfsg-1ubuntu0.7+esm2
                                  Available with Ubuntu Pro
  python3-pip-whl                 22.0.2+dfsg-1ubuntu0.7+esm2
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-8344-2
  https://ubuntu.com/security/notices/USN-8344-1
  https://launchpad.net/bugs/2154576
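The two urllib3 issues quoted above (an unlimited number of chained Content-Encoding decompression steps, CVE-2025-66418, and unbounded expansion of highly compressed streaming data, CVE-2025-66471) are both decompression-resource problems. The following is an added example, not code from pip, urllib3 or the notice: a bounded decoder for a compressed HTTP body that caps the number of encoding layers and checks the expansion ratio while the stream is being consumed, together with constructed sample responses of both attack shapes. The limits (3 steps, 100:1 after 256 KiB of output) and all names are this example's own; urllib3's actual fix and its parameters are not restated here.

```python
"""Bounded decoding of a compressed HTTP body (added example, not urllib3 code).

Models the two weaknesses named in USN-8344-1: an unlimited number of chained
Content-Encoding decompression steps, and unbounded expansion of highly
compressed streaming data. Limits and sample responses are constructed.
"""
import gzip
import zlib

MAX_DECODE_STEPS = 3                         # constructed cap on chained encodings
MAX_RATIO = 100                              # constructed cap: output bytes per input byte
MIN_OUTPUT_BEFORE_RATIO_CHECK = 256 * 1024   # let small bodies expand freely
CHUNK_OUT = 64 * 1024                        # max decompressed bytes per inner step
CHUNK_IN = 512                               # compressed bytes fed per outer step


class DecompressionBomb(Exception):
    """Raised when a response exceeds one of the decoding limits."""


def _decoder_for(encoding):
    enc = encoding.strip().lower()
    if enc == "gzip":
        return zlib.decompressobj(16 + zlib.MAX_WBITS)   # gzip header + deflate
    if enc == "deflate":
        return zlib.decompressobj()
    raise ValueError(f"unsupported Content-Encoding: {enc!r}")


def _check_ratio(out_len, in_len):
    if out_len > MIN_OUTPUT_BEFORE_RATIO_CHECK and out_len > MAX_RATIO * in_len:
        raise DecompressionBomb(
            f"ratio limit {MAX_RATIO}:1 exceeded ({out_len} bytes from {in_len})")


def decode_one_layer(data, encoding):
    """Decompress one layer without materialising the whole output first:
    input goes in CHUNK_IN pieces, output comes out in CHUNK_OUT pieces, and
    the expansion ratio is checked after every output piece."""
    d = _decoder_for(encoding)
    out = bytearray()
    consumed = 0
    for off in range(0, len(data), CHUNK_IN):
        piece = data[off:off + CHUNK_IN]
        consumed += len(piece)
        while True:
            chunk = d.decompress(piece, CHUNK_OUT)   # returns at most CHUNK_OUT bytes
            out.extend(chunk)
            _check_ratio(len(out), consumed)
            piece = d.unconsumed_tail                # input zlib has not reached yet
            if len(chunk) < CHUNK_OUT:               # nothing more from this input
                break
    out.extend(d.flush())
    _check_ratio(len(out), max(consumed, 1))
    return bytes(out)


def decode_body(body, content_encoding):
    """Undo a comma-separated Content-Encoding chain, last-applied layer first."""
    encodings = [e.strip() for e in content_encoding.split(",") if e.strip()]
    if len(encodings) > MAX_DECODE_STEPS:
        raise DecompressionBomb(
            f"{len(encodings)} chained encodings exceed limit {MAX_DECODE_STEPS}")
    data = body
    for enc in reversed(encodings):   # the server applied them left to right
        data = decode_one_layer(data, enc)
    return data


def check_response(body, content_encoding):
    """Return ("ok", decoded_bytes) or ("rejected", reason)."""
    try:
        return "ok", decode_body(body, content_encoding)
    except DecompressionBomb as exc:
        return "rejected", str(exc)


def make_chained(payload, layers):
    """Constructed server response: payload gzip-compressed `layers` times."""
    data = payload
    for _ in range(layers):
        data = gzip.compress(data)
    return data, ", ".join(["gzip"] * layers)


# Constructed sample responses.
PLAIN_JSON = b'{"info": {"name": "example", "version": "1.0"}}'
SAMPLE_OK = make_chained(PLAIN_JSON, 1)
SAMPLE_TOO_MANY_STEPS = make_chained(b"x", 10)                # many-step shape
SAMPLE_BOMB = make_chained(b"\0" * (10 * 1024 * 1024), 1)     # ~10 KiB -> 10 MiB

if __name__ == "__main__":
    for name, sample in [("ok", SAMPLE_OK), ("steps", SAMPLE_TOO_MANY_STEPS),
                         ("bomb", SAMPLE_BOMB)]:
        status, detail = check_response(*sample)
        print(name, len(sample[0]), "compressed bytes ->", status,
              len(detail) if status == "ok" else detail)
```

The ratio check is deliberately deferred until a minimum amount of output has been produced: a small body can legitimately expand far more than 100:1, and a limit that rejects it would itself be a regression of the kind this notice reports, which is why such limits need to be tunable per client rather than fixed.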
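The first quoted issue (CVE-2024-35195) is a state-caching bug rather than a protocol flaw: a TLS setting chosen for one request is baked into a pooled connection and then silently reused. The following is an added example, not pip's or requests' code: a simplified model of a session connection pool in that shape, with the "vulnerable" pool keyed on host only and the hardened pool keying on the verification setting as well. The upstream fix in requests likewise makes the TLS settings part of how pooled connections are looked up, but the classes, function names and host name here are this example's own.

```python
"""Model of how a session-level verify=False can leak into later requests.

Added example, not pip's or requests' code. A PooledConnection's SSLContext is
configured once, when the connection is created; whether a later request with
verify=True gets that connection back depends only on the pool key.
"""
import ssl

EXAMPLE_HOST = "index.example.org"   # constructed host name


class PooledConnection:
    """A kept-alive connection whose TLS settings are fixed at creation."""

    def __init__(self, host, verify):
        self.host = host
        self.context = ssl.create_default_context()
        if not verify:
            # This is what verify=False means at the socket layer.
            self.context.check_hostname = False
            self.context.verify_mode = ssl.CERT_NONE

    def verifies(self):
        return (self.context.verify_mode == ssl.CERT_REQUIRED
                and self.context.check_hostname)


class Session:
    """Reuses connections per key; key_includes_verify selects the pool policy."""

    def __init__(self, key_includes_verify):
        self._pool = {}
        self._key_includes_verify = key_includes_verify

    def _pool_key(self, host, verify):
        # Vulnerable policy: host only. Hardened policy: host plus TLS setting.
        return (host, verify) if self._key_includes_verify else (host,)

    def connection_for(self, host, verify=True):
        key = self._pool_key(host, verify)
        conn = self._pool.get(key)
        if conn is None:
            conn = PooledConnection(host, verify)
            self._pool[key] = conn
        return conn


def second_request_verifies(key_includes_verify):
    """First request to a host with verify=False, second with the default
    verify=True. Returns whether the second request's connection verifies."""
    s = Session(key_includes_verify)
    s.connection_for(EXAMPLE_HOST, verify=False)
    return s.connection_for(EXAMPLE_HOST, verify=True).verifies()


if __name__ == "__main__":
    print("host-only pool key, second request verifies:",
          second_request_verifies(False))
    print("key includes verify, second request verifies:",
          second_request_verifies(True))
```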
