Your message dated Sun, 26 Oct 2025 08:37:33 +0100
with message-id <[email protected]>
and subject line Re: Accepted python-pip 25.3+dfsg-1 (source) into unstable
has caused the Debian Bug report #1116336,
regarding python-pip: CVE-2025-8869
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1116336: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1116336
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-pip
Version: 25.2+dfsg-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/pypa/pip/pull/13550
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for python-pip.
CVE-2025-8869[0]:
| When extracting a tar archive pip may not check symbolic links point
| into the extraction directory if the tarfile module doesn't
| implement PEP 706. Note that upgrading pip to a "fixed" version for
| this vulnerability doesn't fix all known vulnerabilities that are
| remediated by using a Python version that implements PEP 706. Note
| that this is a vulnerability in pip's fallback implementation of tar
| extraction for Python versions that don't implement PEP 706 and
| therefore are not secure to all vulnerabilities in the Python
| 'tarfile' module. If you're using a Python version that implements
| PEP 706 then pip doesn't use the "vulnerable" fallback code.
| Mitigations include upgrading to a version of pip that includes the
| fix, upgrading to a Python version that implements PEP 706 (Python
| >=3.9.17, >=3.10.12, >=3.11.4, or >=3.12), applying the linked
| patch, or inspecting source distributions (sdists) before
| installation as is already a best-practice.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-8869
https://www.cve.org/CVERecord?id=CVE-2025-8869
[1] https://github.com/pypa/pip/pull/13550
[2] https://github.com/pypa/pip/commit/f2b92314da012b9fffa36b3f3e67748a37ef464a
[3] https://mail.python.org/archives/list/[email protected]/thread/IF5A3GCJY3VH7BVHJKOWOJFKTW7VFQEN/
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
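The CVE text quoted above describes the missing check (a symlink inside a tar archive whose target resolves outside the extraction directory) and the fix (PEP 706's tarfile extraction filters). As an added example, not code from the bug report, from pip or from Debian, here is a small Python checker that uses the PEP 706 `data` filter when the running interpreter has it and otherwise performs the equivalent path and link-target validation itself before extracting. The sample archive, the `pkg/` layout and all function names are constructed for this demonstration, and it assumes a POSIX host with a writable temporary directory.

```python
import io
import os
import shutil
import tarfile
import tempfile

# Raised by PEP 706 filters; on older interpreters fall back to ValueError
# so the except clause below stays valid either way.
_FILTER_ERROR = getattr(tarfile, "FilterError", ValueError)


def has_pep706_filter():
    """True when this interpreter's tarfile implements PEP 706 (data_filter)."""
    return hasattr(tarfile, "data_filter")


def build_sample_tar(link_target):
    """Constructed sample archive: one regular file plus one symlink.

    The symlink's target is the parameter, so the same builder produces a
    benign archive and one whose link escapes the extraction directory.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = b"print('hello')\n"
        info = tarfile.TarInfo("pkg/setup.py")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("pkg/link")
        link.type = tarfile.SYMTYPE
        link.linkname = link_target
        tar.addfile(link)
    return buf.getvalue()


def _inside(dest, relpath):
    """True if dest/relpath, after resolving '..' and symlinks, stays under dest."""
    dest = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest, relpath))
    return target == dest or target.startswith(dest + os.sep)


def find_unsafe_members(tar_bytes, dest="/tmp/extract"):
    """Names of members that would write or link outside `dest`.

    This is the check the CVE text says pip's fallback extractor lacked:
    besides the member path itself, a symlink's target (relative to the
    link's own directory) and a hardlink's target (relative to the archive
    root) must resolve inside the extraction directory.
    """
    unsafe = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            name = member.name
            if os.path.isabs(name) or not _inside(dest, name):
                unsafe.append(name)
                continue
            if member.issym() or member.islnk():
                if member.issym():
                    target = os.path.join(os.path.dirname(name), member.linkname)
                else:
                    target = member.linkname
                if os.path.isabs(member.linkname) or not _inside(dest, target):
                    unsafe.append(name)
    return unsafe


def safe_extract(tar_bytes, dest):
    """Extract with the PEP 706 'data' filter when available, else pre-check."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        if has_pep706_filter():
            tar.extractall(dest, filter="data")
        else:
            bad = find_unsafe_members(tar_bytes, dest)
            if bad:
                raise ValueError("refusing to extract unsafe members: %r" % bad)
            tar.extractall(dest)


def try_extract(tar_bytes):
    """Extract into a fresh temp dir; return (ok, detail) and clean up."""
    dest = tempfile.mkdtemp(prefix="sdist-check-")
    try:
        safe_extract(tar_bytes, dest)
        return True, sorted(os.listdir(os.path.join(dest, "pkg")))
    except (ValueError, _FILTER_ERROR) as exc:
        return False, type(exc).__name__
    finally:
        shutil.rmtree(dest, ignore_errors=True)


if __name__ == "__main__":
    print("PEP 706 filter available:", has_pep706_filter())
    print("escaping link:", find_unsafe_members(build_sample_tar("../../etc/passwd")))
    print("benign link:", find_unsafe_members(build_sample_tar("setup.py")))
    print(try_extract(build_sample_tar("../../etc/passwd")))
```

`find_unsafe_members` is the part worth reusing when inspecting an sdist before installation, as the CVE text recommends: it lists offending member names without writing anything to disk, while `safe_extract` shows why upgrading the interpreter is the simpler fix, since with PEP 706 present the whole check collapses to `filter="data"`.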
--- Begin Message ---
Source: python-pip
Source-Version: 25.3+dfsg-1
On Sat, Oct 25, 2025 at 09:40:55PM +0000, Debian FTP Masters wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Format: 1.8
> Date: Sat, 25 Oct 2025 19:01:31 +0200
> Source: python-pip
> Architecture: source
> Version: 25.3+dfsg-1
> Distribution: unstable
> Urgency: medium
> Maintainer: Debian Python Team <[email protected]>
> Changed-By: Stefano Rivera <[email protected]>
> Changes:
> python-pip (25.3+dfsg-1) unstable; urgency=medium
> .
> * New upstream release.
> * Refresh patches.
> * Now builds with flit.
> Checksums-Sha1:
> c33be091c348c8df5c8407ce9e9b0ed3eb3b9df8 1844 python-pip_25.3+dfsg-1.dsc
> eb897eef46bc4289572b89f09f5e40eb9245762f 1096320 python-pip_25.3+dfsg.orig.tar.xz
> b06975d6a49ffbe14bcdae267b3ea05bd838f393 21876 python-pip_25.3+dfsg-1.debian.tar.xz
> d08776113c9477ecdf50d4da2102ea355ff23b8d 8635 python-pip_25.3+dfsg-1_source.buildinfo
> Checksums-Sha256:
> f85d9a0bac4d2604aea37ad7f5872632c6a03913ba860817e1774f888eee8782 1844 python-pip_25.3+dfsg-1.dsc
> fb976e77e57f1d966a33cd3adb4194501e988b305c8172d6043376527eaeec05 1096320 python-pip_25.3+dfsg.orig.tar.xz
> 66b6432293ee965f07e98e19f762d2d3bc38861d510cfa2963a1b3b329c7f810 21876 python-pip_25.3+dfsg-1.debian.tar.xz
> d7bdeb939733766e02b79fb5c05bcae95bc5663439ec1477b2086e1200fbca84 8635 python-pip_25.3+dfsg-1_source.buildinfo
> Files:
> d9a43a88309fff60d713954743705f8b 1844 python optional python-pip_25.3+dfsg-1.dsc
> c2aec19e43f233feea34ff8348108392 1096320 python optional python-pip_25.3+dfsg.orig.tar.xz
> f85760a3a98798c8e816ede9c2409fe8 21876 python optional python-pip_25.3+dfsg-1.debian.tar.xz
> 2a15d44c5e1c134e4d343bc388f03d7c 8635 python optional python-pip_25.3+dfsg-1_source.buildinfo
>
> -----BEGIN PGP SIGNATURE-----
>
> iIoEARYKADIWIQTumtb5BSD6EfafSCRHew2wJjpU2AUCaP093BQcc3RlZmFub3JA
> ZGViaWFuLm9yZwAKCRBHew2wJjpU2KTEAQCfdYpoH9j+FMhGmrymdY8kvxRuw0db
> d+ku0Zu4yNBFeQD9FxyDa03L2uJsQc9hp91MJ9D8Lt19LCeWcrJ9PYYWzwc=
> =vs70
> -----END PGP SIGNATURE-----
>
--- End Message ---