Your message dated Sat, 23 May 2026 23:50:32 +0000
with message-id <[email protected]>
and subject line Bug#1135110: fixed in python-pip 26.1.1+dfsg-1
has caused the Debian Bug report #1135110,
regarding python-pip: CVE-2026-6357
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1135110: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135110
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-pip
Version: 26.0.1+dfsg-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/pypa/pip/pull/13923
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for python-pip.
CVE-2026-6357[0]:
| pip prior to version 26.1 would run self-update check functionality
| after installing wheel files which required importing well-known
| Python modules names. These module imports were intentionally
| deferred to increase startup time of the pip CLI. The patch changes
| self-update functionality to run before wheels are installed to
| prevent newly-installed modules from being imported shortly after
| the installation of a wheel package. Users should still review
| package contents prior to installation.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-6357
https://www.cve.org/CVERecord?id=CVE-2026-6357
[1] https://github.com/pypa/pip/pull/13923
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: python-pip
Source-Version: 26.1.1+dfsg-1
Done: Stefano Rivera <[email protected]>
We believe that the bug you reported is fixed in the latest version of
python-pip, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Stefano Rivera <[email protected]> (supplier of updated python-pip package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 23 May 2026 17:14:10 -0400
Source: python-pip
Architecture: source
Version: 26.1.1+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Stefano Rivera <[email protected]>
Closes: 1134492 1135110
Changes:
python-pip (26.1.1+dfsg-1) unstable; urgency=medium
.
* New upstream release.
* Fixes CVE-2026-3219, potential archive type confusion.
(Closes: #1134492)
* Fixes CVE-2026-6357, potentially importing modules after installing them
(Closes: #1135110)
* Refresh patches.
* Update copyright.
Checksums-Sha1:
4d249d3fc849ad8f728cf7285ca0695d482deb85 1857 python-pip_26.1.1+dfsg-1.dsc
fdcb77f2fb3b7c72a8d61200f0539ec7c31261a3 1120360 python-pip_26.1.1+dfsg.orig.tar.xz
203197a49ba429aa1cef94f4226734fe9d184848 22012 python-pip_26.1.1+dfsg-1.debian.tar.xz
0500632928d14ca0437b8a91979b6b05ea111aa4 6726 python-pip_26.1.1+dfsg-1_source.buildinfo
Checksums-Sha256:
fc0ac4c515ee22c9273fc703b18c227e613feced6eea6b56f46b2cc2053970af 1857 python-pip_26.1.1+dfsg-1.dsc
d31499a6cfaddf63e81b871acbb5791244fe59905f5458c02e2efa437ebfeecc 1120360 python-pip_26.1.1+dfsg.orig.tar.xz
d4fbdbdfa0928156c58eebfab08f457c9626e8005e965581b696e42399a0a900 22012 python-pip_26.1.1+dfsg-1.debian.tar.xz
491a0d84fec7e8b0df44e8a7893ab5b4dffe1f1eb6db09397360462c8a6a1492 6726 python-pip_26.1.1+dfsg-1_source.buildinfo
Files:
216a5c09a6dbf33c5de24158bb17fd6b 1857 python optional python-pip_26.1.1+dfsg-1.dsc
0f360e64c29bbb54c65677bf55fe8fe8 1120360 python optional python-pip_26.1.1+dfsg.orig.tar.xz
bea86ba153917b1e2fb75de03db308f6 22012 python optional python-pip_26.1.1+dfsg-1.debian.tar.xz
452e3d7fe07542e9523630350f7e2468 6726 python optional python-pip_26.1.1+dfsg-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iIoEARYKADIWIQTumtb5BSD6EfafSCRHew2wJjpU2AUCahI44RQcc3RlZmFub3JA
ZGViaWFuLm9yZwAKCRBHew2wJjpU2GGEAP41V0aicYpQ9qZkq0yi0Ep634oMgW/7
JwSxCuJzmiLYdQEAo38cuOlPEjdfqzLlPx/3OkauQ5pwqKA3l+7o86aHlA0=
=ukBP
-----END PGP SIGNATURE-----
--- End Message ---