Your message dated Wed, 04 Feb 2026 01:19:20 +0000
with message-id <[email protected]>
and subject line Bug#1126875: fixed in python-pip 26.0+dfsg-1
has caused the Debian Bug report #1126875,
regarding python-pip: CVE-2026-1703
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1126875: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126875
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-pip
Version: 25.3+dfsg-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/pypa/pip/pull/13777
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for python-pip.

CVE-2026-1703[0]:
| When pip is installing and extracting a maliciously crafted wheel
| archive, files may be extracted outside the installation directory.
| The path traversal is limited to prefixes of the installation
| directory, thus isn't able to inject or overwrite executable files
| in typical situations.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-1703
    https://www.cve.org/CVERecord?id=CVE-2026-1703
[1] https://github.com/pypa/pip/pull/13777
[2] https://github.com/pypa/pip/commit/4c651b70d60ed91b13663bcda9b3ed41748d0124
[3] https://mail.python.org/archives/list/[email protected]/thread/WIEA34D4TABF2UNQJAOMXKCICSPBE2DJ/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
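Editor's added example (not pip's code and not the fix from the pull request referenced above) of the containment check the CVE description calls for: each zip member name is resolved against the installation directory before anything is written, so an entry such as `../escaped.py`, which would land in a parent of that directory, causes the whole wheel to be refused. The function names, the hypothetical `UnsafeWheelMember` error and the in-memory wheels are all constructed here.

```python
import io
import os
import tempfile
import zipfile

class UnsafeWheelMember(ValueError):
    """A wheel entry would be written outside the installation directory."""

def check_member(dest_dir, name):
    """Return the absolute target for zip member `name`, or raise if it escapes dest_dir."""
    root = os.path.realpath(dest_dir)
    # An absolute name makes os.path.join discard root; realpath collapses any '..'.
    target = os.path.realpath(os.path.join(root, name))
    # commonpath compares whole components, so /usr/lib-evil is not inside /usr/lib.
    if not name or os.path.commonpath([root, target]) != root:
        raise UnsafeWheelMember(f"{name!r} is not inside {root} (resolves to {target})")
    return target

def safe_extract_wheel(wheel_bytes, dest_dir):
    """Extract an in-memory wheel, validating every name before any file is written."""
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        targets = [(i, check_member(dest_dir, i.filename)) for i in zf.infolist()]
        for info, target in targets:
            os.makedirs(target if info.is_dir() else os.path.dirname(target), exist_ok=True)
            if not info.is_dir():
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
    return sorted(i.filename for i, _ in targets if not i.is_dir())

def build_wheel(members):
    """Constructed sample: a minimal wheel-like zip built from a {name: bytes} dict."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

def demo():
    """Extract a clean wheel and a traversal wheel into a temp dir; report what happened."""
    clean = build_wheel({"pkg/__init__.py": b"", "pkg-1.0.dist-info/METADATA": b"Name: pkg\n"})
    evil = build_wheel({"pkg/__init__.py": b"", "../escaped.py": b"# would land in the parent\n"})
    with tempfile.TemporaryDirectory() as prefix:
        dest = os.path.join(prefix, "site-packages")
        out = {"clean": safe_extract_wheel(clean, dest)}
        try:
            out["evil"] = safe_extract_wheel(evil, dest)
        except UnsafeWheelMember:
            out["evil"] = "rejected"
        out["escaped_written"] = os.path.exists(os.path.join(prefix, "escaped.py"))
    return out
```

Validating the whole member list before the first write matters: a check applied entry by entry would already have placed earlier files on disk when the bad name is reached.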
--- Begin Message ---
Source: python-pip
Source-Version: 26.0+dfsg-1
Done: Stefano Rivera <[email protected]>

We believe that the bug you reported is fixed in the latest version of
python-pip, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefano Rivera <[email protected]> (supplier of updated python-pip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 03 Feb 2026 18:32:37 -0400
Source: python-pip
Architecture: source
Version: 26.0+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Stefano Rivera <[email protected]>
Closes: 1126875
Changes:
 python-pip (26.0+dfsg-1) unstable; urgency=medium
 .
   * New upstream release.
     - Fixes CVE-2026-1703, a path-traversal attack when extracting malicious
       wheels. (Closes: #1126875)
   * Refresh patches.
   * Bump copyright years.
   * Bump Standards-Version to 4.7.3, drop Priority: optional.



--- End Message ---
