-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Sun, 26 Oct 2025 03:26:06 +0100 Source: python-pip Architecture: source Version: 20.3.4-4+deb11u2 Distribution: bullseye-security Urgency: medium Maintainer: Debian Python Team <[email protected]> Changed-By: Daniel Leidert <[email protected]> Closes: 1116336 Changes: python-pip (20.3.4-4+deb11u2) bullseye-security; urgency=medium . * Non-maintainer upload by the Debian LTS team. * d/patches/CVE-2025-8869.patch: Add patch to fix CVE-2025-8869. - Pip's tar extraction doesn't check symbolic links point to extraction directory (closes: #1116336). * d/patches/CVE-2023-5752.patch: Add patch to fix CVE-2023-5752. - When installing a package from a Mercurial VCS URL, arbitrary configuration options could be injected to the "hg clone" call. Checksums-Sha1: ba4a1a635cc8f55996f20faf25ce8c284250b7c7 3015 python-pip_20.3.4-4+deb11u2.dsc 6b9b6f5e507773c592606f304ff8727c86cc7290 1530646 python-pip_20.3.4.orig.tar.gz 0dd16adc39838a5b1093b4f7aecb5ae81ee41e02 23836 python-pip_20.3.4-4+deb11u2.debian.tar.xz 542bff235d06f7cd7432ace53c4da9140b5fa0b3 9077 python-pip_20.3.4-4+deb11u2_amd64.buildinfo Checksums-Sha256: 19244a84763720fa5edfe5709e3a830a82e627e55c2d0df0decdb70d8c6bea88 3015 python-pip_20.3.4-4+deb11u2.dsc 6773934e5f5fc3eaa8c5a44949b5b924fc122daa0a8aa9f80c835b4ca2a543fc 1530646 python-pip_20.3.4.orig.tar.gz 2387d07a20b362d9cd2a2b5ea676f5a2abfac43ce05e7ef777a6f5dc051693cc 23836 python-pip_20.3.4-4+deb11u2.debian.tar.xz c5cc5e18ce812e35979dbfce4991099499f9d0e57981315ef765a62296ca4e12 9077 python-pip_20.3.4-4+deb11u2_amd64.buildinfo Files: 43139a7e541ffdc5c5eabb9fd06f5d78 3015 python optional python-pip_20.3.4-4+deb11u2.dsc 577a375b66ec109e0ac6a4c4aa99bbd0 1530646 python optional python-pip_20.3.4.orig.tar.gz cd959be8eda56652a6ac0f3c9646c2b7 23836 python optional python-pip_20.3.4-4+deb11u2.debian.tar.xz b93fe138b0e40c38ade1a89bb90a650f 9077 python optional python-pip_20.3.4-4+deb11u2_amd64.buildinfo
-----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEvu1N7VVEpMA+KD3HS80FZ8KW0F0FAmj9h5sACgkQS80FZ8KW 0F1EbRAA0LXtxo6Enf7kr4639HFaYP/jEg/ifOCegnr2sVr+73j8L2Mn6u+Qkn86 MUhV1rEy97DisEzoRcL4Uk3VfFqxsEaenD7cghVlA71kk7df+z5uD/dVoC4nAmIL HZm7JUQjCohPJjbK7HSfj0vl2T3WxsMI8ppieCMcBCe4v8EscwYSluKtOOhnjUfj OsPA+1EqrcyceOVscwi4dm+v96YYJb12OGYBBkDhZ9/V90CMgUxQS2HcLGGLEcNG ZDrGyHpzNwr5OoIoJS97C8ocnM4qPfGpryryrsL6ADazzh8GNbcIOwQbuH+I4A8i IHDsien3cKo5HSSUFCIumY7vA7cCwkShgIj6rXq9NRMBdqV/ifnI2eT3LK8LpYL+ JHlpn8R2KJEmQsOQVcAZaUPNvkoJjA6QXPmC2urn9EwpIPNBbjW027RviC1oVpvb HY1o0LvM2vvFNDLv1egz3PxOkpwxYGUifq37mDoh1511aZWpj7wL88xPIYAqffih iiYAI6DU6v+FjZuG3y04Cd8wf5hiFdeRlVNbPJObkjE2NaSqbsLbVxAG2ro+ts0f QIFrcuRPaU5bb41ubESXuk7VSGsEBBwOOY/kzccsloTGBDQw9HueRLu5dB7/8qlz I5Ixmmta8ni2ECCI8MUJUGvO0yvdZzJvhDsJnkr3xcDb6hI2Dyg= =HpAL -----END PGP SIGNATURE-----
pgprGLlf0l5_T.pgp
Description: PGP signature
