There is a MEDIUM severity vulnerability affecting pip. pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as installing "incorrect" files according to the filename of the archive. New behavior only proceeds with installation if the file identifies uniquely as a ZIP or tar archive, not as both.
Please see the linked CVE ID for the latest information on affected versions: * https://www.cve.org/CVERecord?id=CVE-2026-3219 * https://github.com/pypa/pip/pull/13870
_______________________________________________ Security-announce mailing list -- [email protected] To unsubscribe send an email to [email protected] https://mail.python.org/mailman3//lists/security-announce.python.org Member address: [email protected]
