-------------------------------------------------------------------------
Debian LTS Advisory DLA-4348-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Daniel Leidert
October 26, 2025                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : python-pip
Version        : 20.3.4-4+deb11u2
CVE ID         : CVE-2023-5752 CVE-2025-8869
Debian Bug     : 1116336

Multiple vulnerabilities have been found in python-pip, the Python
package installer.

CVE-2023-5752

    When installing a package from a Mercurial VCS URL, the revision
    component of that URL could be used to inject arbitrary
    configuration options into the "hg clone" call.

CVE-2025-8869

    pip's tar extraction did not check that symbolic links in an
    archive point into the extraction directory.

For Debian 11 bullseye, these problems have been fixed in version
20.3.4-4+deb11u2.

We recommend that you upgrade your python-pip packages.

For the detailed security status of python-pip please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-pip

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
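The defect class behind CVE-2023-5752 is argument injection: a string taken from the requirement URL is handed to a child process in an argv slot where the program's option parser will read a leading "-" as an option. The following is an added example, not pip's code and not the patched Debian package; it assumes a pip-style requirement of the form hg+URL[@REV][#egg=NAME] and Mercurial's documented `--rev=REV` option syntax. It shows the hazardous shape (the revision as a bare argv element) beside the hardened one (the revision bound to its option in a single element, and rejected outright if it looks like an option):

```python
"""Option-injection-safe argv construction for an hg clone (added example).

Illustrative code, not pip's implementation. Assumes the requirement
format hg+<url>[@<rev>][#egg=<name>] and hg's `--rev=REV` option form.
"""
from urllib.parse import urlsplit, urlunsplit


class UnsafeRevision(ValueError):
    """The revision string would be parsed by hg as an option, not a revision."""


def split_vcs_url(requirement):
    """Split 'hg+https://host/repo@rev#egg=name' into (clone_url, rev_or_None).

    The '@' is searched for in the path only, so a userinfo '@' in the
    authority ('user@host') is never mistaken for the revision separator.
    """
    scheme, sep, rest = requirement.partition("+")
    if not sep or scheme != "hg":
        raise ValueError("not a Mercurial requirement: %r" % requirement)
    parts = urlsplit(rest)
    path, at, rev = parts.path.rpartition("@")
    if not at or not rev:
        path, rev = parts.path, None
    clone_url = urlunsplit((parts.scheme, parts.netloc, path, parts.query, ""))
    return clone_url, rev


def is_safe_revision(rev):
    """A revision must be non-empty and must not start with '-'."""
    return bool(rev) and not rev.startswith("-")


def naive_rev_args(rev):
    """Hazardous shape: the revision as a bare argv element.

    hg's parser treats any '-'-prefixed element as an option wherever it
    appears, so a revision such as '--config=section.key=value' is honoured
    as configuration instead of being looked up as a changeset.
    """
    return [rev]


def safe_rev_args(rev):
    """Hardened shape: refuse option-looking values, then bind the value to
    its option in one argv element so it can never be re-parsed as a flag."""
    if not is_safe_revision(rev):
        raise UnsafeRevision(rev)
    return ["--rev=" + rev]


def hg_clone_argv(clone_url, rev, dest):
    """Build the argv for cloning `clone_url` at `rev` into `dest`."""
    argv = ["hg", "clone", "--noupdate", "--quiet"]
    if rev is not None:
        argv += safe_rev_args(rev)
    # '--' ends option parsing: URL and destination are positional only.
    argv += ["--", clone_url, dest]
    return argv


def plan_clone(requirement, dest):
    """Requirement string -> argv, raising UnsafeRevision on injection attempts."""
    clone_url, rev = split_vcs_url(requirement)
    return hg_clone_argv(clone_url, rev, dest)


if __name__ == "__main__":
    # Constructed inputs; the host name is a placeholder.
    print(plan_clone("hg+https://hg.example.org/repo@v1.2#egg=pkg", "/tmp/src"))
    try:
        plan_clone("hg+https://hg.example.org/repo@--config=a.b=c#egg=pkg", "/tmp/src")
    except UnsafeRevision as exc:
        print("refused revision:", exc)
```

Rejecting a leading "-" is deliberately the only content check: Mercurial revisions may be hashes, tags, bookmarks or branch names, so a stricter allow-list would break legitimate installs, while the `--rev=` binding alone already removes the ambiguity the parser would otherwise resolve in the attacker's favour.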
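For CVE-2025-8869 the missing check is on symbolic link targets during tar extraction. The following is an added example, not pip's code and not the Debian fix; it implements the member validation an extractor needs before writing anything (symlink targets, and the closely related hard-link targets, ".." paths and paths that run through an earlier symlink), runs it over a constructed archive containing each kind of bad member, and where the interpreter provides PEP 706 extraction filters also passes `filter="data"` so the standard library enforces the same rules:

```python
"""Symlink- and traversal-safe tar extraction (added example).

Illustrative code, not pip's implementation. The sample archive built
below is constructed for the demonstration.
"""
import io
import os
import posixpath
import shutil
import tarfile
import tempfile


def _escapes(norm_path):
    """True if a normalized POSIX path leaves the extraction root."""
    return posixpath.isabs(norm_path) or norm_path == ".." or norm_path.startswith("../")


def unsafe_reason(member, seen_symlinks):
    """Return why `member` must not be extracted, or None if it is acceptable.

    `seen_symlinks` holds the normalized names of every symlink seen so far,
    accepted or not; a later member whose path runs through one of them is
    refused, because extraction would follow the link out of the tree.
    """
    name = posixpath.normpath(member.name)
    if _escapes(name):
        return "path escapes extraction directory"
    parts = name.split("/")
    if any("/".join(parts[:i]) in seen_symlinks for i in range(1, len(parts))):
        return "path traverses a symlink"
    if member.issym():
        seen_symlinks.add(name)
        # A symlink target is resolved relative to the link's own directory.
        target = posixpath.normpath(posixpath.join(posixpath.dirname(name), member.linkname))
        if _escapes(target):
            return "symlink target escapes extraction directory"
    elif member.islnk():
        # A hard-link target is an archive-relative path.
        if _escapes(posixpath.normpath(member.linkname)):
            return "hardlink target escapes extraction directory"
    return None


def safe_extractall(fileobj, dest):
    """Extract acceptable members of the tar stream into `dest`.

    Returns a list of (member name, reason) for every member refused.
    """
    rejected = []
    seen_symlinks = set()
    # PEP 706 filters exist on 3.12+ and on patched 3.8-3.11 releases.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(fileobj=fileobj, mode="r") as tar:
        for member in tar.getmembers():
            reason = unsafe_reason(member, seen_symlinks)
            if reason is not None:
                rejected.append((member.name, reason))
                continue
            tar.extract(member, dest, **kwargs)
    return rejected


def build_sample_archive():
    """Constructed archive: one good file, one good link, four bad members."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name, data):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

        def add_link(name, target, kind):
            info = tarfile.TarInfo(name)
            info.type = kind
            info.linkname = target
            tar.addfile(info)

        add_file("pkg/setup.py", b"print('hi')\n")
        add_link("pkg/escape", "../../outside", tarfile.SYMTYPE)   # points above dest
        add_file("pkg/escape/payload", b"pwned\n")                 # would write through it
        add_link("pkg/ok_link", "setup.py", tarfile.SYMTYPE)        # stays inside
        add_link("pkg/hard", "../../outside/x", tarfile.LNKTYPE)    # hard link above dest
        add_file("../evil", b"evil\n")                              # plain traversal
    buf.seek(0)
    return buf


def demo():
    """Extract the sample into a fresh temp dir; return (rejected, created paths)."""
    dest = tempfile.mkdtemp(prefix="safe-extract-")
    try:
        rejected = safe_extractall(build_sample_archive(), dest)
        created = sorted(
            os.path.relpath(os.path.join(root, f), dest)
            for root, _dirs, files in os.walk(dest)
            for f in files
        )
    finally:
        shutil.rmtree(dest)
    return rejected, created


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Note that the check on "pkg/escape/payload" only works because the rejected symlink was still recorded in `seen_symlinks`; an extractor that validates each member in isolation lets a benign-looking regular file be written through a link created (or left behind) earlier. Normalizing with `posixpath` rather than `os.path` matters on Windows, where archive paths are POSIX regardless of the host.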