Format: 1.8
Date: Sun, 26 Oct 2025 03:26:06 +0100
Source: python-pip
Architecture: source
Version: 20.3.4-4+deb11u2
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Daniel Leidert <dleidert@debian.org>
Closes: 1116336
Changes:
 python-pip (20.3.4-4+deb11u2) bullseye-security; urgency=medium
 .
   * Non-maintainer upload by the Debian LTS team.
   * d/patches/CVE-2025-8869.patch: Add patch to fix CVE-2025-8869.
     - Pip's tar extraction doesn't check symbolic links point to extraction directory (closes: #1116336).
   * d/patches/CVE-2023-5752.patch: Add patch to fix CVE-2023-5752.
     - When installing a package from a Mercurial VCS URL, arbitrary configuration options could be injected to the "hg clone" call.