python-pip - Debian Package Tracker

general

source: python-pip (main)
version: 26.1.2+dfsg-1
maintainer: Debian Python Team (DMD)
uploaders: Stefano Rivera [DMD] – Carl Chenet [DMD]
arch: all
std-ver: 4.7.3
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 20.3.4-4+deb11u1
o-o-sec: 20.3.4-4+deb11u2
oldstable: 23.0.1+dfsg-1
stable: 25.1.1+dfsg-1
testing: 26.1.2+dfsg-1
unstable: 26.1.2+dfsg-1

versioned links

20.3.4-4+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
20.3.4-4+deb11u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
23.0.1+dfsg-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
25.1.1+dfsg-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
26.1.2+dfsg-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

python3-pip (6 bugs: 0, 5, 1, 0)
python3-pip-whl (1 bugs: 0, 0, 1, 0)

action needed

debian/patches: 1 patch with invalid metadata, 1 patch to forward upstream high

Among the 7 debian patches available in version 26.1.2+dfsg-1 of the package, we noticed the following issues:

1 patch with invalid metadata that ought to be fixed.
1 patch where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2026-06-03 10:31

lintian reports 1 error and 41 warnings high

Lintian reports 1 error and 41 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2026-06-03 Last update: 2026-06-03 10:31

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 26.1.2+dfsg-2, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit 035b797d00a5c5e4ea1caed5045be5348786730d
Author: Stefano Rivera <stefanor@debian.org>
Date:   Tue Jun 2 19:40:08 2026 -0400

    Drop python3-pip.lintian-override, no longer needed.

Created: 2026-06-03 Last update: 2026-06-11 10:31

1 open merge request in Salsa normal

There is 1 open merge request for this package on Salsa. You should consider reviewing and/or merging these merge requests.

Created: 2025-12-04 Last update: 2025-12-04 19:32

5 low-priority security issues in trixie low

There are 5 open security issues in trixie.

5 issues left for the package maintainer to handle:

CVE-2025-8869: (needs triaging) When extracting a tar archive pip may not check symbolic links point into the extraction directory if the tarfile module doesn't implement PEP 706. Note that upgrading pip to a "fixed" version for this vulnerability doesn't fix all known vulnerabilities that are remediated by using a Python version that implements PEP 706. Note that this is a vulnerability in pip's fallback implementation of tar extraction for Python versions that don't implement PEP 706 and therefore are not secure to all vulnerabilities in the Python 'tarfile' module. If you're using a Python version that implements PEP 706 then pip doesn't use the "vulnerable" fallback code. Mitigations include upgrading to a version of pip that includes the fix, upgrading to a Python version that implements PEP 706 (Python >=3.9.17, >=3.10.12, >=3.11.4, or >=3.12), applying the linked patch, or inspecting source distributions (sdists) before installation as is already a best-practice.
CVE-2026-1703: (needs triaging) When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situations.
CVE-2026-3219: (needs triaging) pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as installing "incorrect" files according to the filename of the archive. New behavior only proceeds with installation if the file identifies uniquely as a ZIP or tar archive, not as both.
CVE-2026-6357: (needs triaging) pip prior to version 26.1 would run self-update check functionality after installing wheel files which required importing well-known Python modules names. These module imports were intentionally deferred to increase startup time of the pip CLI. The patch changes self-update functionality to run before wheels are installed to prevent newly-installed modules from being imported shortly after the installation of a wheel package. Users should still review package contents prior to installation.
CVE-2026-8643: (needs triaging) pip would treat console_scripts and gui_scripts as paths instead of file names without sanitizing the resolved absolute path to the installation directory, leading to entry points being installed outside the installation directory.

You can find information about how to handle these issues in the security team's documentation.

Created: 2025-09-24 Last update: 2026-06-10 22:00

6 low-priority security issues in bookworm low

There are 6 open security issues in bookworm.

6 issues left for the package maintainer to handle:

CVE-2023-5752: (needs triaging) When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.
CVE-2025-8869: (needs triaging) When extracting a tar archive pip may not check symbolic links point into the extraction directory if the tarfile module doesn't implement PEP 706. Note that upgrading pip to a "fixed" version for this vulnerability doesn't fix all known vulnerabilities that are remediated by using a Python version that implements PEP 706. Note that this is a vulnerability in pip's fallback implementation of tar extraction for Python versions that don't implement PEP 706 and therefore are not secure to all vulnerabilities in the Python 'tarfile' module. If you're using a Python version that implements PEP 706 then pip doesn't use the "vulnerable" fallback code. Mitigations include upgrading to a version of pip that includes the fix, upgrading to a Python version that implements PEP 706 (Python >=3.9.17, >=3.10.12, >=3.11.4, or >=3.12), applying the linked patch, or inspecting source distributions (sdists) before installation as is already a best-practice.
CVE-2026-1703: (needs triaging) When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situations.
CVE-2026-3219: (needs triaging) pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as installing "incorrect" files according to the filename of the archive. New behavior only proceeds with installation if the file identifies uniquely as a ZIP or tar archive, not as both.
CVE-2026-6357: (needs triaging) pip prior to version 26.1 would run self-update check functionality after installing wheel files which required importing well-known Python modules names. These module imports were intentionally deferred to increase startup time of the pip CLI. The patch changes self-update functionality to run before wheels are installed to prevent newly-installed modules from being imported shortly after the installation of a wheel package. Users should still review package contents prior to installation.
CVE-2026-8643: (needs triaging) pip would treat console_scripts and gui_scripts as paths instead of file names without sanitizing the resolved absolute path to the installation directory, leading to entry points being installed outside the installation directory.

You can find information about how to handle these issues in the security team's documentation.

Created: 2023-10-25 Last update: 2026-06-10 22:00

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.4 instead of 4.7.3).

Created: 2026-03-31 Last update: 2026-06-03 04:30

news

[rss feed]

[2026-06-11] python-pip 26.1.2+dfsg-1 MIGRATED to testing (Debian testing watch)
[2026-06-03] Accepted python-pip 26.1.2+dfsg-1 (source) into unstable (Stefano Rivera)
[2026-05-29] python-pip 26.1.1+dfsg-1 MIGRATED to testing (Debian testing watch)
[2026-05-23] Accepted python-pip 26.1.1+dfsg-1 (source) into unstable (Stefano Rivera)
[2026-02-08] python-pip 26.0.1+dfsg-1 MIGRATED to testing (Debian testing watch)
[2026-02-05] Accepted python-pip 26.0.1+dfsg-1 (source) into unstable (Stefano Rivera)
[2026-02-04] Accepted python-pip 26.0+dfsg-1 (source) into unstable (Stefano Rivera)
[2025-12-07] python-pip 25.3+dfsg-1 MIGRATED to testing (Debian testing watch)
[2025-10-26] Accepted python-pip 20.3.4-4+deb11u2 (source) into oldoldstable-security (Daniel Leidert)
[2025-10-25] Accepted python-pip 25.3+dfsg-1 (source) into unstable (Stefano Rivera)
[2025-08-15] python-pip 25.2+dfsg-1 MIGRATED to testing (Debian testing watch)
[2025-08-10] Accepted python-pip 25.2+dfsg-1 (source) into unstable (Stefano Rivera)
[2025-05-11] python-pip 25.1.1+dfsg-1 MIGRATED to testing (Debian testing watch)
[2025-05-02] Accepted python-pip 25.1.1+dfsg-1 (source) into unstable (Stefano Rivera)
[2025-04-26] Accepted python-pip 25.1+dfsg-1 (source) into unstable (Stefano Rivera)
[2025-03-28] python-pip 25.0.1+dfsg-1 MIGRATED to testing (Debian testing watch)
[2025-03-25] Accepted python-pip 25.0.1+dfsg-1 (source) into unstable (Colin Watson)
[2025-01-30] python-pip 25.0+dfsg-1 MIGRATED to testing (Debian testing watch)
[2025-01-26] Accepted python-pip 25.0+dfsg-1 (source) into unstable (Stefano Rivera)
[2024-11-04] python-pip 24.3.1+dfsg-1 MIGRATED to testing (Debian testing watch)
[2024-11-01] Accepted python-pip 24.3.1+dfsg-1 (source) into unstable (Stefano Rivera)
[2024-08-11] python-pip 24.2+dfsg-1 MIGRATED to testing (Debian testing watch)
[2024-08-08] Accepted python-pip 24.2+dfsg-1 (source) into unstable (Stefano Rivera)
[2024-07-02] python-pip 24.1.1+dfsg-1 MIGRATED to testing (Debian testing watch)
[2024-06-29] Accepted python-pip 24.1.1+dfsg-1 (source) into unstable (Stefano Rivera)
[2024-06-27] python-pip 24.1+dfsg-1 MIGRATED to testing (Debian testing watch)
[2024-06-25] Accepted python-pip 24.1+dfsg-1 (source) into unstable (Stefano Rivera)
[2024-03-16] python-pip 24.0+dfsg-2 MIGRATED to testing (Debian testing watch)
[2024-03-06] Accepted python-pip 24.0+dfsg-2 (source) into unstable (Stefano Rivera)
[2024-02-08] python-pip 24.0+dfsg-1 MIGRATED to testing (Debian testing watch)

bugs [bug history graph]

all: 7
RC: 0
I&N: 5
M&W: 2
F&P: 0
patch: 0

links

homepage
lintian (1, 41)
buildd: logs, reproducibility
popcon
browse source code
other distros
security tracker
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 25.1.1+dfsg-1ubuntu2