dd1e3183df
This fixes the following vulnerability:
- CVE-2025-8869:
When extracting a tar archive pip may not check symbolic links point
into the extraction directory if the tarfile module doesn't implement
PEP 706. Note that upgrading pip to a "fixed" version for this
vulnerability doesn't fix all known vulnerabilities that are
remediated by using a Python version that implements PEP 706. Note
that this is a vulnerability in pip's fallback implementation of tar
extraction for Python versions that don't implement PEP 706 and
therefore are not secure to all vulnerabilities in the Python
'tarfile' module. If you're using a Python version that implements PEP
706 then pip doesn't use the "vulnerable" fallback code. Mitigations
include upgrading to a version of pip that includes the fix, upgrading
to a Python version that implements PEP 706 (Python >=3.9.17,
>=3.10.12, >=3.11.4, or >=3.12), applying the linked patch, or
inspecting source distributions (sdists) before installation as is
already a best-practice.
https://www.cve.org/CVERecord?id=CVE-2025-8869
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 78d687d2d2)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
6 lines
317 B
Plaintext
6 lines
317 B
Plaintext
# md5, sha256 from https://pypi.org/pypi/pip/json
|
|
md5 6d109857fa69274dacfc1d6528471eb5 pip-25.2.tar.gz
|
|
sha256 578283f006390f85bb6282dffb876454593d637f5d1be494b5202ce4877e71f2 pip-25.2.tar.gz
|
|
# Locally computed sha256 checksums
|
|
sha256 634300a669d49aeae65b12c6c48c924c51a4cdf3d1ff086dc3456dc8bcaa2104 LICENSE.txt
|