UbuntuUpdates.org

Package "python3-pip-whl"

Name: python3-pip-whl

Description:

Python package installer (pip wheel)
Latest version: 22.0.2+dfsg-1ubuntu0.7
Release: jammy (22.04)
Level: security
Repository: universe
Head package: python-pip
Homepage: https://pip.pypa.io/en/stable/

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Download "python3-pip-whl"

All arch deb package
APT INSTALL

Other versions of "python3-pip-whl" in Jammy

Repository Area Version
updates universe 22.0.2+dfsg-1ubuntu0.7

Changelog

Version: 22.0.2+dfsg-1ubuntu0.7 2025-09-23 15:07:20 UTC

  python-pip (22.0.2+dfsg-1ubuntu0.7) jammy-security; urgency=medium

  * SECURITY UPDATE: Unintended leak of Proxy-Authorization header
    (LP: #2031880)
    - debian/patches/CVE-2023-32681.patch: don't attach header to redirects
      with an HTTPS destination in requests/sessions.py,
      tests/test_requests.py.
    - CVE-2023-32681
  * SECURITY UPDATE: resource exhaustion
    - debian/patches/CVE-2024-3651.patch: checks input before processing
    - CVE-2024-3651
  * SECURITY UPDATE: Information Leak
    - debian/patches/CVE-2024-47081.patch: Only use hostname to do netrc
      lookup instead of netloc
    - CVE-2024-47081

 -- Hlib Korzhynskyy <email address hidden> Mon, 22 Sep 2025 17:14:33 -0230
Source diff to previous version
2031880 CVE-2023-32681 - python-pip fix is improper
CVE-2023-32681 Requests is a HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an
CVE-2024-3651 potential DoS via resource consumption via specially crafted inputs to idna.encode()
CVE-2024-47081 Requests is a HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific m

Version: 22.0.2+dfsg-1ubuntu0.6 2025-06-26 19:07:18 UTC

  python-pip (22.0.2+dfsg-1ubuntu0.6) jammy-security; urgency=medium

  * SECURITY UPDATE: Information disclosure through improperly disabled
    redirects.
    - debian/patches/CVE-2025-50181.patch: Add "retries" check and set retries
      to Retry.from_int(retries, redirect=False) as well as set
      raise_on_redirect in ./src/pip/_vendor/urllib3/poolmanager.py.
    - CVE-2025-50181

 -- Hlib Korzhynskyy <email address hidden> Thu, 26 Jun 2025 09:37:21 -0230
Source diff to previous version
CVE-2025-50181 urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all requests by instantiating a Po

Version: 22.0.2+dfsg-1ubuntu0.5 2024-10-30 14:06:55 UTC

  python-pip (22.0.2+dfsg-1ubuntu0.5) jammy-security; urgency=medium

  * SECURITY UPDATE: The Proxy-Authorization header is not correctly stripped
    when redirecting to a different host in urllib3.
    - debian/patches/CVE-2024-37891.patch: Add "Proxy-Authorization" to
      DEFAULT_REMOVE_HEADERS_ON_REDIRECT in
      src/pip/vendor/urllib3/util/retry.py.
    - CVE-2024-37891

 -- Hlib Korzhynskyy <email address hidden> Fri, 18 Oct 2024 14:45:13 -0230
Source diff to previous version
CVE-2024-37891 urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header i

Version: 22.0.2+dfsg-1ubuntu0.4 2023-11-15 16:10:11 UTC

  python-pip (22.0.2+dfsg-1ubuntu0.4) jammy-security; urgency=medium

  * SECURITY UPDATE: http cookie leakage via http redirect
    - debian/patches/CVE-2023-43804.patch: removes the cookie from the
      http request when it is redirected to a different origin.
    - CVE-2023-43804
  * SECURITY UPDATE: http body leakage via http redirect
    - debian/patches/CVE-2023-45803.patch: removes the body from the
      http request when it is redirected to a different origin and the
      http verb is changed to GET.
    - CVE-2023-45803

 -- Jorge Sancho Larraz <email address hidden> Fri, 10 Nov 2023 13:42:40 +0100
Source diff to previous version
CVE-2023-43804 urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the `Cookie` HTTP header special or provide any helpers for managing

Version: 22.0.2+dfsg-1ubuntu0.3 2023-06-12 13:07:11 UTC

  python-pip (22.0.2+dfsg-1ubuntu0.3) jammy-security; urgency=medium

  * No-change rebuild for requests update.

 -- Marc Deslauriers <email address hidden> Mon, 05 Jun 2023 14:20:05 -0400


About   -   Send Feedback to @ubuntu_updates