Information on source package python-pip

Available versions

ReleaseVersion
bullseye20.3.4-4+deb11u1
bullseye (security)20.3.4-4+deb11u2
bookworm23.0.1+dfsg-1
trixie25.1.1+dfsg-1
forky26.1.1+dfsg-1
sid26.1.1+dfsg-1

Open issues

BugbullseyebookwormtrixieforkysidDescription
CVE-2026-8643vulnerablevulnerablevulnerablevulnerablevulnerable
CVE-2026-6357vulnerable (no DSA, postponed)vulnerable (no DSA)vulnerable (no DSA)fixedfixedpip prior to version 26.1 would run self-update check functionality af ...
CVE-2026-3219vulnerable (no DSA, postponed)vulnerable (no DSA)vulnerable (no DSA)fixedfixedpip handles concatenated tar and ZIP files as ZIP files regardless of ...
CVE-2026-1703vulnerable (no DSA, postponed)vulnerable (no DSA)vulnerable (no DSA)fixedfixedWhen pip is installing and extracting a maliciously crafted wheel arch ...
CVE-2025-8869fixedvulnerable (no DSA)vulnerable (no DSA)fixedfixedWhen extracting a tar archive pip may not check symbolic links point i ...
CVE-2023-5752fixedvulnerable (no DSA)fixedfixedfixedWhen installing a package from a Mercurial VCS URL (ie "pip install ...

Resolved issues

BugDescription
CVE-2021-3572A flaw was found in python-pip in the way it handled Unicode separator ...
CVE-2019-20916The pip package before 19.2 for Python allows Directory Traversal when ...
CVE-2014-8991pip 1.3 through 1.5.6 allows local users to cause a denial of service ...
CVE-2013-5123The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 use ...
CVE-2013-1888pip before 1.3 allows local users to overwrite arbitrary files via a s ...
CVE-2013-1629pip before 1.3 uses HTTP to retrieve packages from the PyPI repository ...

Security announcements

DSA / DLADescription
DLA-4348-1python-pip - security update
DLA-2370-1python-pip - security update
Search for package or bug name: Reporting problems