EULEROS-SA-2026-1226

Summary:

An update for python-pip is now available for EulerOS V2.0SP13

EulerOS Security has rated this update as having a security impact of Moderate.A Common Vunlnerability Scoring System(CVSS)base score, which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.General:

pip is a package management system used to install and manage software packages written in Python. Many packages can be found in the Python Package Index (PyPI). pip is a recursive acronym that can stand for either "Pip Installs Packages" or "Pip Installs Python".

Security Fix(es):

When extracting a tar archive pip may not check symbolic links point into the extraction directory if the tarfile module doesn't implement PEP 706.

Note that upgrading pip to a "fixed" version for this vulnerability doesn't fix all known vulnerabilities that are remediated by using a Python version that implements PEP 706.

Note that this is a vulnerability in pip's fallback implementation of tar extraction for Python versions that don't implement PEP 706

and therefore are not secure to all vulnerabilities in the Python 'tarfile' module. If you're using a Python version that implements PEP 706

then pip doesn't use the "vulnerable" fallback code.

Mitigations include upgrading to a version of pip that includes the fix, upgrading to a Python version that implements PEP 706 (Python ＞=3.9.17, ＞=3.10.12, ＞=3.11.4, or ＞=3.12),

applying the linked patch, or inspecting source distributions (sdists) before installation as is already a best-practice.(CVE-2025-8869)Legal Disclaimer:

This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, either express or implied, including the warranties of merchantability or fitness for a particular purpose. In no event shall Huawei or any of its directly or indirectly controlled subsidiaries or its suppliers be liable for any damages whatsoever including...