{"schema_version":"1.7.2","id":"OESA-2026-2542","modified":"2026-06-05T15:48:12Z","published":"2026-06-05T15:48:12Z","upstream":["CVE-2023-5752","CVE-2026-44431"],"summary":"python-pip security update","details":"pip is the package installer for Python. You can use pip to install packages from the Python Package Index and other indexes. %global bashcompdir %(b=$(pkg-config --variable=completionsdir bash-completion 2>/dev/null); echo ${b:-/bash_completion.d}) Name:           python-pip Version:        20.2.2 Release:        4 Summary:        A tool for installing and managing Python packages License:        MIT and Python and ASL 2.0 and BSD and ISC and LGPLv2 and MPLv2.0 and (ASL 2.0 or BSD) URL:            http://www.pip-installer.org Source0:        https://files.pythonhosted.org/packages/source/p/pip/pip-.tar.gz BuildArch:      noarch Patch1:         allow-stripping-given-prefix-from-wheel-RECORD-files. Patch2:         emit-a-warning-when-running-with-root-privileges.patch Patch3:         remove-existing-dist-only-if-path-conflicts.patch Patch6000:      dummy-certifi.patch Patch6001:      backport-CVE-2021-3572.patch\r\n\r\nSecurity Fix(es):\n\nWhen installing a package from a Mercurial VCS URL  (ie "pip install \nhg+...") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the "hg clone" \ncall (ie "--config"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n(CVE-2023-5752)\n\nWhen following cross-origin redirects for requests made using urllib3's high-level APIs, such as urllib3.request(), PoolManager.request(), and ProxyManager.request(), sensitive headers — Authorization, Cookie, and Proxy-Authorization (defined in Retry.DEFAULT_REMOVE_HEADERS_ON_REDIRECT) — are stripped by default, as expected. However, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward these sensitive headers.(CVE-2026-44431)","affected":[{"package":{"ecosystem":"openEuler:22.03-LTS-SP4","name":"python-pip","purl":"pkg:rpm/openEuler/python-pip&distro=openEuler-22.03-LTS-SP4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"21.3.1-18.oe2203sp4"}]}],"ecosystem_specific":{"noarch":["python-pip-help-21.3.1-18.oe2203sp4.noarch.rpm","python-pip-wheel-21.3.1-18.oe2203sp4.noarch.rpm","python3-pip-21.3.1-18.oe2203sp4.noarch.rpm"],"src":["python-pip-21.3.1-18.oe2203sp4.src.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2542"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-5752"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44431"}],"database_specific":{"severity":"High"}}