[Buildroot] [PATCH v2] package/python-pip: security bump to v25.2
Julien Olivain
ju.o at free.fr
Thu Oct 2 20:25:59 UTC 2025
On 02/10/2025 17:06, Titouan Christophe via buildroot wrote:
> This fixes the following vulnerability:
> - CVE-2025-8869:
>   When extracting a tar archive pip may not check symbolic links point
>   into the extraction directory if the tarfile module doesn't implement
>   PEP 706. Note that upgrading pip to a "fixed" version for this
>   vulnerability doesn't fix all known vulnerabilities that are
>   remediated by using a Python version that implements PEP 706. Note
>   that this is a vulnerability in pip's fallback implementation of tar
>   extraction for Python versions that don't implement PEP 706 and
>   therefore are not secure to all vulnerabilities in the Python
>   'tarfile' module. If you're using a Python version that implements
>   PEP 706 then pip doesn't use the "vulnerable" fallback code.
>   Mitigations include upgrading to a version of pip that includes the
>   fix, upgrading to a Python version that implements PEP 706 (Python
>   >=3.9.17, >=3.10.12, >=3.11.4, or >=3.12), applying the linked patch,
>   or inspecting source distributions (sdists) before installation as is
>   already a best-practice.
>   https://www.cve.org/CVERecord?id=CVE-2025-8869
>
> Signed-off-by: Titouan Christophe <titouan.christophe at mind.be>
Applied to master, thanks.
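The check the quoted advisory describes, as an added example that is not pip's code and not part of the original mail: a manual pre-extraction scan for archive members whose path or link target would land outside the destination (the check a fallback extractor has to make on interpreters without PEP 706), beside the PEP 706 `data` filter that refuses the same member on interpreters that provide it. The archive contents, the destination path and all function names are constructed for this example; nothing is written to disk.

```python
import io
import os
import tarfile

def tarfile_implements_pep706() -> bool:
    return hasattr(tarfile, "data_filter")  # the PEP 706 extraction filters are present

def unsafe_members(archive: tarfile.TarFile, dest: str) -> list:
    """Members whose path or link target would escape `dest`: a manual pre-extraction
    check for interpreters without PEP 706 (this is not pip's own fallback code)."""
    root = os.path.realpath(dest)
    bad = []
    for m in archive.getmembers():
        paths = [os.path.realpath(os.path.join(root, m.name))]  # where the member lands
        if m.issym():  # symlink targets resolve from the link's own directory
            paths.append(os.path.realpath(os.path.join(os.path.dirname(paths[0]), m.linkname)))
        elif m.islnk():  # hard link targets resolve from the extraction root
            paths.append(os.path.realpath(os.path.join(root, m.linkname)))
        if any(os.path.commonpath([root, p]) != root for p in paths):
            bad.append(m.name)
    return bad

def build_sample_archive() -> bytes:
    """Constructed fixture: a regular file plus a symlink whose target leaves the root."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        data = b"print('hello')\n"
        info = tarfile.TarInfo("pkg/setup.py")
        info.size = len(data)
        tf.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("pkg/escape")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../outside"  # resolves to a sibling of the extraction root
        tf.addfile(link)
    return buf.getvalue()

def scan_sample(dest: str = "/nonexistent/extract-root") -> list:
    with tarfile.open(fileobj=io.BytesIO(build_sample_archive())) as tf:
        return unsafe_members(tf, dest)  # only computes paths; nothing touches disk

def data_filter_rejects_sample(dest: str = "/nonexistent/extract-root") -> bool:
    """On a PEP 706 interpreter the built-in 'data' filter refuses the same member."""
    if not tarfile_implements_pep706():
        return False
    with tarfile.open(fileobj=io.BytesIO(build_sample_archive())) as tf:
        try:
            for m in tf.getmembers():
                tarfile.data_filter(m, dest)
        except tarfile.LinkOutsideDestinationError:
            return True
    return False
```

On an interpreter listed in the advisory as implementing PEP 706, `data_filter_rejects_sample()` returns True; on an older one it returns False and only the manual scan catches the member.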