{"schema_version":"1.7.2","id":"OESA-2026-1909","modified":"2026-04-17T12:59:29Z","published":"2026-04-17T12:59:29Z","upstream":["CVE-2026-25645"],"summary":"python-pip security update","details":"%changelog * Fri Feb 13 2026 Linux_zhang <244695981@qq.com> - 23.3.1-9 - Fix CVE-2026-21441\r\n\r\nSecurity Fix(es):\n\nRequests is a HTTP library. Prior to version 2.33.0, the `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one. Standard usage of the Requests library is not affected by this vulnerability. Only applications that call `extract_zipped_paths()` directly are impacted. Starting in version 2.33.0, the library extracts files to a non-deterministic location. If developers are unable to upgrade, they can set `TMPDIR` in their environment to a directory with restricted write access.(CVE-2026-25645)","affected":[{"package":{"ecosystem":"openEuler:22.03-LTS-SP4","name":"python-pip","purl":"pkg:rpm/openEuler/python-pip&distro=openEuler-22.03-LTS-SP4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"21.3.1-15.oe2203sp4"}]}],"ecosystem_specific":{"noarch":["python-pip-help-21.3.1-15.oe2203sp4.noarch.rpm","python-pip-wheel-21.3.1-15.oe2203sp4.noarch.rpm","python3-pip-21.3.1-15.oe2203sp4.noarch.rpm"],"src":["python-pip-21.3.1-15.oe2203sp4.src.rpm"]}},{"package":{"ecosystem":"openEuler:24.03-LTS","name":"python-pip","purl":"pkg:rpm/openEuler/python-pip&distro=openEuler-24.03-LTS"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"23.3.1-10.oe2403sp3"}]}],"ecosystem_specific":{"noarch":["python-pip-help-23.3.1-10.oe2403.noarch.rpm","python-pip-wheel-23.3.1-10.oe2403.noarch.rpm","python3-pip-23.3.1-10.oe2403.noarch.rpm","python-pip-help-23.3.1-10.oe2403sp1.noarch.rpm","python-pip-wheel-23.3.1-10.oe2403sp1.noarch.rpm","python3-pip-23.3.1-10.oe2403sp1.noarch.rpm","python-pip-help-23.3.1-10.oe2403sp2.noarch.rpm","python-pip-wheel-23.3.1-10.oe2403sp2.noarch.rpm","python3-pip-23.3.1-10.oe2403sp2.noarch.rpm","python-pip-help-23.3.1-10.oe2403sp3.noarch.rpm","python-pip-wheel-23.3.1-10.oe2403sp3.noarch.rpm","python3-pip-23.3.1-10.oe2403sp3.noarch.rpm"],"src":["python-pip-23.3.1-10.oe2403.src.rpm","python-pip-23.3.1-10.oe2403sp1.src.rpm","python-pip-23.3.1-10.oe2403sp2.src.rpm","python-pip-23.3.1-10.oe2403sp3.src.rpm"]}},{"package":{"ecosystem":"openEuler:24.03-LTS-SP1","name":"python-pip","purl":"pkg:rpm/openEuler/python-pip&distro=openEuler-24.03-LTS-SP1"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"23.3.1-10.oe2403sp1"}]}],"ecosystem_specific":{"noarch":["python-pip-help-23.3.1-10.oe2403sp1.noarch.rpm","python-pip-wheel-23.3.1-10.oe2403sp1.noarch.rpm","python3-pip-23.3.1-10.oe2403sp1.noarch.rpm"],"src":["python-pip-23.3.1-10.oe2403sp1.src.rpm"]}},{"package":{"ecosystem":"openEuler:24.03-LTS-SP2","name":"python-pip","purl":"pkg:rpm/openEuler/python-pip&distro=openEuler-24.03-LTS-SP2"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"23.3.1-10.oe2403sp2"}]}],"ecosystem_specific":{"noarch":["python-pip-help-23.3.1-10.oe2403sp2.noarch.rpm","python-pip-wheel-23.3.1-10.oe2403sp2.noarch.rpm","python3-pip-23.3.1-10.oe2403sp2.noarch.rpm"],"src":["python-pip-23.3.1-10.oe2403sp2.src.rpm"]}},{"package":{"ecosystem":"openEuler:24.03-LTS-SP3","name":"python-pip","purl":"pkg:rpm/openEuler/python-pip&distro=openEuler-24.03-LTS-SP3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"23.3.1-10.oe2403sp3"}]}],"ecosystem_specific":{"noarch":["python-pip-help-23.3.1-10.oe2403sp3.noarch.rpm","python-pip-wheel-23.3.1-10.oe2403sp3.noarch.rpm","python3-pip-23.3.1-10.oe2403sp3.noarch.rpm"],"src":["python-pip-23.3.1-10.oe2403sp3.src.rpm"]}},{"package":{"ecosystem":"openEuler:20.03-LTS-SP4","name":"python-pip","purl":"pkg:rpm/openEuler/python-pip&distro=openEuler-20.03-LTS-SP4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"20.2.2-16.oe2003sp4"}]}],"ecosystem_specific":{"noarch":["python-pip-help-20.2.2-16.oe2003sp4.noarch.rpm","python-pip-wheel-20.2.2-16.oe2003sp4.noarch.rpm","python2-pip-20.2.2-16.oe2003sp4.noarch.rpm","python3-pip-20.2.2-16.oe2003sp4.noarch.rpm"],"src":["python-pip-20.2.2-16.oe2003sp4.src.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1909"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25645"}],"database_specific":{"severity":"Medium"}}