diff --git a/backport-CVE-2023-32681.patch b/backport-CVE-2023-32681.patch new file mode 100644 index 0000000000000000000000000000000000000000..3016e548f3071177a3f6fa94cbd32cf27f648832 --- /dev/null +++ b/backport-CVE-2023-32681.patch @@ -0,0 +1,27 @@ +From 74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5 Mon Sep 17 00:00:00 2001 +From: Nate Prewitt +Date: Mon, 22 May 2023 08:08:57 -0700 +Subject: [PATCH] Merge pull request from GHSA-j8r2-6x86-q33q + +--- + pip-21.3.1/src/pip/_vendor/requests/sessions.py | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/pip/_vendor/requests/sessions.py b/src/pip/_vendor/requests/sessions.py +index ae4bcc8..fe0370d 100644 +--- a/src/pip/_vendor/requests/sessions.py ++++ b/src/pip/_vendor/requests/sessions.py +@@ -306,7 +306,9 @@ class SessionRedirectMixin(object): + except KeyError: + username, password = None, None + +- if username and password: ++ # urllib3 handles proxy authorization for us in the standard adapter. ++ # Avoid appending this to TLS tunneled requests where it may be leaked. ++ if not scheme.startswith('https') and username and password: + headers['Proxy-Authorization'] = _basic_auth_str(username, password) + + return new_proxies +-- +2.49.0 + diff --git a/python-pip.spec b/python-pip.spec index c327a9f60b3a382e84ab64cf83f90bf58f850840..4c0c0569a99d7edafc85c09f29cced05d673e0a6 100644 --- a/python-pip.spec +++ b/python-pip.spec @@ -6,7 +6,7 @@ pip is the package installer for Python. You can use pip to install packages fro %global bashcompdir %(b=$(pkg-config --variable=completionsdir bash-completion 2>/dev/null); echo ${b:-%{_sysconfdir}/bash_completion.d}) Name: python-%{srcname} Version: 21.3.1 -Release: 10 +Release: 11 Summary: A tool for installing and managing Python packages License: MIT and Python and ASL 2.0 and BSD and ISC and LGPLv2 and MPLv2.0 and (ASL 2.0 or BSD) URL: http://www.pip-installer.org @@ -28,6 +28,7 @@ Patch6008: backport-CVE-2023-45803-Made-body-stripped-from-HTTP-requests.pa Patch6009: backport-CVE-2024-37891-Strip-Proxy-Authorization-header-on-redirects.patch Patch6010: backport-CVE-2024-47081.patch Patch6011: backport-CVE-2025-50181.patch +Patch6012: backport-CVE-2023-32681.patch Source10: pip-allow-older-versions.patch @@ -137,6 +138,9 @@ install -D -m0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/pip.conf %{python_wheeldir}/%{python_wheelname} %changelog +* Thu Sep 18 2025 xieyanlong - 21.3.1-11 +- Fix CVE-2023-32681 + * Thu Sep 11 2025 xiangyuning - 21.3.1-10 - Fix CVE-2025-50181