python-pip (22.0.2+dfsg-1ubuntu0.6) jammy-security; urgency=medium

  * SECURITY UPDATE: Information disclosure through improperly disabled
    redirects.
    - debian/patches/CVE-2025-50181.patch: Add "retries" check and set
      retries to Retry.from_int(retries, redirect=False) as well as set
      raise_on_redirect in ./src/pip/_vendor/urllib3/poolmanager.py.
    - CVE-2025-50181

 -- Hlib Korzhynskyy <hlib.korzhynskyy@canonical.com>  Thu, 26 Jun 2025 09:37:21 -0230

python-pip (22.0.2+dfsg-1ubuntu0.5) jammy-security; urgency=medium

  * SECURITY UPDATE: The Proxy-Authorization header is not correctly
    stripped when redirecting to a different host in urllib3.
    - debian/patches/CVE-2024-37891.patch: Add "Proxy-Authorization" to
      DEFAULT_REMOVE_HEADERS_ON_REDIRECT in
      src/pip/vendor/urllib3/util/retry.py.
    - CVE-2024-37891

 -- Hlib Korzhynskyy <hlib.korzhynskyy@canonical.com>  Fri, 18 Oct 2024 14:45:13 -0230

python-pip (22.0.2+dfsg-1ubuntu0.4) jammy-security; urgency=medium

  * SECURITY UPDATE: http cookie leakage via http redirect
    - debian/patches/CVE-2023-43804.patch: removes the cookie from the
      http request when it is redirected to a different origin.
    - CVE-2023-43804
  * SECURITY UPDATE: http body leakage via http redirect
    - debian/patches/CVE-2023-45803.patch: removes the body from the
      http request when it is redirected to a different origin and the
      http verb is changed to GET.
    - CVE-2023-45803

 -- Jorge Sancho Larraz <jorge.sancho.larraz@canonical.com>  Fri, 10 Nov 2023 13:42:40 +0100

python-pip (22.0.2+dfsg-1ubuntu0.3) jammy-security; urgency=medium

  * No-change rebuild for requests update.

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 05 Jun 2023 14:20:05 -0400

python-pip (22.0.2+dfsg-1ubuntu0.2) jammy-security; urgency=medium

  * SECURITY UPDATE: ReDOS in wheel.py
    - debian/patches/CVE-2022-40898.patch: Fix potential DoS attack via
      wheel_file_re by restricting matching dash and dot characters in
      src/pip/_internal/models/wheel.py.
    - CVE-2022-40898

 -- David Fernandez Gonzalez <david.fernandezgonzalez@canonical.com>  Tue, 28 Feb 2023 10:39:46 +0100

python-pip (22.0.2+dfsg-1ubuntu0.1) jammy-security; urgency=medium

  * No-change rebuild due to wheel and setuptools update.

 -- David Fernandez Gonzalez <david.fernandezgonzalez@canonical.com>  Tue, 24 Jan 2023 10:23:13 +0100

python-pip (22.0.2+dfsg-1) unstable; urgency=medium

  * New upstream release.
  * Refresh patches.
  * Update copyright.
  * Unset PIP_NO_VENDOR_FOR_DOWNSTREAM, no longer needed.

 -- Stefano Rivera <stefanor@debian.org>  Wed, 02 Feb 2022 12:00:40 -0400

python-pip (21.3.1+dfsg-3) unstable; urgency=medium

  * Source-only upload.

 -- Stefano Rivera <stefanor@debian.org>  Wed, 12 Jan 2022 19:38:23 -0400

python-pip (21.3.1+dfsg-2) unstable; urgency=medium

  * Migrate from a single python-pip-whl package to: python3-pip-whl,
    python3-setuptools-whl, python3-wheel-whl, built from their
    respective source packages. (Closes: #1003573)

 -- Stefano Rivera <stefanor@debian.org>  Wed, 12 Jan 2022 13:29:13 -0400

python-pip (21.3.1+dfsg-1) unstable; urgency=medium

  [ Stefano Rivera ]
  * New upstream release.
    - Drops Python 2.7 support.
  * Refresh patches.
  * Drop patch debian-python2.7-sysconfig-workaround.patch, no longer
    needed.
  * Drop patches git-split-ascii, set_user_default, str-version,
    superseded upstream. (Closes: #995959)
  * Add myself to the copyright file.
  * Bump watch file version to 4.
  * Bump Standards-Version to 3.6.0, no changes needed.
  * Stop de-vendoring dependencies, on balance this has caused more
    trouble than it has saved.
    - Drop patches debundle, handle-unbundled-requests,
      wheel-and-pip-not-pip-wheels, debug-command-for-unbundled, no
      longer needed.
    - Patch: certifi-debian-ca-certificates, copied over from certifi
      source.
    - Document vendored modules copyright.
  * Re-enable "pip list --outdated" in autopkgtest.
  * Allow stderr in pip3-editable.sh autopkgtest, for pip's new warning
    about running as root.
  * Exclude distlib Windows .exe locators from the source package.
    - Drop lintian override for these.
  * Bump debhelper compat level to 13.
  * Build with pybuild's pyproject plugin.
  * Drop Python 2 wheels, these may be provided by a separate source
    package. (Closes: #938027, #999501, 1000826)

 -- Stefano Rivera <stefanor@debian.org>  Thu, 06 Jan 2022 22:06:12 -0400

# For older changelog entries, run 'apt-get changelog python3-pip'

Generated by dwww version 1.14 on Tue Aug 26 12:25:24 CEST 2025.