USN-7084-2: pip vulnerability

Releases

• Ubuntu 24.10
• Ubuntu 24.04 LTS
• Ubuntu 22.04 LTS
• Ubuntu 20.04 LTS
• Ubuntu 18.04 ESM
• Ubuntu 16.04 ESM

Packages

• python-pip - Python package installer

Details

USN-7084-1 fixed vulnerability in urllib3. This update provides the
corresponding update for the urllib3 module bundled into pip.

Original advisory details:

It was discovered that urllib3 didn't strip HTTP Proxy-Authorization
header on cross-origin redirects. A remote attacker could possibly use
this issue to obtain sensitive information.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 24.10

• python3-pip - 24.2+dfsg-1ubuntu0.1
• python3-pip-whl - 24.2+dfsg-1ubuntu0.1

Ubuntu 24.04

• python3-pip - 24.0+dfsg-1ubuntu1.1
• python3-pip-whl - 24.0+dfsg-1ubuntu1.1

Ubuntu 22.04

• python3-pip - 22.0.2+dfsg-1ubuntu0.5
• python3-pip-whl - 22.0.2+dfsg-1ubuntu0.5

Ubuntu 20.04

• python-pip-whl - 20.0.2-5ubuntu1.11
• python3-pip - 20.0.2-5ubuntu1.11

Ubuntu 18.04

• python-pip - 9.0.1-2.3~ubuntu1.18.04.8+esm6
  Available with Ubuntu Pro
• python-pip-whl - 9.0.1-2.3~ubuntu1.18.04.8+esm6
  Available with Ubuntu Pro
• python3-pip - 9.0.1-2.3~ubuntu1.18.04.8+esm6
  Available with Ubuntu Pro

Ubuntu 16.04

• python-pip - 8.1.1-2ubuntu0.6+esm10
  Available with Ubuntu Pro
• python-pip-whl - 8.1.1-2ubuntu0.6+esm10
  Available with Ubuntu Pro
• python3-pip - 8.1.1-2ubuntu0.6+esm10
  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References

• CVE-2024-37891

Related notices

• USN-7084-1: python3-urllib3, python-urllib3