CVE-2026-6357: Vulnerability in pip self-update functionality causes newly installed modules to be unexpectedly imported


oss-sec mailing list archives


From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Mon, 27 Apr 2026 13:31:14 -0700




-------- Forwarded Message --------
Subject: [Security-announce][CVE-2026-6357] pip self-update functionality can import newly installed modules after wheel installation
Date:   Mon, 27 Apr 2026 14:20:59 +0000
From:   Seth Larson <seth () python org>
Reply-To:       security-sig () python org
To:     security-announce () python org



There is a MEDIUM severity vulnerability affecting the pip project.

pip prior to version 26.1 would run self-update check functionality after installing wheel files which required importing well-known Python module names. These module imports were intentionally deferred to increase startup time of the pip CLI. The patch changes self-update functionality to run before wheels are installed to prevent newly-installed modules from being imported shortly after the installation of a wheel package. Users should still review package contents prior to installation.

Please see the linked CVE ID for the latest information on affected versions:

* https://www.cve.org/CVERecord?id=CVE-2026-6357
* https://github.com/pypa/pip/pull/13923

_______________________________________________
Security-announce mailing list -- security-announce () python org
To unsubscribe send an email to security-announce-leave () python org
https://mail.python.org/mailman3//lists/security-announce.python.org
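To make the ordering point of the advisory concrete, the following is an added example (not pip's code and not part of the advisory) that models a deferred import resolved once before and once after a "wheel install". It assumes a hypothetical module name `hypothetical_lazy_dep` standing in for the well-known modules the advisory does not name, and a temporary directory standing in for the environment's site-packages.

```python
import importlib
import os
import sys
import tempfile

# Hypothetical stand-in for one of the "well-known" module names the advisory
# says pip's self-update check imports lazily; the advisory does not list them.
LAZY_MODULE = "hypothetical_lazy_dep"


def self_update_check():
    """Model of pip's self-update check: a deferred import resolved only now."""
    sys.modules.pop(LAZY_MODULE, None)          # force a fresh resolution
    try:
        mod = importlib.import_module(LAZY_MODULE)
    except ModuleNotFoundError:
        return "not-installed"
    return getattr(mod, "ORIGIN", "unknown")


def install_wheel(site_dir):
    """Model of a wheel install: drop a top-level module into the environment's
    site-packages directory, which is already on sys.path."""
    with open(os.path.join(site_dir, LAZY_MODULE + ".py"), "w") as f:
        f.write("ORIGIN = 'constructed-wheel'\n")  # constructed marker, no payload
    importlib.invalidate_caches()               # the import system re-scans the dir


def run(order):
    """order='after' models pip < 26.1 (check runs after the install);
    order='before' models the fix (check runs before the install)."""
    with tempfile.TemporaryDirectory() as site_dir:  # stands in for site-packages
        sys.path.insert(0, site_dir)
        try:
            if order == "before":
                result = self_update_check()
                install_wheel(site_dir)
            else:
                install_wheel(site_dir)
                result = self_update_check()
        finally:
            sys.path.remove(site_dir)
            sys.path_importer_cache.pop(site_dir, None)
            sys.modules.pop(LAZY_MODULE, None)
            importlib.invalidate_caches()
    return result


if __name__ == "__main__":
    print("check after install :", run("after"))   # constructed-wheel
    print("check before install:", run("before"))  # not-installed
```

The "after" ordering resolves the deferred import against the module that the install just wrote, which is the behaviour the advisory describes; the "before" ordering never sees it, which is why the fix is a reordering rather than a change to the import itself.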



Article source: https://seclists.org/oss-sec/2026/q2/234