pip regression
Published: Fri, 29 May 2026 19:53
Summary
USN-8344-1 introduced a regression in pip.
Details
USN-8344-1 fixed vulnerabilities in pip. On Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 26.04 LTS the patches for CVE-2025-66471 caused a regression when using pip. The patches for CVE-2025-66471 have been temporarily reverted pending investigation. We apologize for the inconvenience. Original advisory details: It was discovered that pip incorrectly handled TLS certificate verification in session connections. If a session was first used with certificate verification disabled, subsequent requests to the same host would also skip verification regardless of the session's current settings. A remote attacker could possibly use this issue to perform a machine-in-the-middle attack and expose sensitive information. (CVE-2024-35195) It was discovered that pip's bundled urllib3 library did not limit the number of decompression steps when processing HTTP responses. A remote attacker could possibly use this issue to cause pip to consume excessive resources, leading to a denial of service. (CVE-2025-66418) It was discovered that pip's bundled urllib3 library improperly handled streaming decompression of highly compressed data. A remote attacker could possibly use this issue to cause pip to consume excessive resources, leading to a denial of service. (CVE-2025-66471)
Recommended actions per Ubuntu release
StackPatch playbook auto-generated per release codename and per affected package.
Ubuntu jammy
python-pip→22.0.2+dfsg-1ubuntu0.7+esm2apt_upgradeStandard apt upgrade. Install 22.0.2+dfsg-1ubuntu0.7+esm2 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y python-pip
Most apt upgrades restart their service automatically. needrestart lists anything else.
python3-pip→22.0.2+dfsg-1ubuntu0.7+esm2apt_upgradeStandard apt upgrade. Install 22.0.2+dfsg-1ubuntu0.7+esm2 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y python3-pip
Most apt upgrades restart their service automatically. needrestart lists anything else.
python3-pip-whl→22.0.2+dfsg-1ubuntu0.7+esm2apt_upgradeStandard apt upgrade. Install 22.0.2+dfsg-1ubuntu0.7+esm2 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y python3-pip-whl
Most apt upgrades restart their service automatically. needrestart lists anything else.
Ubuntu noble
python-pip→24.0+dfsg-1ubuntu1.3+esm2apt_upgradeStandard apt upgrade. Install 24.0+dfsg-1ubuntu1.3+esm2 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y python-pip
Most apt upgrades restart their service automatically. needrestart lists anything else.
python3-pip→24.0+dfsg-1ubuntu1.3+esm2apt_upgradeStandard apt upgrade. Install 24.0+dfsg-1ubuntu1.3+esm2 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y python3-pip
Most apt upgrades restart their service automatically. needrestart lists anything else.
python3-pip-whl→24.0+dfsg-1ubuntu1.3+esm2apt_upgradeStandard apt upgrade. Install 24.0+dfsg-1ubuntu1.3+esm2 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y python3-pip-whl
Most apt upgrades restart their service automatically. needrestart lists anything else.
Ubuntu resolute
python-pip→25.1.1+dfsg-1ubuntu2+esm2apt_upgradeStandard apt upgrade. Install 25.1.1+dfsg-1ubuntu2+esm2 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y python-pip
Most apt upgrades restart their service automatically. needrestart lists anything else.
python3-pip→25.1.1+dfsg-1ubuntu2+esm2apt_upgradeStandard apt upgrade. Install 25.1.1+dfsg-1ubuntu2+esm2 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y python3-pip
Most apt upgrades restart their service automatically. needrestart lists anything else.
python3-pip-whl→25.1.1+dfsg-1ubuntu2+esm2apt_upgradeStandard apt upgrade. Install 25.1.1+dfsg-1ubuntu2+esm2 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y python3-pip-whl
Most apt upgrades restart their service automatically. needrestart lists anything else.
Are YOU affected by USN-8344-2?
5-second check on your actual server. Reads /etc/os-release, uname -r, and dpkg-query; matches against the live USN + Debian Security Tracker feeds; tells you whether USN-8344-2 (and any other live CVE) applies. Anonymous, no signup.
curl https://mindsparkstack.com/scan.sh | bash
References
StackPatch runs this match against YOUR installed packages every hour
Free 1-server / $99 lifetime founder seat (50 only) / $19+/mo monthly. Indie pricing.