USN-8344-2 python-pip regression
USN-8344-1 fixed vulnerabilities in pip. On Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 26.04 LTS the patches for CVE-2025-66471 caused a regression when using pip. The patches for CVE-2025-66471 have been temporarily reverted pending investigation. We apologize for the inconvenience. Original...
USN-8344-1 python-pip vulnerabilities
It was discovered that pip incorrectly handled TLS certificate verification in session connections. If a session was first used with certificate verification disabled, subsequent requests to the same host would also skip verification regardless of the session's current settings. A remote attacker...
CVE-2026-44432
CVE-2026-44432 affects urllib3 before 2.7.0, where the library could decompress the entire response during HTTPResponse.read or drain_conn, leading to high CPU and memory usage when handling highly compressed data. Affected versions: 2.6.0 up to (but not including) 2.7.0. Impact described as pote...
CLSA-2026-1775723090 python-pip: Fix of 2 CVEs
CVE-2025-66471: add decompression size limit to bundled urllib3 - CVE-2026-21441: skip decompression when draining redirect responses in bundled urllib3...
Security Bulletin: Location Service for ESRI Component uses the werkzeug-3.1.4 and urllib3-2.6.2 libraries, which were vulnerable to CVE-2026-21860 and CVE-2026-21441 respectively
Summary Location Service for ESRI Component uses the werkzeug-3.1.4 and urllib3-2.6.2 libraries, which were vulnerable to CVE-2026-21860 and CVE-2026-21441 respectively. Vulnerability Details CVEID:CVE-2026-21441 DESCRIPTION: urllib3 is an HTTP client library for Python. urllib3's streaming API is...
Security Bulletin: IBM Maximo Application Suite uses pyasn1-0.6.1, protobuf-6.33.4-cp39-abi3-manylinux2014_x86_64, urllib3-2.5.0-py3-none-any, database/sql 1.24.4 and weasyprint-67.0-py3-none-any.
Summary Security Bulletin: IBM Maximo Application Suite uses pyasn1-0.6.1, protobuf-6.33.4-cp39-abi3-manylinux2014_x86_64, urllib3-2.5.0-py3-none-any, database/sql 1.24.4 and weasyprint-67.0-py3-none-any, which are vulnerable to CVE-2026-23490, CVE-2026-0994, CVE-2025-66418, CVE-2025-66471,...
urllib3: urllib3: Unbounded decompression chain leads to resource exhaustion
A flaw was found in the urllib3 Python library that could lead to a Denial of Service condition. A remote, malicious server can exploit this flaw by responding to a client request with an HTTP message that uses an excessive number of chained compression algorithms. This unlimited decompression chain...
RHSA-2026:1712 Red Hat Security Advisory: python3.11-urllib3 security update
Bulletin has no description...
RHSA-2026:1704 Red Hat Security Advisory: python3.11-urllib3 security update
Bulletin has no description...
RHSA-2026:1546 Red Hat Security Advisory: python3.11-urllib3 security update
Bulletin has no description...
OESA-2026-1286 python-urllib3 security update
HTTP library with thread-safe connection pooling, file post support, sanity friendly, and more. Security Fixes: urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly compressed data. urllib3's streaming A...
CLSA-2026-1770035896 python3.11-urllib3: Fix of CVE-2025-66471
CVE-2025-66471: fix improper handling of highly compressed data in the Streaming API...
urllib3: urllib3 vulnerable to decompression-bomb safeguard bypass when following HTTP redirects (streaming API)
urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression based on the HTTP...
Exploit for CVE-2025-40554
CVE-2025-40554 Exploitation Suite A comprehensive security te...
Debian dla-4446 : python3-urllib3 - security update
The remote Debian 11 host has a package installed that is affected by a vulnerability as referenced in the dla-4446 advisory. ------------------------------------------------------------------------- Debian LTS Advisory DLA-4446-1 [email protected] https://www.debian.org/lts/security/...
Medium: python3.12-pip
Issue Overview: urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage an...
DEBIAN-CVE-2026-21441
urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression based on the HTTP...
Improper Handling of Highly Compressed Data (Data Amplification)
Overview urllib3 is an HTTP library with thread-safe connection pooling, file post, and more. Affected versions of this package are vulnerable to Improper Handling of Highly Compressed Data (Data Amplification) in the Streaming API. The ContentDecoder class can be forced to allocate disproportionate...
CVE-2025-66471 urllib3 Streaming API improperly handles highly compressed data
urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly compressed data. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than...
CLSA-2025-1763032859 python3.11-urllib3: Fix of CVE-2023-43804
CVE-2023-43804: fix issue to properly handle Cookie header to prevent information leakage via HTTP redirects...