
Ubuntu 26.04 LTS python-pip High TLS Denial of Service USN-8344-2

May 29, 2026

Summary

USN-8344-1 introduced a regression in pip.

Software Description:

- python-pip: Python package installer

Details:

USN-8344-1 fixed vulnerabilities in pip. On Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 26.04 LTS the patches for CVE-2025-66471 caused a regression when using pip. The patches for CVE-2025-66471 have been temporarily reverted pending investigation.

We apologize for the inconvenience.

Original advisory details:

It was discovered that pip incorrectly handled TLS certificate verification in session connections. If a session was first used with certificate verification disabled, subsequent requests to the same host would also skip verification regardless of the session's current settings. A remote attacker could possibly use this issue to perform a machine-in-the-middle attack and expose sensitive information. (CVE-2024-35195)

It was discovered that pip's bundled urllib3 library did not limit the number of decompression steps when processing HTTP responses...


Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 26.04 LTS
  python3-pip                     25.1.1+dfsg-1ubuntu2+esm2
                                  Available with Ubuntu Pro
  python3-pip-whl                 25.1.1+dfsg-1ubuntu2+esm2
                                  Available with Ubuntu Pro

Ubuntu 24.04 LTS
  python3-pip                     24.0+dfsg-1ubuntu1.3+esm2
                                  Available with Ubuntu Pro
  python3-pip-whl                 24.0+dfsg-1ubuntu1.3+esm2
                                  Available with Ubuntu Pro

Ubuntu 22.04 LTS
  python3-pip                     22.0.2+dfsg-1ubuntu0.7+esm2
                                  Available with Ubuntu Pro
  python3-pip-whl                 22.0.2+dfsg-1ubuntu0.7+esm2
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.
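To confirm that a host actually received the reverted build rather than the broken +esm1 packages, the following added example (not part of the Ubuntu notice) reimplements the dpkg version-ordering rules in pure Python and checks a version string, such as the one printed by `dpkg-query -W python3-pip`, against the fixed versions listed above; the release keys and the `FIXED` table are this example's own construction.

```python
import re

# Fixed versions from the advisory, keyed by Ubuntu release (same for python3-pip-whl).
FIXED = {
    "22.04": "22.0.2+dfsg-1ubuntu0.7+esm2",
    "24.04": "24.0+dfsg-1ubuntu1.3+esm2",
    "26.04": "25.1.1+dfsg-1ubuntu2+esm2",
}

def _order(c):
    # dpkg ordering for non-digit chars: '~' < end of string < letters < others
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    # Alternate non-digit and digit runs, as dpkg does for upstream/revision parts.
    while a or b:
        na = re.match(r"[^0-9]*", a).group()
        nb = re.match(r"[^0-9]*", b).group()
        for i in range(max(len(na), len(nb))):
            oa = _order(na[i]) if i < len(na) else 0
            ob = _order(nb[i]) if i < len(nb) else 0
            if oa != ob:
                return -1 if oa < ob else 1
        a, b = a[len(na):], b[len(nb):]
        da = re.match(r"[0-9]*", a).group()
        db = re.match(r"[0-9]*", b).group()
        ia, ib = int(da or 0), int(db or 0)
        if ia != ib:
            return -1 if ia < ib else 1
        a, b = a[len(da):], b[len(db):]
    return 0

def _split(version):
    # '[epoch:]upstream[-revision]' -> (epoch, upstream, revision); last '-' starts the revision
    m = re.fullmatch(r"(?:(\d+):)?(.*?)(?:-([^-]*))?", version)
    return int(m.group(1) or 0), m.group(2), m.group(3) or ""

def dpkg_compare(v1, v2):
    """Return -1, 0 or 1, mirroring `dpkg --compare-versions`."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

def is_patched(installed, release):
    """True if the installed version is at or above the USN-8344-2 fix for that release."""
    return dpkg_compare(installed, FIXED[release]) >= 0
```

Note that `+esm1` (the USN-8344-1 build) sorts below `+esm2`, and a version without the `+esm` suffix sorts below both, so either is reported as unpatched.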

References

https://ubuntu.com/security/notices/USN-8344-2

https://ubuntu.com/security/notices/USN-8344-1

https://launchpad.net/bugs/2154576


Ubuntu Security Notice USN-8344-2
