
=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN411
_____________________________________________________________________

DATE                : 22/04/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running pip.

=====================================================================
https://mail.python.org/archives/list/security-announce@python.org/thread/QAJ5JIVWWCAJ4EZL2FP5MOOW35JS7LRJ/
_____________________________________________________________________


[CVE-2026-3219] pip doesn't reject concatenated ZIP and tar archives

Seth Larson
20 April 2026 15:02

There is a MEDIUM severity vulnerability affecting pip.

pip handles concatenated tar and ZIP files as ZIP files regardless of
filename or whether a file is both a tar and ZIP file. This behavior
could result in confusing installation behavior, such as installing
"incorrect" files according to the filename of the archive. New behavior
only proceeds with installation if the file identifies uniquely as a
ZIP or tar archive, not as both.
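The check the announcement describes, accepting an archive only when it identifies as exactly one format, can be reproduced with the standard library. The following is an added example written for this note; it is not code from the announcement or from pip's fix (PR 13870), and the function names, the extension lists in accept_for_install and the sample archives are constructed for illustration. build_samples() assembles a one-member tar, a one-member ZIP, and the two concatenated, which is the shape of file the announcement describes: zipfile finds its end-of-central-directory record at the tail and tarfile finds a valid header at the head, so each library is happy to open it as its own format.

```python
import io
import tarfile
import zipfile


def looks_like_zip(data: bytes) -> bool:
    """True if the bytes end with a ZIP end-of-central-directory record."""
    return zipfile.is_zipfile(io.BytesIO(data))


def looks_like_tar(data: bytes) -> bool:
    """True if the bytes begin with a tar header that tarfile accepts."""
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r"):
            return True
    except (tarfile.TarError, EOFError, OSError, ValueError):
        return False


def classify_archive(data: bytes) -> str:
    """Return 'zip', 'tar', 'ambiguous' (both) or 'unknown' (neither)."""
    is_zip = looks_like_zip(data)
    is_tar = looks_like_tar(data)
    if is_zip and is_tar:
        return "ambiguous"
    if is_zip:
        return "zip"
    if is_tar:
        return "tar"
    return "unknown"


def accept_for_install(filename: str, data: bytes) -> str:
    """Return the format to install from, or raise ValueError.

    Two conditions, both assumptions of this example rather than pip's exact
    rules: the content must identify as exactly one format, and that format
    must agree with the filename extension.
    """
    kind = classify_archive(data)
    if kind == "ambiguous":
        raise ValueError(f"{filename}: identifies as both ZIP and tar; refusing")
    if kind == "unknown":
        raise ValueError(f"{filename}: not a recognised archive")
    lower = filename.lower()
    ext_is_zip = lower.endswith((".zip", ".whl"))
    ext_is_tar = lower.endswith((".tar", ".tar.gz", ".tgz", ".tar.bz2", ".tar.xz"))
    if (kind == "zip" and not ext_is_zip) or (kind == "tar" and not ext_is_tar):
        raise ValueError(f"{filename}: content is {kind} but the extension says otherwise")
    return kind


def build_samples() -> dict:
    """Constructed sample archives (not from the advisory): a tar, a ZIP,
    and the two concatenated tar-then-ZIP."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tf:
        payload = b"content from the tar member\n"
        info = tarfile.TarInfo(name="from_tar.txt")
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, mode="w") as zf:
        zf.writestr("from_zip.txt", "content from the zip member\n")
    tar_bytes = tar_buf.getvalue()
    zip_bytes = zip_buf.getvalue()
    return {"tar": tar_bytes, "zip": zip_bytes, "both": tar_bytes + zip_bytes}


if __name__ == "__main__":
    samples = build_samples()
    for label, blob in samples.items():
        print(f"{label:5} -> {classify_archive(blob)}")
    # The concatenated blob opens cleanly as either format, which is the
    # confusion the check above is meant to stop before installation.
    with zipfile.ZipFile(io.BytesIO(samples["both"])) as zf:
        print("as zip:", zf.namelist())
    with tarfile.open(fileobj=io.BytesIO(samples["both"]), mode="r") as tf:
        print("as tar:", tf.getnames())
```

The detection relies on the two libraries probing opposite ends of the file: zipfile only needs a central-directory record near the tail (it tolerates prepended data by computing an offset), while tarfile only needs a well-formed 512-byte header at the head. Running both and refusing anything that satisfies both is cheaper and more robust than trying to decide which format "wins".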

Please see the linked CVE ID for the latest information on affected
versions:

    https://www.cve.org/CVERecord?id=CVE-2026-3219
    https://github.com/pypa/pip/pull/13870


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================