=====================================================================

                            CERT-Renater

                Information Note No. 2026/VULN590
_____________________________________________________________________

DATE                : 04/06/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running pip, CPython.

=====================================================================
https://mail.python.org/archives/list/security-announce@python.org/thread/YV63UET5D3OOJY7O4M5XCVYO2YM4NBYJ/
https://mail.python.org/archives/list/security-announce@python.org/thread/PP5HB4K7727OBBM76KA2ILID76K3OZGZ/
https://mail.python.org/archives/list/security-announce@python.org/thread/4FU62L2M6RMMHT2QPGQNPEHHUND7CEX5/
https://mail.python.org/archives/list/security-announce@python.org/thread/ITF2BAPBQEPYK3LDMPRSY435JGNHYNDP/
_____________________________________________________________________


[CVE-2026-8643] pip can extract console_scripts and gui_scripts
outside installation directory

Seth Larson
1 June 2026 15:03

There is a MEDIUM severity vulnerability affecting pip.

pip would treat console_scripts and gui_scripts as paths instead of file
names without sanitizing the resolved absolute path to the installation
directory, leading to entry points being installed outside the installation
directory.

Please see the linked CVE ID for the latest information on affected
versions:

    https://www.cve.org/CVERecord?id=CVE-2026-8643
    https://github.com/pypa/pip/pull/14000

_____________________________________________________________________


[CVE-2026-3276] Potential DoS via quadratic complexity in
unicodedata.normalize()

Stan Ulbrych
3 June 2026 13:56

There is a MEDIUM severity vulnerability affecting CPython.

unicodedata.normalize() can take excessive CPU time when processing
specially crafted Unicode input containing long runs of combining characters
with alternating Canonical Combining Class values.
This affects all normalization forms.

Please see the linked CVE ID for the latest information on affected
versions:

    https://www.cve.org/CVERecord?id=CVE-2026-3276
    https://github.com/python/cpython/pull/149080

_____________________________________________________________________


[CVE-2026-7774] tarfile.data_filter path traversal bypass allows
writing outside the extraction directory

Stan Ulbrych
4 June 2026 14:12

There is a MEDIUM severity vulnerability affecting CPython.

tarfile.data_filter could be bypassed using crafted link entries, including
symlinks with empty or directory-like names, to redirect later archive members
outside the intended extraction directory. This allowed a malicious tar archive
to cause tarfile.extractall() to write files outside the destination directory,
subject to the permissions of the extracting process.

Please see the linked CVE ID for the latest information on affected
versions:

    https://www.cve.org/CVERecord?id=CVE-2026-7774
    https://github.com/python/cpython/pull/149487

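A defensive pre-extraction audit for the tarfile issue above, as an added example (not code from CPython, from the announcement, or from CERT-Renater). It assumes POSIX-style member names and is meant to run before extractall() in addition to, not instead of, the built-in filter="data"; the entry helpers only exist to construct sample members for testing.

```python
import posixpath
import tarfile

# Added example: a conservative audit of tar members run *before*
# extractall(). It complements filter="data" with a stricter check on
# link entries, the member kind the advisory names as the bypass vector.

def _escapes_root(path: str) -> bool:
    """True if a POSIX path is absolute or climbs above the extraction root."""
    if not path or posixpath.isabs(path):
        return True
    norm = posixpath.normpath(path)
    return norm == ".." or norm.startswith("../")

def audit_members(members) -> list:
    """Return (member_name, reason) findings for TarInfo objects; [] is clean."""
    findings = []
    for m in members:
        name = m.name
        # Empty, "." or trailing-slash names are only legitimate on directories.
        if (name in ("", ".") or name.endswith("/")) and not m.isdir():
            findings.append((name, "member name is empty or directory-like"))
        elif _escapes_root(name):
            findings.append((name, "member name escapes extraction root"))
        elif m.issym() or m.islnk():
            # Symlink targets resolve relative to the link's own directory;
            # hard-link targets are archive-relative paths.
            target = posixpath.join(posixpath.dirname(name), m.linkname) if m.issym() else m.linkname
            if _escapes_root(target):
                findings.append((name, f"link target {m.linkname!r} escapes extraction root"))
    return findings

def audit_archive(path: str) -> list:
    """Audit an on-disk archive; refuse to extract when the result is non-empty."""
    with tarfile.open(path, mode="r:*") as tf:
        return audit_members(tf.getmembers())

def link_entry(name: str, linkname: str, hard: bool = False) -> tarfile.TarInfo:
    # Constructed sample member (hypothetical helper, for tests and demos only).
    info = tarfile.TarInfo(name)
    info.type = tarfile.LNKTYPE if hard else tarfile.SYMTYPE
    info.linkname = linkname
    return info

def file_entry(name: str, payload: bytes) -> tarfile.TarInfo:
    # Constructed regular-file member (hypothetical helper, for tests only).
    info = tarfile.TarInfo(name)
    info.size = len(payload)
    return info
```

Run audit_archive(path) on untrusted archives and skip extraction when it returns findings; on interpreters that support it, still pass filter="data" to extractall() so the standard library's own checks apply as well.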
_____________________________________________________________________


[CVE-2026-8328] FTP PASV SSRF, ftpcp() does not use actual peer
address, trusts server-supplied PASV host address

Seth Larson
13 May 2026 20:15

There is a MEDIUM severity vulnerability affecting CPython.

The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189
was fixed. While makepasv() was patched to replace server-supplied PASV
host addresses with the actual peer address (getpeername()[0]), ftpcp()
still calls parse227() directly and passes the raw attacker-controllable IP
address and port to target.sendport().

Please see the linked CVE ID for the latest information on affected
versions:

    https://www.cve.org/CVERecord?id=CVE-2026-8328
    https://github.com/python/cpython/pull/149648

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================