[GHSA-4xh5-x5gv-qwph] pip's fallback tar extraction doesn't check symbolic links point to extraction directory #6358
Conversation
There was a problem hiding this comment.
Pull Request Overview
Updates the pip security advisory GHSA-4xh5-x5gv-qwph to reflect that version 25.3 containing the fix has been released, changing the status from unfixed to fixed.
Key changes:
- Updated remediation details to indicate pip 25.3 is now available with the fix
- Changed version range from "last_affected" to "fixed" status with version constraint
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| }, | ||
| { | ||
| "last_affected": "25.2" | ||
| "fixed": ">=25.3" |
There was a problem hiding this comment.
The version constraint uses >=25.3 which suggests any version greater than or equal to 25.3 is fixed. However, this should likely be specified as 25.3 without the comparison operator, as the 'fixed' field typically specifies the exact version where the fix was introduced, not a range. Check the schema documentation for the correct format.
| "fixed": ">=25.3" | |
| "fixed": "25.3" |
There was a problem hiding this comment.
I'm not sure what the best practice is for this field. Reviews, please feel free to accept this suggestion if you think it's better.
github-actions
bot
changed the base branch from
main
to
ichard26/advisory-improvement-6358
advisory-database
bot
merged commit c4b1fce
into
ichard26/advisory-improvement-6358
|
Hi @ichard26! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future! |
Updates
Comments
We released pip 25.3 two days ago which contains a fix for this CVE: https://pypi.org/project/pip/25.3/.