Security update for python-pip SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2026:20423-1 Final 1 1 2026-02-11T19:21:28Z current 2026-02-11T19:21:28Z 2026-02-11T19:21:28Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for python-pip This update for python-pip fixes the following issues: - CVE-2026-1703: files may be extracted outside the installation directory when installing and extracting maliciously crafted wheel archives (bsc#1257599). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLES-16.0-256 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2026/suse-su-202620423-1/ Link for SUSE-SU-2026:20423-1 https://lists.suse.com/pipermail/sle-security-updates/2026-February/024347.html E-Mail link for SUSE-SU-2026:20423-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1257599 SUSE Bug 1257599 https://www.suse.com/security/cve/CVE-2026-1703/ SUSE CVE CVE-2026-1703 page SUSE Linux Enterprise Server 16.0 SUSE Linux Enterprise Server for SAP applications 16.0 python313-pip-25.0.1-160000.3.1 python313-pip-wheel-25.0.1-160000.3.1 python313-pip-25.0.1-160000.3.1 as a component of SUSE Linux Enterprise Server 16.0 python313-pip-wheel-25.0.1-160000.3.1 as a component of SUSE Linux Enterprise Server 16.0 python313-pip-25.0.1-160000.3.1 as a component of SUSE Linux Enterprise Server for SAP applications 16.0 python313-pip-wheel-25.0.1-160000.3.1 as a component of SUSE Linux Enterprise Server for SAP applications 16.0 When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situations. CVE-2026-1703 SUSE Linux Enterprise Server 16.0:python313-pip-25.0.1-160000.3.1 SUSE Linux Enterprise Server 16.0:python313-pip-wheel-25.0.1-160000.3.1 SUSE Linux Enterprise Server for SAP applications 16.0:python313-pip-25.0.1-160000.3.1 SUSE Linux Enterprise Server for SAP applications 16.0:python313-pip-wheel-25.0.1-160000.3.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620423-1/ https://www.suse.com/security/cve/CVE-2026-1703.html CVE-2026-1703 https://bugzilla.suse.com/1257599 SUSE Bug 1257599