Bug 34401 - python-urllib3 and python-pip new security issue CVE-2025-50181
Summary: python-urllib3 and python-pip new security issue CVE-2025-50181
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2025-06-27 15:19 CEST by Nicolas Salguero
Modified: 2025-11-12 22:36 CET

See Also:
Source RPM: python-urllib3-1.26.20-1.mga9.src.rpm, python-pip-23.0.1-1.1.mga9.src.rpm
CVE: CVE-2025-50181
Status comment:



Description Nicolas Salguero 2025-06-27 15:19:39 CEST
Ubuntu has issued an advisory on June 26:
https://ubuntu.com/security/notices/USN-7599-1
Nicolas Salguero 2025-06-27 15:21:15 CEST

Whiteboard: (none) => MGA9TOO
Status comment: (none) => Fixed upstream in 2.5.0 and patches available from Ubuntu
CVE: (none) => CVE-2025-50181, CVE-2025-50182
Source RPM: (none) => python-urllib3-2.3.0-2.mga10.src.rpm, python-urllib3-1.26.20-1.mga9.src.rpm

Comment 1 Lewis Smith 2025-06-27 21:39:12 CEST
CVE-2025-50182
"This issue has been patched in version 2.5.0."
CVE-2025-50181
"This issue has been patched in version 2.5.0."
No sign of the patches...

Assignee: bugsquad => python

Comment 2 Nicolas Salguero 2025-06-30 09:01:15 CEST
Ubuntu has issued an advisory on June 26:
https://ubuntu.com/security/notices/USN-7599-2

Summary: python-urllib3 new security issues CVE-2025-5018[12] => python-urllib3 new security issues CVE-2025-5018[12] ; python-pip new security issue CVE-2025-50181
Source RPM: python-urllib3-2.3.0-2.mga10.src.rpm, python-urllib3-1.26.20-1.mga9.src.rpm => python-urllib3-2.3.0-2.mga10.src.rpm, python-pip-25.1.1-1.mga10.src.rpm, python-urllib3-1.26.20-1.mga9.src.rpm, python-pip-23.0.1-1.1.mga9.src.rpm

Comment 3 Jani Välimaa 2025-08-05 22:37:27 CEST
Fixed in cauldron with python-urllib3-2.5.0-1.mga10 and python-pip-25.2-1.mga10.

Source RPM: python-urllib3-2.3.0-2.mga10.src.rpm, python-pip-25.1.1-1.mga10.src.rpm, python-urllib3-1.26.20-1.mga9.src.rpm, python-pip-23.0.1-1.1.mga9.src.rpm => python-urllib3-1.26.20-1.mga9.src.rpm, python-pip-23.0.1-1.1.mga9.src.rpm
Version: Cauldron => 9
Whiteboard: MGA9TOO => (none)
CC: (none) => jani.valimaa

Comment 4 Nicolas Salguero 2025-11-10 12:11:36 CET
CVE-2025-50182 does not affect Mageia 9.

Summary: python-urllib3 new security issues CVE-2025-5018[12] ; python-pip new security issue CVE-2025-50181 => python-urllib3 and python-pip new security issue CVE-2025-50181

Nicolas Salguero 2025-11-10 12:11:40 CET

CVE: CVE-2025-50181, CVE-2025-50182 => CVE-2025-50181

Comment 5 Nicolas Salguero 2025-11-10 13:48:20 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Urllib3 redirects are not disabled when retries are disabled on PoolManager instantiation. (CVE-2025-50181)

References:
https://ubuntu.com/security/notices/USN-7599-1
https://ubuntu.com/security/notices/USN-7599-2
========================

Updated packages in core/updates_testing:
========================
python3-urllib3+brotli-1.26.20-1.1.mga9
python3-urllib3+socks-1.26.20-1.1.mga9
python3-urllib3-1.26.20-1.1.mga9

python-pip-doc-23.0.1-1.2.mga9
python-pip-wheel-23.0.1-1.2.mga9
python3-pip-23.0.1-1.2.mga9

from SRPMS:
python-urllib3-1.26.20-1.1.mga9.src.rpm
python-pip-23.0.1-1.2.mga9.src.rpm

Status: NEW => ASSIGNED
Status comment: Fixed upstream in 2.5.0 and patches available from Ubuntu => (none)
Assignee: python => qa-bugs
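The one-line advisory text above ("redirects are not disabled when retries are disabled on PoolManager instantiation") is the whole bug: per the upstream fix in 2.5.0, `retries=0`, `retries=False` or `Retry(redirect=0)` given to `PoolManager()` did not stop that manager from following redirects, whereas `redirect=False` on the `request()` call itself did. The following audit helper is an added example, not code from this bug report, from Mageia or from urllib3: it walks Python source with `ast` and reports the `request()`/`urlopen()` calls whose only redirect control is that ineffective manager-level setting, using a constructed sample as input.

```python
# Added audit helper for CVE-2025-50181; not code from the bug report, Mageia
# or urllib3. Before urllib3 2.5.0, retries=0 / retries=False / Retry(redirect=0)
# passed to PoolManager() did not stop that manager from following redirects;
# redirect=False on the request() call itself did. SAMPLE is constructed input.
import ast

SAMPLE = """
import urllib3
a = urllib3.PoolManager(retries=0)
b = urllib3.PoolManager(retries=False)
c = urllib3.PoolManager(retries=urllib3.Retry(redirect=0))
d = urllib3.PoolManager()
r1 = a.request("GET", url)                  # relies on the manager only
r2 = b.request("GET", url, redirect=False)  # per-request flag, effective
r3 = c.urlopen("GET", url)                  # relies on the manager only
r4 = d.request("GET", url)                  # redirects intended, not flagged
"""


def _callee(func):
    """Bare name of a called function: urllib3.PoolManager -> 'PoolManager'."""
    return getattr(func, "id", None) or getattr(func, "attr", None)


def _retries_blocks_redirects(value):
    """retries=0, retries=False or retries=Retry(redirect=0); False == 0 here."""
    zero = lambda n: isinstance(n, ast.Constant) and n.value == 0
    if isinstance(value, ast.Call) and _callee(value.func) == "Retry":
        return any(kw.arg == "redirect" and zero(kw.value) for kw in value.keywords)
    return zero(value)


def find_affected_requests(source):
    """Sorted (line, manager) for request()/urlopen() calls whose only redirect
    control is the PoolManager-level retries argument."""
    tree = ast.parse(source)
    managers = set()
    for node in ast.walk(tree):  # pass 1: managers whose retries should block redirects
        if (isinstance(node, ast.Assign) and isinstance(node.value, ast.Call)
                and _callee(node.value.func) == "PoolManager"
                and any(kw.arg == "retries" and _retries_blocks_redirects(kw.value)
                        for kw in node.value.keywords)):
            managers.update(t.id for t in node.targets if isinstance(t, ast.Name))
    findings = []
    for node in ast.walk(tree):  # pass 2: requests on those managers
        func = node.func if isinstance(node, ast.Call) else None
        if (isinstance(func, ast.Attribute) and func.attr in ("request", "urlopen")
                and isinstance(func.value, ast.Name) and func.value.id in managers
                and not any(kw.arg == "redirect" and isinstance(kw.value, ast.Constant)
                            and kw.value.value is False for kw in node.keywords)):
            findings.append((node.lineno, func.value.id))
    return sorted(findings)
```

Running `find_affected_requests(SAMPLE)` reports lines 7 and 9 (managers `a` and `c`); the fix on an unpatched urllib3 is to pass `redirect=False` on those calls rather than trusting the constructor argument.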

katnatek 2025-11-11 22:45:52 CET

Keywords: (none) => advisory

Comment 6 Herman Viaene 2025-11-12 18:04:47 CET
MGA9-64 server Plasma Wayland on Compaq H000SB
No installation issues.
For python3-urllib3 ref bug 33716, installed yt-dlp and downloaded from youtube. Resulting file plays OK in vlc.
For python3-pip ref bug 33542 Comment 3.
After removing the existing installation of pandas
$ pip install --user pandas
Collecting pandas
  Downloading pandas-2.3.3-cp310-cp310-manylinux_2_24_x86_64.manylinux_2_28_x86_64.whl (12.8 MB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 12.8/12.8 MB 4.6 MB/s eta 0:00:00
Collecting tzdata>=2022.7
  Downloading tzdata-2025.2-py2.py3-none-any.whl (347 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 347.8/347.8 kB 2.0 MB/s eta 0:00:00
Collecting python-dateutil>=2.8.2
  Downloading python_dateutil-2.9.0.post0-py2.py3-none-any.whl (229 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 229.9/229.9 kB 1.6 MB/s eta 0:00:00
Collecting pytz>=2020.1
  Downloading pytz-2025.2-py2.py3-none-any.whl (509 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 509.2/509.2 kB 2.1 MB/s eta 0:00:00
Requirement already satisfied: numpy>=1.22.4 in /usr/lib64/python3.10/site-packages (from pandas) (1.24.3)
Collecting six>=1.5
  Downloading six-1.17.0-py2.py3-none-any.whl (11 kB)
Installing collected packages: pytz, tzdata, six, python-dateutil, pandas
Successfully installed pandas-2.3.3 python-dateutil-2.9.0.post0 pytz-2025.2 six-1.17.0 tzdata-2025.2
So all OK for me.

Whiteboard: (none) => MGA9-64-OK
CC: (none) => herman.viaene

Comment 7 Thomas Andrews 2025-11-12 19:31:35 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 8 Mageia Robot 2025-11-12 22:36:41 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0281.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

