SB2026041738 - Anolis OS update for python-pip
Published: April 17, 2026
Description
This security bulletin contains information about 3 security vulnerabilities.
1) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2025-66418)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to missing limits on the number of links in the decompression chain when handling gzip or zstd data in the server response. A malicious server can send a response with a large number of links and cause high CPU load, leading to a denial of service condition.
2) Resource exhaustion (CVE-ID: CVE-2025-66471)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to the streaming API not properly controlling consumption of internal resources. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
3) Path traversal (CVE-ID: CVE-2026-1703)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to an input validation error when installing and extracting wheel archives. A remote attacker can trick the victim into installing a malicious wheel archive and overwrite arbitrary files on the system.
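The following is an added defensive check, not pip's own code, showing how an installer can audit the member paths of a wheel (a zip archive) and refuse the whole archive when any entry would be written outside the destination, which is the class of traversal described above. The wheel contents and the `build/site-packages` destination are constructed for illustration.

```python
import io
import os
import zipfile
from pathlib import PurePosixPath

def unsafe_members(names: list[str], dest: str) -> list[str]:
    """Return the archive member names that would be written outside `dest`."""
    dest_real = os.path.realpath(dest)
    bad = []
    for name in names:
        p = PurePosixPath(name)
        # Reject outright: absolute paths, backslashes (Windows separators),
        # drive letters and any '..' component anywhere in the path.
        if (p.is_absolute() or "\\" in name or ".." in p.parts
                or (p.parts and ":" in p.parts[0])):
            bad.append(name)
            continue
        # Belt and braces: the resolved target must still sit under dest.
        target = os.path.realpath(os.path.join(dest_real, *p.parts))
        if os.path.commonpath([dest_real, target]) != dest_real:
            bad.append(name)
    return bad

def audit_wheel(wheel_bytes: bytes, dest: str = "build/site-packages") -> list[str]:
    """List unsafe members of an in-memory wheel without extracting anything."""
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        return unsafe_members(zf.namelist(), dest)

def safe_extract_wheel(wheel_bytes: bytes, dest: str) -> list[str]:
    """Extract only if every member is safe; refuse the whole archive otherwise.
    zipfile.extractall silently drops '..' and leading '/', but an installer
    should reject and report such an archive rather than quietly rewrite it."""
    bad = audit_wheel(wheel_bytes, dest)
    if bad:
        raise ValueError(f"refusing wheel: unsafe member paths {bad}")
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        zf.extractall(dest)
        return zf.namelist()

def build_wheel(members: dict[str, bytes]) -> bytes:
    """Constructed in-memory wheel (a plain zip) used here only as sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed samples: a well-formed wheel layout and one with a traversal member.
GOOD_WHEEL = build_wheel({"pkg/__init__.py": b"", "pkg-1.0.dist-info/METADATA": b"Name: pkg\n"})
BAD_WHEEL = build_wheel({"pkg/__init__.py": b"", "../../.bashrc": b"# constructed traversal member\n"})
```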
Remediation
Install update from vendor's website.