SB2026041738 - Anolis OS update for python-pip
Published: April 17, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 vulnerabilities.
1) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2025-66418)
CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to missing limits on the number of links in the decompression chain when handling gzip or zstd data in the server response. A malicious server can send a response with a large amount of links and cause high CPU load, leading to a denial of service condition.
2) Resource exhaustion (CVE-ID: CVE-2025-66471)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to the streaming API does not properly control consumption of internal resources. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
3) Path traversal (CVE-ID: CVE-2026-1703)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when installing and extracting wheel archives. A remote attacker can trick the victim into installing a malicious wheel archive and overwrite arbitrary files on the system.
Remediation
Install update from vendor's website.