Source: python-virtualenv
Version: 20.35.4+ds-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/pypa/virtualenv/pull/3013
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,

The following vulnerability was published for python-virtualenv.

CVE-2026-22702[0]:
| virtualenv is a tool for creating isolated virtual python
| environments. Prior to version 20.36.1, TOCTOU
| (Time-of-Check-Time-of-Use) vulnerabilities in virtualenv allow
| local attackers to perform symlink-based attacks on directory
| creation operations. An attacker with local access can exploit a
| race condition between directory existence checks and creation to
| redirect virtualenv's app_data and lock file operations to
| attacker-controlled locations. This issue has been patched in
| version 20.36.1.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-22702
    https://www.cve.org/CVERecord?id=CVE-2026-22702
[1] https://github.com/pypa/virtualenv/pull/3013
[2] https://github.com/pypa/virtualenv/security/advisories/GHSA-597g-3phw-6986
[3] https://github.com/pypa/virtualenv/commit/dec4cec5d16edaf83a00a658f32d1e032661cebc

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
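The CVE text above describes a check-then-create race on virtualenv's app_data directory. The following is an added illustration of that bug class and is not virtualenv's code, nor a reproduction of the fix in the linked PR. `vulnerable_ensure_dir` shows the classic pattern (an `isdir` check, then a path-based write into the directory); `hardened_open_dir` creates the directory without a separate existence check, opens it with `O_NOFOLLOW|O_DIRECTORY`, validates the handle with `fstat`, and performs later writes relative to that fd so a symlink swap can no longer redirect them. `run_scenario` is a constructed test harness: instead of racing a real attacker it plants the attacker's symlink deterministically before the victim's step runs. All function names are hypothetical, and the code assumes a POSIX system (`dir_fd`, `O_NOFOLLOW`, `O_DIRECTORY`, `getuid`).

```python
"""Check-then-create TOCTOU on an app-data directory: the vulnerable pattern
next to a hardened alternative.  Added illustration only; this is not
virtualenv's code and does not reproduce the fix in the linked PR.
Assumes a POSIX system (dir_fd, O_NOFOLLOW, O_DIRECTORY, getuid)."""
import os
import stat
import tempfile


def vulnerable_ensure_dir(path):
    """Check-then-use.  isdir() follows symlinks, so an attacker-planted
    symlink at `path` passes the check, mkdir is skipped, and every later
    path-based write into `path` lands in the symlink's target."""
    if not os.path.isdir(path):          # check
        os.makedirs(path)                # (race window between check and use)
    return path                          # use: caller writes lock files here


def write_lock_by_path(app_data, name="lock"):
    """Path-based write: follows whatever `app_data` currently resolves to."""
    lock = os.path.join(app_data, name)
    with open(lock, "w") as fh:
        fh.write(str(os.getpid()))
    return lock


def hardened_open_dir(path):
    """Create without a prior existence check, then open the directory itself
    with O_NOFOLLOW|O_DIRECTORY and validate the *handle* with fstat.  A
    symlink at `path` makes the open fail (ELOOP) instead of being followed,
    and later writes go through the fd, so a swap after this point cannot
    redirect them.  Returns the directory fd; the caller must close it."""
    try:
        os.mkdir(path, 0o700)
    except FileExistsError:
        pass                             # ours, or an attacker's: decided below
    try:
        fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    except OSError as exc:               # ELOOP for a symlink, ENOTDIR for a file
        raise RuntimeError(f"refusing {path}: {exc.strerror}") from exc
    try:
        st = os.fstat(fd)
        if st.st_uid != os.getuid():
            raise RuntimeError(f"refusing {path}: not owned by current user")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise RuntimeError(f"refusing {path}: writable by group/other")
    except BaseException:
        os.close(fd)
        raise
    return fd


def write_lock_by_fd(dir_fd, name="lock"):
    """fd-relative write: `name` is resolved inside the directory we already
    validated; O_NOFOLLOW refuses a symlink planted under that name."""
    fd = os.open(name, os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW,
                 0o600, dir_fd=dir_fd)
    with os.fdopen(fd, "w") as fh:
        fh.write(str(os.getpid()))


def run_scenario(hardened, attacker_wins):
    """Constructed scenario (not a real virtualenv run).  When `attacker_wins`,
    the attacker has already replaced the not-yet-created app_data name with a
    symlink to a directory they control, a deterministic stand-in for winning
    the race.  Returns ("wrote", <did the lock file land in the attacker's
    directory?>) or ("refused", <reason>)."""
    with tempfile.TemporaryDirectory() as root:
        app_data = os.path.join(root, "app_data")
        attacker_dir = os.path.join(root, "attacker")
        os.mkdir(attacker_dir)
        if attacker_wins:
            os.symlink(attacker_dir, app_data)
        if not hardened:
            lock = write_lock_by_path(vulnerable_ensure_dir(app_data))
            landed = os.path.dirname(os.path.realpath(lock))
            return ("wrote", os.path.samefile(landed, attacker_dir))
        try:
            fd = hardened_open_dir(app_data)
        except RuntimeError as exc:
            return ("refused", str(exc))
        try:
            write_lock_by_fd(fd)
        finally:
            os.close(fd)
        return ("wrote", os.path.exists(os.path.join(attacker_dir, "lock")))


if __name__ == "__main__":
    print("vulnerable, attacker wins:", run_scenario(False, True))
    print("hardened,   attacker wins:", run_scenario(True, True))
    print("hardened,   no attacker:  ", run_scenario(True, False))
```

The point of the hardened variant is not the extra checks by themselves but where they are made: an `lstat` on the path would still leave a window before the next path-based open, whereas `fstat` on the open directory fd and `dir_fd`-relative writes act on the object already in hand, so there is nothing left for an attacker to swap underneath.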

