All commit authors signed the Contributor License Agreement.

Most changes to Pythonrequire a NEWS entry. Add one using theblurb_it web app or theblurb command-line tool.

If this change has little impact on Python users, wait for a maintainer to apply theskip news label instead.

Checked the.whl file at and it matches theSHA256 on PyPI:

$ wget https://github.com/python/cpython/raw/e7fe64508d58d51f0682b15336534b538cc78123/Lib/ensurepip/_bundled/pip-23.3.1-py3-none-any.whl--2023-12-04 11:24:03--  https://github.com/python/cpython/raw/e7fe64508d58d51f0682b15336534b538cc78123/Lib/ensurepip/_bundled/pip-23.3.1-py3-none-any.whlResolving github.com (github.com)... 140.82.114.3Connecting to github.com (github.com)|140.82.114.3|:443... connected.HTTP request sent, awaiting response... 302 FoundLocation: https://raw.githubusercontent.com/python/cpython/e7fe64508d58d51f0682b15336534b538cc78123/Lib/ensurepip/_bundled/pip-23.3.1-py3-none-any.whl [following]--2023-12-04 11:24:03--  https://raw.githubusercontent.com/python/cpython/e7fe64508d58d51f0682b15336534b538cc78123/Lib/ensurepip/_bundled/pip-23.3.1-py3-none-any.whlResolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.111.133, 185.199.110.133, 185.199.108.133, ...Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.111.133|:443... connected.HTTP request sent, awaiting response... 200 OKLength: 2107242 (2.0M) [application/octet-stream]Saving to: ‘pip-23.3.1-py3-none-any.whl’pip-23.3.1-py3-none-any.whl                         100%[==================================================================================================================>]   2.01M  4.65MB/s    in 0.4s    s2023-12-04 11:24:04 (4.65 MB/s) - ‘pip-23.3.1-py3-none-any.whl’ saved [2107242/2107242]$ sha256sum pip-23.3.1-py3-none-any.whl 55eb67bb6171d37447e82213be585b75fe2b12b359e993773aca4de9247a052b  pip-23.3.1-py3-none-any.whl

In a separate directory:

$ python -m pip download pipCollecting pip  Obtaining dependency information for pip from https://files.pythonhosted.org/packages/47/6a/453160888fab7c6a432a6e25f8afe6256d0d9f2cbd25971021da6491d899/pip-23.3.1-py3-none-any.whl.metadata  Using cached pip-23.3.1-py3-none-any.whl.metadata (3.5 kB)Using cached pip-23.3.1-py3-none-any.whl (2.1 MB)Saved ./pip-23.3.1-py3-none-any.whlSuccessfully downloaded pip[notice] A new release of pip is available: 23.2.1 -> 23.3.1[notice] To update, run: pip install --upgrade pip$ sha256sum pip-23.3.1-py3-none-any.whl 55eb67bb6171d37447e82213be585b75fe2b12b359e993773aca4de9247a052b  pip-23.3.1-py3-none-any.whl

Those hashes match, therefore we should be fine to merge the commit:e7fe645

Thanks@schribl for the PR, and@ambv for merging it 🌮🎉.. I'm working now to backport this PR to: 3.12.
🐍🍒⛏🤖

Thanks@schribl for the PR, and@ambv for merging it 🌮🎉.. I'm working now to backport this PR to: 3.11.
🐍🍒⛏🤖

Sorry,@schribl and@ambv, I could not cleanly backport this to3.11 due to a conflict.
Please backport usingcherry_picker on command line.

cherry_picker 1e4680ce52ab6c065f5e0bb27e0b156b897aff67 3.11

GH-112718 is a backport of this pull request to the3.12 branch.

I'm handling the 3.11 backport.

GH-112719 is a backport of this pull request to the3.11 branch.

I'm handling the 3.11 backport.

Hi I'm curious if this would be backported to 3.8 version? Thanks

Python 3.8 only gets security fixes, and 3.8 releases are now provided as source only, so I don't think this qualifies for backporting on either count.

• https://devguide.python.org/versions/
• https://peps.python.org/pep-0569/#source-only-security-fix-releases
• https://devguide.python.org/developer-workflow/development-cycle/#security-branches

You can update pip through pip (e.g.python -m pip install --upgrade pip) or through your distro package manager.

I think what we've observed is that there's a vulnability in pip 23.2, and pip 23.3 would fix it, do you think this would qualify a bump for the security fix?https://nvd.nist.gov/vuln/detail/CVE-2023-5752

I'm also curious about the statement "Provided irregularly on an “as-needed” basis until October 2024." What are the regular security fixes that the community is watching an eye on for 3.8 to do the source fix?

I think what we've observed is that there's a vulnability in pip 23.2, and pip 23.3 would fix it, do you think this would qualify a bump for the security fix?nvd.nist.gov/vuln/detail/CVE-2023-5752

I don't think so, but it's up to the release managers and security team to decide. My understanding is that the CVE would only affect people trying to install a package from a Mercurial repo. Plus I'm not sure how worthwhile it is updating a pip binary file in a source-only release, when pip can be directly updated in other ways.

But let's ask 3.8 release manager@ambv to confirm.

I'm also curious about the statement "Provided irregularly on an “as-needed” basis until October 2024." What are the regular security fixes that the community is watching an eye on for 3.8 to do the source fix?

It means there are no longer planned release dates for new 3.8 versions. If a security fix comes up that is important enough to warrant a 3.8 release, one will be made at that time.