From 697dfc92b45e0a47566de40882c052f9cb123188 Mon Sep 17 00:00:00 2001
From: xieyanlong <xieyanlong@kylinos.cn>
Date: Thu, 18 Sep 2025 09:40:47 +0800
Subject: [PATCH] Fix CVE-2023-32681

---
 backport-CVE-2023-32681.patch | 27 +++++++++++++++++++++++++++
 python-pip.spec               |  6 +++++-
 2 files changed, 32 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2023-32681.patch

diff --git a/backport-CVE-2023-32681.patch b/backport-CVE-2023-32681.patch
new file mode 100644
index 0000000..be6cca2
--- /dev/null
+++ b/backport-CVE-2023-32681.patch
@@ -0,0 +1,27 @@
+From 74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5 Mon Sep 17 00:00:00 2001
+From: Nate Prewitt <nate.prewitt@gmail.com>
+Date: Mon, 22 May 2023 08:08:57 -0700
+Subject: [PATCH] Merge pull request from GHSA-j8r2-6x86-q33q
+
+---
+ pip-20.2.2/src/pip/_vendor/requests/sessions.py | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/pip/_vendor/requests/sessions.py b/src/pip/_vendor/requests/sessions.py
+index e8e2d60..6e73925 100644
+--- a/src/pip/_vendor/requests/sessions.py
++++ b/src/pip/_vendor/requests/sessions.py
+@@ -306,7 +306,9 @@ class SessionRedirectMixin(object):
+         except KeyError:
+             username, password = None, None
+ 
+-        if username and password:
++        # urllib3 handles proxy authorization for us in the standard adapter.
++        # Avoid appending this to TLS tunneled requests where it may be leaked.
++        if not scheme.startswith('https') and username and password:
+             headers['Proxy-Authorization'] = _basic_auth_str(username, password)
+ 
+         return new_proxies
+-- 
+2.49.0
+
diff --git a/python-pip.spec b/python-pip.spec
index 2e17b93..148bbd6 100644
--- a/python-pip.spec
+++ b/python-pip.spec
@@ -7,7 +7,7 @@ pip is the package installer for Python. You can use pip to install packages fro
 %global bashcompdir %(b=$(pkg-config --variable=completionsdir bash-completion 2>/dev/null); echo ${b:-%{_sysconfdir}/bash_completion.d})
 Name:           python-%{srcname}
 Version:        20.2.2
-Release:        11
+Release:        12
 Summary:        A tool for installing and managing Python packages
 License:        MIT and Python and ASL 2.0 and BSD and ISC and LGPLv2 and MPLv2.0 and (ASL 2.0 or BSD)
 URL:            http://www.pip-installer.org
@@ -26,6 +26,7 @@ Patch6006:      backport-CVE-2023-45803-Made-body-stripped-from-HTTP-requests.pa
 Patch6007:      backport-CVE-2024-37891-Strip-Proxy-Authorization-header-on-redirects.patch
 Patch6008:      backport-CVE-2024-47081.patch
 Patch6009:      backport-CVE-2025-50181.patch
+Patch6010:      backport-CVE-2023-32681.patch
 
 Source1:	pip-allow-older-versions.patch
 
@@ -163,6 +164,9 @@ install -p dist/%{python_wheelname} -t %{buildroot}%{python_wheeldir}
 %{python_wheeldir}/%{python_wheelname}
 
 %changelog
+* Thu Sep 18 2025 xieyanlong <xieyanlong@kylinos.cn> - 20.2.2-12
+- Fix CVE-2023-32681
+
 * Wed Sep 10 2025 xiangyuning <xiangyuning@h-partners.com> - 20.2.2-11
 - Fix CVE-2025-50181
 
-- 
Gitee