Skip to content

[MEDIUM] Upgrade python-virtualenv to 20.36.1 for CVE-2026-22702#15509

Merged
kgodara912 merged 5 commits intomicrosoft:mainfrom
azurelinux-security:topic_python-virtualenv-2.0
Feb 19, 2026
Merged

[MEDIUM] Upgrade python-virtualenv to 20.36.1 for CVE-2026-22702#15509
kgodara912 merged 5 commits intomicrosoft:mainfrom
azurelinux-security:topic_python-virtualenv-2.0

Conversation

@archana25-ms
Copy link
Copy Markdown
Contributor

@archana25-ms archana25-ms commented Jan 15, 2026
edited
Loading

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

  • The toolchain has been rebuilt successfully (or no changes were made to it)
  • The toolchain/worker package manifests are up-to-date
  • Any updated packages successfully build (or no packages were changed)
  • Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
  • Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • All package sources are available
  • cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
  • LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
  • All source files have up-to-date hashes in the *.signatures.json files
  • sudo make go-tidy-all and sudo make go-test-coverage pass
  • Documentation has been updated to match any changes to the build system
  • Ready to merge
Summary

What does the PR accomplish, why was it needed?
Upgrade python-virtualenv to 20.36.1 for CVE-2026-22702

Change Log
  • modified: ../SPECS/python-virtualenv/0001-replace-to-flit.patch
  • renamed: ../SPECS/python-virtualenv/CVE-2025-50181v1.patch -> ../SPECS/python-virtualenv/CVE-2025-50181.patch
  • deleted: ../SPECS/python-virtualenv/CVE-2025-50181v0.patch
  • deleted: ../SPECS/python-virtualenv/CVE-2025-50181v2.patch
  • deleted: ../SPECS/python-virtualenv/CVE-2025-50181v3.patch
  • modified: ../SPECS/python-virtualenv/python-virtualenv.signatures.json
  • modified: ../SPECS/python-virtualenv/python-virtualenv.spec
  • modified: ../cgmanifest.json
Does this affect the toolchain?

NO

Links to CVEs
Test Methodology
  • Pipeline build id: xxxx
    Build and Test is successful
image

@archana25-ms archana25-ms requested a review from a team as a code owner January 15, 2026 13:48
@Kanishk-Bansal Kanishk-Bansal added security CVE-fixed-by-upgrade CVE fixed by package upgrade labels Jan 15, 2026
@Kanishk-Bansal Kanishk-Bansal marked this pull request as draft January 15, 2026 14:25
@Kanishk-Bansal Kanishk-Bansal marked this pull request as ready for review January 15, 2026 18:02
@Kanishk-Bansal
Copy link
Copy Markdown
Contributor

Kanishk-Bansal commented Jan 15, 2026

Build

@archana25-ms
Copy link
Copy Markdown
Contributor Author

archana25-ms commented Jan 16, 2026

Build

Buddy Build successful

mfrw
mfrw approved these changes Jan 16, 2026
View reviewed changes
Comment thread SPECS/python-virtualenv/python-virtualenv.spec
@Kanishk-Bansal Kanishk-Bansal added the ready-for-stable-review PR has passed initial review and is now ready for a second-level stable maintainer review label Jan 16, 2026
@kgodara912
Copy link
Copy Markdown
Contributor

kgodara912 commented Jan 18, 2026

Same as 3.0, #15507 (comment), there may be breaking changes.

@Kanishk-Bansal
Copy link
Copy Markdown
Contributor

Kanishk-Bansal commented Jan 21, 2026

I feel there is no breaking changes according to changelogs. Co-pilot also suggested no breaking changes.
Hence, we can move ahead with the upgrade.

kgodara912
kgodara912 reviewed Feb 15, 2026
View reviewed changes
Comment thread SPECS/python-virtualenv/python-virtualenv.spec Outdated
kgodara912
kgodara912 approved these changes Feb 19, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@kgodara912 kgodara912 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Version upgrade to python-virtualenv. Buddy build is successful. The removed cve patches are not needed. LGTM.

@kgodara912 kgodara912 merged commit 696c708 into microsoft:main Feb 19, 2026
13 checks passed
@Kanishk-Bansal Kanishk-Bansal mentioned this pull request Feb 24, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mfrw mfrw mfrw approved these changes

@kgodara912 kgodara912 kgodara912 approved these changes

Assignees

No one assigned

Labels

CVE-fixed-by-upgrade CVE fixed by package upgrade main PR Destined for main Packaging ready-for-stable-review PR has passed initial review and is now ready for a second-level stable maintainer review security

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@archana25-ms @Kanishk-Bansal @kgodara912 @mfrw