USN-8344-1 fixed vulnerabilities in pip. On Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 26.04 LTS the patches for CVE-2025-66471 caused a regression when using pip. The patches for CVE-2025-66471 have been temporarily reverted pending investigation. We apologize for the inconvenience. Original advisory details: It was discovered that pip incorrectly handled TLS certificate verification in session connections. If a session was first used with certificate verification disabled, subsequent requests to the same host would also skip verification regardless of the session's current settings. A remote attacker could possibly use this issue to perform a machine-in-the-middle attack and expose sensitive information. (CVE-2024-35195) It was discovered that pip's bundled urllib3 library did not limit the number of decompression steps when processing HTTP responses. A remote attacker could possibly use this issue to cause pip to consume excessive resources, leading to a denial of service. (CVE-2025-66418) It was discovered that pip's bundled urllib3 library improperly handled streaming decompression of highly compressed data. A remote attacker could possibly use this issue to cause pip to consume excessive resources, leading to a denial of service. (CVE-2025-66471)