An update for python-virtualenv is now available for openEuler-24.03-LTS-SP1 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2026-1188 Final 1.0 1.0 2026-01-16 Initial 2026-01-16 2026-01-16 openEuler SA Tool V1.0 2026-01-16 python-virtualenv security update An update for python-virtualenv is now available for openEuler-24.03-LTS-SP1 Virtualenv is a tool to create isolated Python environments. Since Python 3.3, a subset of it has been integrated into the standard library under the venv module. Note though, that the venv module does not offer all features of this library (e.g. cannot create bootstrap scripts, cannot create virtual environments for other python versions than the host python, not relocatable, etc.). Tools in general as such still may prefer using virtualenv for its ease of upgrading (via pip), unified handling of different Python versions and some more advanced features. Security Fix(es): virtualenv is a tool for creating isolated virtual python environments. Prior to version 20.36.1, TOCTOU (Time-of-Check-Time-of-Use) vulnerabilities in virtualenv allow local attackers to perform symlink-based attacks on directory creation operations. An attacker with local access can exploit a race condition between directory existence checks and creation to redirect virtualenv's app_data and lock file operations to attacker-controlled locations. This issue has been patched in version 20.36.1.(CVE-2026-22702) An update for python-virtualenv is now available for master/openEuler-22.03-LTS-SP3/openEuler-22.03-LTS-SP4/openEuler-24.03-LTS/openEuler-24.03-LTS-Next/openEuler-24.03-LTS-SP1/openEuler-24.03-LTS-SP2/openEuler-24.03-LTS-SP3. openEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Medium python-virtualenv https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1188 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-22702 https://nvd.nist.gov/vuln/detail/CVE-2026-22702 openEuler-24.03-LTS-SP1 python-virtualenv-20.26.6-2.oe2403sp1.src.rpm python3-virtualenv-20.26.6-2.oe2403sp1.noarch.rpm virtualenv is a tool for creating isolated virtual python environments. Prior to version 20.36.1, TOCTOU (Time-of-Check-Time-of-Use) vulnerabilities in virtualenv allow local attackers to perform symlink-based attacks on directory creation operations. An attacker with local access can exploit a race condition between directory existence checks and creation to redirect virtualenv's app_data and lock file operations to attacker-controlled locations. This issue has been patched in version 20.36.1. 2026-01-16 CVE-2026-22702 openEuler-24.03-LTS-SP1 Medium 4.5 AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L python-virtualenv security update 2026-01-16 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1188