From 5e2c8f3a39a78ba4b9eaf919bf8a1b4813c4b5f8 Mon Sep 17 00:00:00 2001
From: Anthonios Partheniou
Date: Mon, 9 Feb 2026 15:34:15 +0000
Subject: [PATCH] fix(python-multi): remove pip older than 25.3
---
 python/googleapis/python-multi/Dockerfile | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/python/googleapis/python-multi/Dockerfile b/python/googleapis/python-multi/Dockerfile
index d73413c8..1bed70de 100644
--- a/python/googleapis/python-multi/Dockerfile
+++ b/python/googleapis/python-multi/Dockerfile
@@ -116,7 +116,7 @@ RUN LATEST_VERSION="2.6.1" && \
 dpkg -i cosign_${LATEST_VERSION}_amd64.deb && \
 rm cosign_${LATEST_VERSION}_amd64.deb
-ARG PYTHON_VERSIONS="3.10.19 3.11.14 3.12.12 3.13.11 3.14.0"
+ARG PYTHON_VERSIONS="3.10.19 3.11.14 3.12.12 3.13.11 3.14.3"
 SHELL ["/bin/bash", "-c"]
@@ -182,6 +182,10 @@ RUN rm -rf /usr/local/lib/python3.12/test/wheeldata/wheel-0.40.0-py3-none-any.wh
 # See upstream bug https://github.com/python/cpython/issues/131860
 RUN rm -rf /usr/local/lib/python3.10/ensurepip/_bundled/pip-23.0.1-py3-none-any.whl
+# TODO: Remove this code once a newer version of Python 3.11 is available
+# There is no patch for CVE-2023-5752. We need to manually remove the vulnerable pip-24.0/pip-25.0.1 binary
+RUN rm -rf /usr/local/lib/python3.11/ensurepip/_bundled/pip-24.0-py3-none-any.whl
+
 # Install pip on Python 3.10 only.
 # If the environment variable is called "PIP_VERSION", pip explodes with
 # "ValueError: invalid truth value ''"
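Review bot: The new `RUN rm -rf /usr/local/lib/python3.11/ensurepip/_bundled/pip-24.0-py3-none-any.whl` succeeds silently when that exact file is absent, so a future PYTHON_VERSIONS bump that ships a different but still-vulnerable bundled pip under 3.11 would leave it in place with no build signal; since the TODO already expects this line to be revisited when the bundled pip changes, making it fail loudly is the safer shape, e.g. `RUN f=/usr/local/lib/python3.11/ensurepip/_bundled/pip-24.0-py3-none-any.whl && test -f "$f" && rm -f -- "$f"` (the `SHELL ["/bin/bash", "-c"]` above makes this valid). The same consideration applies to the 3.12 ensurepip removal and the two virtualenv embed removals in the later hunks of this commit. The added comment cites CVE-2023-5752 and names "pip-24.0/pip-25.0.1", while only the pip-24.0 wheel is removed here and the commit subject and the other hunks tie the removal to pip older than 25.3 / CVE-2025-8869; it looks copied from the 3.10 block, so please confirm the CVE id and narrow the comment to what this line removes, e.g. `# Remove the bundled pip 24.0 wheel; it predates the fix shipped in pip 25.3`. After this removal `python3.11 -m venv` can no longer seed pip from ensurepip, which is presumably intended (it mirrors the 3.10 line above), but worth a word in the comment.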
@@ -231,15 +235,23 @@ RUN for PYTHON_VERSION in 3.10 3.11; do \
 # Remove bundled 0.45.1 wheel
 # since it does not include a fix for CVE-2026-24049
 && rm -rf /usr/local/lib/python${PYTHON_VERSION}/site-packages/virtualenv/seed/wheels/embed/wheel-0.45.1-py3-none-any.whl \
+ # Remove bundled pip 25.0.1
+ # since it does not include a fix for CVE-2025-8869
+ && rm -rf /usr/local/lib/python${PYTHON_VERSION}/site-packages/virtualenv/seed/wheels/embed/pip-25.0.1-py3-none-any.whl \
 ; done
 # Python 3.12 is preferred because it does not include
 # a bundled version of setuptools in `Lib/ensurepip/_bundled`
 # which could be impacted by CVE-2025-47273/CVE-2025-47273.
 RUN python3.12 -m venv /venv
+RUN /venv/bin/python -m pip install --upgrade pip
 RUN /venv/bin/python -m pip install --no-cache-dir -r /requirements-3.12.txt
 ENV PATH=/venv/bin:$PATH
+# TODO: Remove this code once a newer version of Python 3.12 is available
+# There is no patch for CVE-2023-5752. We need to manually remove the vulnerable pip-24.0/pip-25.0.1 binary
+RUN rm -rf /usr/local/lib/python3.12/ensurepip/_bundled/pip-25.0.1-py3-none-any.whl
+
 # TODO: Remove this code once there is a newer version of virtualenv which does not include setuptools 75.3.2
 # https://github.com/pypa/virtualenv/tree/main/src/virtualenv/seed/wheels/embed
 # In the interim, remove the bundled setuptools 75.3.2 wheel
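Review bot: `RUN /venv/bin/python -m pip install --upgrade pip` installs whatever pip PyPI serves at build time, so the 25.3 floor named in the commit subject is not actually enforced and the image is not reproducible across rebuilds; pin it, and keep the cache flag consistent with the next line: `RUN /venv/bin/python -m pip install --no-cache-dir --upgrade "pip>=25.3"` (or an exact `pip==<version>`). The ordering is worth a comment: `/venv` is created from python3.12 before the 3.12 ensurepip wheel is removed further down, so venv creation still seeds pip 25.0.1 and relies entirely on this upgrade step to replace it, e.g. `# The venv is seeded from the bundled pip 25.0.1; upgrade it before installing anything else`. The new 3.12 comment block repeats "pip-24.0/pip-25.0.1 binary" and CVE-2023-5752 although only the pip-25.0.1 wheel is removed here and the rest of the commit cites CVE-2025-8869, so the comment should be narrowed to match. The enclosing `RUN for PYTHON_VERSION in 3.10 3.11; do \` starts outside the hunk.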
@@ -250,6 +262,11 @@ RUN rm -rf /venv/lib/python3.12/site-packages/virtualenv/seed/wheels/embed/setup
 # In the interim, remove the bundled wheel 45.1
 # since it does not include a fix for CVE-2026-24049
 RUN rm -rf /venv/lib/python3.12/site-packages/virtualenv/seed/wheels/embed/wheel-0.45.1-py3-none-any.whl
+# TODO: Remove this code once there is a newer version of virtualenv which does not include pip 25.0.1
+# https://github.com/pypa/virtualenv/tree/main/src/virtualenv/seed/wheels/embed
+# In the interim, remove the bundled wheel 25.0.1
+# since it does not include a fix for CVE-2025-8869
+RUN rm -rf /venv/lib/python3.12/site-packages/virtualenv/seed/wheels/embed/pip-25.0.1-py3-none-any.whl
 # Setup Cloud SDK
 ENV CLOUD_SDK_VERSION=555.0.0
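Review bot: The added comment `# In the interim, remove the bundled wheel 25.0.1` reads as if it refers to the `wheel` package (the preceding block removes wheel 0.45.1), but the line below removes virtualenv's embedded pip 25.0.1; it should say `# In the interim, remove the bundled pip 25.0.1 wheel`. With the embedded pip wheel gone, what virtualenv does when asked to seed pip for a new environment (download, or fail) is not visible from this hunk and is worth stating in the comment so the behaviour change is deliberate rather than discovered at runtime.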