microsoft
diff --git a/‎SPECS/python-virtualenv/0001-replace-to-flit.patch‎
Lines changed: 9 additions & 9 deletions b/‎SPECS/python-virtualenv/0001-replace-to-flit.patch‎
Lines changed: 9 additions & 9 deletions
diff --git a/‎…python-virtualenv/CVE-2025-50181v1.patch‎ ‎…S/python-virtualenv/CVE-2025-50181.patch‎SPECS/python-virtualenv/CVE-2025-50181v1.patch renamed to SPECS/python-virtualenv/CVE-2025-50181.patch
Lines changed: 5 additions & 5 deletions b/‎…python-virtualenv/CVE-2025-50181v1.patch‎ ‎…S/python-virtualenv/CVE-2025-50181.patch‎SPECS/python-virtualenv/CVE-2025-50181v1.patch renamed to SPECS/python-virtualenv/CVE-2025-50181.patch
Lines changed: 5 additions & 5 deletions
diff --git a/‎SPECS/python-virtualenv/CVE-2025-50181v0.patch‎
Lines changed: 0 additions & 48 deletions b/‎SPECS/python-virtualenv/CVE-2025-50181v0.patch‎
Lines changed: 0 additions & 48 deletions
diff --git a/‎SPECS/python-virtualenv/CVE-2025-50181v2.patch‎
Lines changed: 0 additions & 48 deletions b/‎SPECS/python-virtualenv/CVE-2025-50181v2.patch‎
Lines changed: 0 additions & 48 deletions
diff --git a/‎SPECS/python-virtualenv/CVE-2025-50181v3.patch‎
Lines changed: 0 additions & 48 deletions b/‎SPECS/python-virtualenv/CVE-2025-50181v3.patch‎
Lines changed: 0 additions & 48 deletions
diff --git a/‎SPECS/python-virtualenv/python-virtualenv.signatures.json‎
Lines changed: 1 addition & 1 deletion b/‎SPECS/python-virtualenv/python-virtualenv.signatures.json‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎SPECS/python-virtualenv/python-virtualenv.spec‎
Lines changed: 24 additions & 61 deletions b/‎SPECS/python-virtualenv/python-virtualenv.spec‎
Lines changed: 24 additions & 61 deletions
diff --git a/‎cgmanifest.json‎
Lines changed: 2 additions & 2 deletions b/‎cgmanifest.json‎
Lines changed: 2 additions & 2 deletions
@@ -1,14 +1,14 @@
-From efa2c18a0c114f2d32e2c101401b716e4ac9e6f4 Mon Sep 17 00:00:00 2001
-From: Kanishk-Bansal <kbkanishk975@gmail.com>
-Date: Wed, 26 Feb 2025 06:31:14 +0000
+From a778f8a379f75100d24159c4c3ffdbce4ff36e07 Mon Sep 17 00:00:00 2001
+From: Archana Shettigar <v-shettigara@microsoft.com>
+Date: Wed, 14 Jan 2026 15:30:01 +0530
 Subject: [PATCH] replace-to-flit
 
 ---
  pyproject.toml | 23 ++++-------------------
  1 file changed, 4 insertions(+), 19 deletions(-)
 
 diff --git a/pyproject.toml b/pyproject.toml
-index fabf434..179525d 100644
+index 0a7ca00..03706b2 100644
 --- a/pyproject.toml
 +++ b/pyproject.toml
@@ -1,9 +1,6 @@
@@ -41,9 +41,9 @@ index fabf434..179525d 100644
 -]
 +version = "3.10.0"
  dependencies = [
-   "distlib<1,>=0.3.7",
-   "filelock<4,>=3.12.2",
-@@ -95,16 +90,6 @@ entry-points."virtualenv.discovery".builtin = "virtualenv.discovery.builtin:Buil
+   "distlib>=0.3.7,<1",
+   "filelock>=3.16.1,<4; python_version<'3.10'",
+@@ -99,16 +94,6 @@ entry-points."virtualenv.discovery".builtin = "virtualenv.discovery.builtin:Buil
  entry-points."virtualenv.seed".app-data = "virtualenv.seed.embed.via_app_data.via_app_data:FromAppData"
  entry-points."virtualenv.seed".pip = "virtualenv.seed.embed.pip_invoke:PipInvoke"
 
@@ -58,8 +58,8 @@ index fabf434..179525d 100644
 -version.source = "vcs"
 -
  [tool.ruff]
- target-version = "py37"
  line-length = 120
+ format.preview = true
 -- 
-2.45.2
+2.45.4
 
@@ -1,7 +1,7 @@
-From 8275bde7d461c4d6cd44397529fcb75847eee97c Mon Sep 17 00:00:00 2001
-From: Aninda <v-anipradhan@microsoft.com>
-Date: Wed, 9 Jul 2025 22:12:03 -0400
-Subject: [PATCH] Address CVE-xxxx-yyyy
+From 58ec34d3c1b0505961c7d17a7e89c8a5e8e701cb Mon Sep 17 00:00:00 2001
+From: Archana Shettigar <v-shettigara@microsoft.com>
+Date: Thu, 15 Jan 2026 16:20:25 +0530
+Subject: [PATCH] Address CVE-2025-50181v0
 Upstream Patch Reference: https://github.com/urllib3/urllib3/commit/f05b1329126d5be6de501f9d1e3e36738bc08857
 ---
  pip/_vendor/urllib3/poolmanager.py | 18 +++++++++++++++++-
@@ -44,5 +44,5 @@ index fb51bf7..a8de7c6 100644
              retries = Retry.from_int(retries, redirect=redirect)
 
 -- 
-2.34.1
+2.45.4
 
@@ -1,5 +1,5 @@
 {
   "Signatures": {
-    "python-virtualenv-20.26.6.tar.gz": "280aede09a2a5c317e409a00102e7077c6432c5a38f0ef938e643805a7ad2c48"
+    "virtualenv-20.36.1.tar.gz": "8befb5c81842c641f8ee658481e42641c68b5eab3521d8e092d18320902466ba"
   }
 }
@@ -1,18 +1,15 @@
 Summary:        Virtual Python Environment builder
 Name:           python-virtualenv
-Version:        20.26.6
-Release:        2%{?dist}
+Version:        20.36.1
+Release:        1%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 Group:          Development/Languages/Python
 URL:            https://pypi.python.org/pypi/virtualenv
-Source0:        https://files.pythonhosted.org/packages/3f/40/abc5a766da6b0b2457f819feab8e9203cbeae29327bd241359f866a3da9d/virtualenv-20.26.6.tar.gz#/%{name}-%{version}.tar.gz
+Source0:        https://files.pythonhosted.org/packages/aa/a3/4d310fa5f00863544e1d0f4de93bddec248499ccf97d4791bc3122c9d4f3/virtualenv-20.36.1.tar.gz
 Patch0:         0001-replace-to-flit.patch
-Patch1000:      CVE-2025-50181v0.patch
-Patch1001:      CVE-2025-50181v1.patch
-Patch1002:      CVE-2025-50181v2.patch
-Patch1003:      CVE-2025-50181v3.patch
+Patch1000:      CVE-2025-50181.patch
 BuildArch:      noarch
 
 %description
@@ -54,66 +51,29 @@ virtualenv is a tool to create isolated Python environment.
 # For the poolmanager.py under tests, it is archived inside a .whl file, which in turn is archived inside another .whl file,
 # so, we need to unpack the outer .whl, then unpack the inner .whl, apply the patch, and then re-zip both levels.
 
-echo "Manually Patching virtualenv-20.26.6/src/virtualenv/seed/wheels/embed/pip-24.0-py3-none-any.whl/pip/_vendor/urllib3/poolmanager.py"
-mkdir -p unpacked_pip-24.0-py3-none-any
-unzip src/virtualenv/seed/wheels/embed/pip-24.0-py3-none-any.whl -d unpacked_pip-24.0-py3-none-any
-patch -p1 -d unpacked_pip-24.0-py3-none-any < %{PATCH1000}
+echo "Manually Patching virtualenv-20.36.1/src/virtualenv/seed/wheels/embed/pip-25.0.1-py3-none-any.whl/pip/_vendor/urllib3/poolmanager.py"
+mkdir -p unpacked_pip-25.0.1-py3-none-any
+unzip src/virtualenv/seed/wheels/embed/pip-25.0.1-py3-none-any.whl -d unpacked_pip-25.0.1-py3-none-any
+patch -p1 -d unpacked_pip-25.0.1-py3-none-any < %{PATCH1000}
 # Remove the original file
-rm -f src/virtualenv/seed/wheels/embed/pip-24.0-py3-none-any.whl
+rm -f src/virtualenv/seed/wheels/embed/pip-25.0.1-py3-none-any.whl
 # After patching, re-zip the contents back into a .whl
-pushd unpacked_pip-24.0-py3-none-any
-zip -r ../src/virtualenv/seed/wheels/embed/pip-24.0-py3-none-any.whl *
+pushd unpacked_pip-25.0.1-py3-none-any
+zip -r ../src/virtualenv/seed/wheels/embed/pip-25.0.1-py3-none-any.whl *
 popd
-rm -rf unpacked_pip-24.0-py3-none-any
+rm -rf unpacked_pip-25.0.1-py3-none-any
 
-echo "Manually Patching virtualenv-20.26.6/src/virtualenv/seed/wheels/embed/pip-24.2-py3-none-any.whl/pip/_vendor/urllib3/poolmanager.py"
-mkdir -p unpacked_pip-24.2-py3-none-any
-unzip src/virtualenv/seed/wheels/embed/pip-24.2-py3-none-any.whl -d unpacked_pip-24.2-py3-none-any
-patch -p1 -d unpacked_pip-24.2-py3-none-any < %{PATCH1001}
+echo "Manually Patching virtualenv-20.36.1/src/virtualenv/seed/wheels/embed/pip-25.3-py3-none-any.whl/pip/_vendor/urllib3/poolmanager.py"
+mkdir -p unpacked_pip-25.3-py3-none-any
+unzip src/virtualenv/seed/wheels/embed/pip-25.3-py3-none-any.whl -d unpacked_pip-25.3-py3-none-any
+patch -p1 -d unpacked_pip-25.3-py3-none-any < %{PATCH1000}
 # Remove the original file
-rm -f src/virtualenv/seed/wheels/embed/pip-24.2-py3-none-any.whl
+rm -f src/virtualenv/seed/wheels/embed/pip-25.3-py3-none-any.whl
 # After patching, re-zip the contents back into a .whl
-pushd unpacked_pip-24.2-py3-none-any
-zip -r ../src/virtualenv/seed/wheels/embed/pip-24.2-py3-none-any.whl *
-popd
-rm -rf unpacked_pip-24.2-py3-none-any
-
-echo "Manually Patching the poolmanager.py under tests, it needs to be unpacked from a .whl file, which is inside another .whl file"
-# unpack the outer wheel
-mkdir -p unpacked_virtualenv-16.7.9-py2.py3-none-any
-unzip tests/unit/create/virtualenv-16.7.9-py2.py3-none-any.whl -d unpacked_virtualenv-16.7.9-py2.py3-none-any
-
-# This is the pip-19.1.1 wheel that is archived inside the virtualenv_support directory of the outer wheel
-# We need to unpack it, apply the patch, and then re-zip it
-echo "Manually Patching virtualenv-16.7.9-py2.py3-none-any/virtualenv_support/pip-19.1.1-py2.py3-none-any.whl/pip/_vendor/urllib3/poolmanager.py"
-# unpack the inner wheel
-mkdir -p unpacked_pip-19.1.1-py2.py3-none-any
-unzip unpacked_virtualenv-16.7.9-py2.py3-none-any/virtualenv_support/pip-19.1.1-py2.py3-none-any.whl -d unpacked_pip-19.1.1-py2.py3-none-any
-patch -p1 -d unpacked_pip-19.1.1-py2.py3-none-any < %{PATCH1002}
-rm -f unpacked_virtualenv-16.7.9-py2.py3-none-any/virtualenv_support/pip-19.1.1-py2.py3-none-any.whl
-pushd unpacked_pip-19.1.1-py2.py3-none-any
-zip -r ../unpacked_virtualenv-16.7.9-py2.py3-none-any/virtualenv_support/pip-19.1.1-py2.py3-none-any.whl *
-popd
-rm -rf unpacked_pip-19.1.1-py2.py3-none-any
-
-# Now, we need to patch the pip-19.3.1 wheel that is archived inside the virtualenv_support directory of the outer wheel
-# We need to unpack it, apply the patch, and then re-zip it
-echo "Manually Patching virtualenv-16.7.9-py2.py3-none-any/virtualenv_support/pip-19.3.1-py2.py3-none-any.whl/pip/_vendor/urllib3/poolmanager.py"
-mkdir -p unpacked_pip-19.3.1-py2.py3-none-any
-unzip unpacked_virtualenv-16.7.9-py2.py3-none-any/virtualenv_support/pip-19.3.1-py2.py3-none-any.whl -d unpacked_pip-19.3.1-py2.py3-none-any
-patch -p1 -d unpacked_pip-19.3.1-py2.py3-none-any < %{PATCH1003}
-# Repack the inner wheel
-rm -f unpacked_virtualenv-16.7.9-py2.py3-none-any/virtualenv_support/pip-19.3.1-py2.py3-none-any.whl
-pushd unpacked_pip-19.3.1-py2.py3-none-any
-zip -r ../unpacked_virtualenv-16.7.9-py2.py3-none-any/virtualenv_support/pip-19.3.1-py2.py3-none-any.whl *
-popd
-rm -rf unpacked_pip-19.3.1-py2.py3-none-any
-
-# Repack the outer wheel
-rm -f tests/unit/create/virtualenv-16.7.9-py2.py3-none-any.whl
-pushd unpacked_virtualenv-16.7.9-py2.py3-none-any
-zip -r ../tests/unit/create/unpacked_virtualenv-16.7.9-py2.py3-none-any *
+pushd unpacked_pip-25.3-py3-none-any
+zip -r ../src/virtualenv/seed/wheels/embed/pip-25.3-py3-none-any.whl *
 popd
+rm -rf unpacked_pip-25.3-py3-none-any
 
 %generate_buildrequires
 
@@ -126,7 +86,7 @@ popd
 %check
 pip3 install 'tox>=3.27.1,<4.0.0'
 # skip "test_can_build_c_extensions" tests since they fail on python3_version >= 3.12. See https://src.fedoraproject.org/rpms/python-virtualenv/blob/rawhide/f/python-virtualenv.spec#_153
-sed -i 's/coverage run -m pytest {posargs:--junitxml {toxworkdir}\/junit\.{envname}\.xml tests --int}/coverage run -m pytest {posargs:--junitxml {toxworkdir}\/junit\.{envname}\.xml tests -k "not test_can_build_c_extensions" --int}/g' tox.ini
+export PYTEST_ADDOPTS='-k "not test_can_build_c_extensions"'
 tox -e py
 
 %files -n python3-virtualenv
@@ -136,6 +96,9 @@ tox -e py
 %{_bindir}/virtualenv
 
 %changelog
+* Thu Jan 15 2026 Archana Shettigar <v-shettigara@microsoft.com> - 20.36.1-1
+- Upgrade to 20.36.1 for CVE-2026-22702
+
 * Wed Jul 09 2025 Aninda Pradhan <v-anipradhan@microsoft.com> - 20.26.6-2
 - Add patch to fix CVE-2025-50181 in urllib3 poolmanager.py
 
 
@@ -24914,8 +24914,8 @@
         "type": "other",
         "other": {
           "name": "python-virtualenv",
-          "version": "20.26.6",
-          "downloadUrl": "https://files.pythonhosted.org/packages/3f/40/abc5a766da6b0b2457f819feab8e9203cbeae29327bd241359f866a3da9d/virtualenv-20.26.6.tar.gz"
+          "version": "20.36.1",
+          "downloadUrl": "https://files.pythonhosted.org/packages/aa/a3/4d310fa5f00863544e1d0f4de93bddec248499ccf97d4791bc3122c9d4f3/virtualenv-20.36.1.tar.gz"
         }
       }
     },
Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`{`
`2`	`2`	`"Signatures": {`
`3`		`- "python-virtualenv-20.26.6.tar.gz": "280aede09a2a5c317e409a00102e7077c6432c5a38f0ef938e643805a7ad2c48"`
	`3`	`+ "virtualenv-20.36.1.tar.gz": "8befb5c81842c641f8ee658481e42641c68b5eab3521d8e092d18320902466ba"`
`4`	`4`	`}`
`5`	`5`	`}`
Original file line number	Diff line number	Diff line change
`@@ -24914,8 +24914,8 @@`
`24914`	`24914`	`"type": "other",`
`24915`	`24915`	`"other": {`
`24916`	`24916`	`"name": "python-virtualenv",`
`24917`		`- "version": "20.26.6",`
`24918`		`- "downloadUrl": "https://files.pythonhosted.org/packages/3f/40/abc5a766da6b0b2457f819feab8e9203cbeae29327bd241359f866a3da9d/virtualenv-20.26.6.tar.gz"`
	`24917`	`+ "version": "20.36.1",`
	`24918`	`+ "downloadUrl": "https://files.pythonhosted.org/packages/aa/a3/4d310fa5f00863544e1d0f4de93bddec248499ccf97d4791bc3122c9d4f3/virtualenv-20.36.1.tar.gz"`
`24919`	`24919`	`}`
`24920`	`24920`	`}`
`24921`	`24921`	`},`