|
|
Log in / Subscribe / Register

Mageia alert MGASA-2015-0180 (python-pip)



From:
    	      Mageia Updates <buildsystem-daemon@mageia.org> 


To:
    	      updates-announce@ml.mageia.org 


Subject:
    	      [updates-announce] MGASA-2015-0180: Updated python-pip packages fix security vulnerabilities 


Date:
    	      Sun, 3 May 2015 02:19:45 +0200


Message-ID:
    	      <20150503001945.98F594193B@valstar.mageia.org>


MGASA-2015-0180 - Updated python-pip packages fix security vulnerabilities

Publication date: 03 May 2015
URL: http://advisories.mageia.org/MGASA-2015-0180.html
Type: security
Affected Mageia releases: 4
CVE: CVE-2013-5123

Description:
Updated python-pip and python-virtualenv packages fix security vulnerability:

The mirroring support in python-pip was implemented without any sort of
authenticity checks and is downloaded over plaintext HTTP. Further more by
default it will dynamically discover the list of available mirrors by
querying a DNS entry and extrapolating from that data. It does not attempt
to use any sort of method of securing this querying of the DNS like DNSSEC.
Software packages are downloaded over these insecure links, unpacked, and
then typically the setup.py python file inside of them is executed
(CVE-2013-5123).

This was fixed in python-pip by removing the mirroring support (i.e., the
--use-mirrors, -M, and --mirrors flags). With the updated version, in order
to use a mirror, one must specify it as the primary index with -i or
--index-url, or as an additional index with --extra-index-url.

The python-virtualenv package bundles a copy of python-pip, so it has also
been updated to fix this issue.

The python-virtualenv package bundles python-requests as well, so this update
fixes the session fixation issue CVE-2015-2296 in the bundled python-requests.

References:
- https://bugs.mageia.org/show_bug.cgi?id=15748
- https://pip.pypa.io/en/latest/news.html
- http://advisories.mageia.org/MGASA-2015-0120.html
- https://lists.fedoraproject.org/pipermail/package-announc...
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5123

SRPMS:
- 4/core/python-pip-6.1.1-1.mga4
- 4/core/python-virtualenv-12.1.1-1.mga4
to post comments


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds