Ubuntu alert USN-7084-2 (python-pip)
| From: | Hlib Korzhynskyy <hlib.korzhynskyy@canonical.com> | |
| To: | ubuntu-security-announce@lists.ubuntu.com | |
| Subject: | [USN-7084-2] pip vulnerability | |
| Date: | Wed, 30 Oct 2024 16:07:11 +0100 | |
| Message-ID: | <40017897-d968-4be5-9e4d-806d6071f094@canonical.com> |
========================================================================== Ubuntu Security Notice USN-7084-2 October 30, 2024 python-pip vulnerability ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 24.10 - Ubuntu 24.04 LTS - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS - Ubuntu 16.04 LTS Summary: urllib3 could leak sensitive information. Software Description: - python-pip: Python package installer Details: USN-7084-1 fixed vulnerability in urllib3. This update provides the corresponding update for the urllib3 module bundled into pip. Original advisory details: It was discovered that urllib3 didn't strip HTTP Proxy-Authorization header on cross-origin redirects. A remote attacker could possibly use this issue to obtain sensitive information. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 24.10 python3-pip 24.2+dfsg-1ubuntu0.1 python3-pip-whl 24.2+dfsg-1ubuntu0.1 Ubuntu 24.04 LTS python3-pip 24.0+dfsg-1ubuntu1.1 python3-pip-whl 24.0+dfsg-1ubuntu1.1 Ubuntu 22.04 LTS python3-pip 22.0.2+dfsg-1ubuntu0.5 python3-pip-whl 22.0.2+dfsg-1ubuntu0.5 Ubuntu 20.04 LTS python-pip-whl 20.0.2-5ubuntu1.11 python3-pip 20.0.2-5ubuntu1.11 Ubuntu 18.04 LTS python-pip 9.0.1-2.3~ubuntu1.18.04.8+esm6 Available with Ubuntu Pro python-pip-whl 9.0.1-2.3~ubuntu1.18.04.8+esm6 Available with Ubuntu Pro python3-pip 9.0.1-2.3~ubuntu1.18.04.8+esm6 Available with Ubuntu Pro Ubuntu 16.04 LTS python-pip 8.1.1-2ubuntu0.6+esm10 Available with Ubuntu Pro python-pip-whl 8.1.1-2ubuntu0.6+esm10 Available with Ubuntu Pro python3-pip 8.1.1-2ubuntu0.6+esm10 Available with Ubuntu Pro In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-7084-2 https://ubuntu.com/security/notices/USN-7084-1 CVE-2024-37891 Package Information: https://launchpad.net/ubuntu/+source/python-pip/24.2+dfsg... https://launchpad.net/ubuntu/+source/python-pip/24.0+dfsg... https://launchpad.net/ubuntu/+source/python-pip/22.0.2+df... https://launchpad.net/ubuntu/+source/python-pip/20.0.2-5u...
Attachment: OpenPGP_signature.asc (type=application/pgp-signature)
-----BEGIN PGP SIGNATURE----- wsF5BAABCAAjFiEELOLXZEFYQHcSWEHiyfW2m9Ldu6sFAmciS58FAwAAAAAACgkQyfW2m9Ldu6u3 bxAAyyxp/pHrbbGIabWFwQLFpYnHV7j3ya958hInpWQAifRv5JgSs4Q0K/Fi1hNBeZN7vy2fLIre JoNBRq6n9YakwptVuvv936PQo/J/YNCX2ZW9GEnH+A6EP44JW3ZtVHTZp3lNFXGUb/Nzno2lLIzX UDGTDf1F44IedjkdyXoVWy3RmFeXlLNPjZx3yvKzAHekTrqvWd8uEs82aI7IQbw3u+uXix1Q+Lwa 8nzSakzkIRUgfDAR8oDuwvPA1OWdFShOk+zEf41DHu2pBh7n2EGlX1XiOlOT4KINwXjaN1W0Z9Zi NmTV0Tai4n7dheSJYRnDVTp6XyXs2yny4j0pFFzr02bLI8ZMl3jzlFXczWutawX56WiOvgg56Qre QlWbaelexAFnR2Jh2LYuSP/aU/re3lGGn1lyu55I3pw3iYPKwBtZBYeOwycaRaQULpiyGqla4loY zYw9VLxnzK0aSzTDJjtLUIJEwBAz8rDZ1mRKRSSTlsGPib7yREwN2Im9nFS8gwR0E910Fhv+opzK P4H+AidiwPKci/r+kb5/VSwBFjU3/SoKHj93efpbB7ZOor2dy2swt/nn/+MR/4+6bO3D0OpzaXCX dGt0Fsbddr1NJOxUsFnH3nLupusV1kgLocFoWkmJco2tVcVuPQuuc0AZXxLblkHGH4qQIVoPqK4S afg= =EOi0 -----END PGP SIGNATURE-----
Attachment: None (type=text/plain)