Bug 10956

Summary: Update python-virtualenv to>= 1.10, which includes a pip able to download from PyPI over SSL.
Product: Mageia Reporter: Hartmut Goebel <h.goebel>
Component: RPM PackagesAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: davidwhodgins, luigiwalser, sysadmin-bugs, tmb
Version: 3Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/566721/
Whiteboard: MGA3-64-OK MGA3-32-OK
Source RPM: python-virtualenv-1.7.1.2-4.mga3.src.rpm CVE:
Status comment:

Description Hartmut Goebel 2013-08-07 14:32:00 CEST 
Please update python-virtualenv to 1.10 (or newer).

Current Currently 1.7.1 is delivered with Mageia 3, which contains an outdated pip, which again is not able to download from PyPI over SSL.

Additionally, it's quite confusing to have different versions of pip inside and outside a virtualenv.

https://pypi.python.org/pypi/virtualenv/1.10 writes:

  Warning:

   We advise installing virtualenv-1.9 or greater. Prior to version 1.9, the
   pip included in virtualenv did not not download from PyPI over SSL.



Reproducible: 

Steps to Reproduce:
Comment 1 Hartmut Goebel 2013-08-07 14:33:53 CEST 
Steps to Reproduce:

$ virtualenv -v xxx
[...]
Installing existing pip-1.1.tar.gz distribution: /usr/lib/python2.7/site-packages/virtualenv_support/pip-1.1.tar.gz
[...]

Keywords: (none) => Junior_job
Hardware: i586 => All

Comment 2 Manuel Hiebel 2013-08-07 19:06:52 CEST 
*** Bug 10955 has been marked as a duplicate of this bug. ***
Manuel Hiebel 2013-08-07 19:08:04 CEST

Keywords: (none) => Triaged
Assignee: bugsquad => makowski.mageia

Comment 3 Philippe Makowski 2013-08-08 11:40:32 CEST 
Version 1.9.1 should be enough and would also fix the security issue in bundled pip

1.10 is a major change I would avoid for mga3

Status: NEW => ASSIGNED

Comment 4 Philippe Makowski 2013-08-08 12:23:39 CEST 

Suggested advisory:
========================

Update to upstream 1.9.1 because of security issues with the bundled python-pip in older releases and to allow download from PyPI over SSL.

========================


Updated packages in core/updates_testing:
========================
python-virtualenv-1.9.1-1.1.mga3.noarch 

Source RPM: 
python-virtualenv-1.9.1-1.1.mga3.src

Keywords: Junior_job, Triaged => (none)
Assignee: makowski.mageia => qa-bugs

Comment 5 Dave Hodgins 2013-08-11 08:02:14 CEST 
Advisory 10956.adv uploaded to svn.

Anyone have a test procedure?

CC: (none) => davidwhodgins

Comment 6 Hartmut Goebel 2013-08-11 08:11:36 CEST 
(In reply to Dave Hodgins from comment #5)
> Anyone have a test procedure?

virtualenv -v xxx | grep Install

should give pip.1.3.1.
Comment 7 Dave Hodgins 2013-08-11 08:58:48 CEST 
Doesn't actually show that pip is working, but I'll accept that.

Testing complete on Mageia 3 i586 and x86_64.

Could someone from the sysadmin team push 10956.adv to updates.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA3-64-OK MGA3-32-OK
CC: (none) => sysadmin-bugs

Comment 8 Thomas Backlund 2013-08-11 15:08:16 CEST 
Update pushed:
http://advisories.mageia.org/MGAA-2013-0082.html

Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

Comment 9 David Walser 2013-09-13 18:11:20 CEST 
This has been assigned CVE-2013-1629.

URL: https://pypi.python.org/pypi/virtualenv => http://lwn.net/Vulnerabilities/566721/
CC: (none) => luigiwalser