| Summary: | python-pip bundles python-urllib3 with security vulnerabilities | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, drewbinskyn, geiger.david68210, sysadmin-bugs, tarazed25, timothysykestss, tmb |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | python-pip-19.0.3-1.mga7.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2020-01-12 17:42:33 CET
We should be able to re-use Fedora's patch from 30 if nothing else: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/XOSA2NT4DUQDBEIWE6O7KKD24XND7TE2/
David Walser
2020-01-24 13:26:12 CET
Status comment: (none) => Patch available from Fedora

Advisory:
========================

Updated python-pip packages fix security vulnerabilities:

The python-pip package bundles a copy of python-urllib3, which was affected by security issues. The bundled copy was updated to fix these issues (CVE-2019-11324, CVE-2019-11236).

References:
https://advisories.mageia.org/MGASA-2019-0258.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/XOSA2NT4DUQDBEIWE6O7KKD24XND7TE2/
========================

Updated packages in core/updates_testing:
========================

python2-pip-19.0.3-1.1.mga7
python3-pip-19.0.3-1.1.mga7
python-pip-wheel-19.0.3-1.1.mga7

from python-pip-19.0.3-1.1.mga7.src.rpm

Status comment: Patch available from Fedora => (none)

Mageia7, x86_64

Updated the packages. Ran locate to see where urllib3 lives. Checked dates.

$ ll /usr/lib/python2.7/site-packages/pip/_vendor/ | grep urllib3
drwxr-xr-x 5 root root 4096 Jan 24 21:01 urllib3/
$ ll /usr/lib/python3.7/site-packages/pip/_vendor/ | grep urllib3
drwxr-xr-x 6 root root 4096 Jan 24 21:02 urllib3/

Tested pip as user. Looked at what is available at https://pypi.org/

$ pip install --user jsons
Collecting jsons
  Downloading https://files.pythonhosted.org/packages/43/53/cad3fe4c5e5cc58d2d46c51b53b15e330183533136fe6726e09826eaad86/jsons-1.1.1-py3-none-any.whl (52kB)
    100% |████████████████████████████████| 61kB 2.0MB/s
Collecting typish>=1.3.1 (from jsons)
  Downloading https://files.pythonhosted.org/packages/69/ac/370f0128f4019720fbfcb326faf44018a46d6567b967aaeed808067b6309/typish-1.3.1-py3-none-any.whl
Installing collected packages: typish, jsons
Successfully installed jsons-1.1.1 typish-1.3.1

$ pip3 install --user tkcalendar
Collecting tkcalendar
  Using cached https://files.pythonhosted.org/packages/e9/d4/9528ea6ecb5d4394f425df651957da6f6a715b41c5b12d43d41888c14394/tkcalendar-1.6.1-py3-none-any.whl
Collecting babel (from tkcalendar)
  Using cached https://files.pythonhosted.org/packages/15/a1/522dccd23e5d2e47aed4b6a16795b8213e3272c7506e625f2425ad025a19/Babel-2.8.0-py2.py3-none-any.whl
Requirement already satisfied: pytz>=2015.7 in /usr/lib/python3.7/site-packages (from babel->tkcalendar) (2018.9)
Installing collected packages: babel, tkcalendar
Successfully installed babel-2.8.0 tkcalendar-1.6.1

Python wheel is the new standard for binary packaging, replacing python eggs. That is more developer territory so we shall leave it aside.
The rest seems to work OK.

Whiteboard: (none) => MGA7-64-OK

A quick enquiry brings up virtualenv:

$ urpmq --whatrequires python-pip-wheel | uniq
lib64python2.7-stdlib
lib64python3.7-stdlib
python-pip-wheel
python2-virtualenv
python3-virtualenv

A recursive search shows 3293 entries.

Validating. Advisory in Comment 3.

Keywords: (none) => validated_update
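The QA check above located pip's vendored urllib3 by hand and compared directory dates. As an added example (this script is not part of the ticket, the Fedora patch or the Mageia package), the following Python automates that check: it walks one or more site-packages roots, finds every urllib3 package including copies vendored under a `_vendor` directory, reads `__version__` and the mtime of `__init__.py`, and flags copies whose version string is below 1.24.2, the upstream release that fixed CVE-2019-11236 and CVE-2019-11324. The sample tree built by `build_sample_tree` is constructed for the demo and does not reflect any real system. The caveat it encodes is the one that matters for this update: a distro backport such as the Fedora patch reused here fixes the code without bumping `__version__`, so a 1.24.1 string means "confirm against the package changelog or file dates", not "vulnerable".

```python
"""Locate every urllib3 copy under site-packages, vendored ones included, and
report version, location and file date. Added example for the python-pip ticket;
not code from pip, urllib3, Fedora or Mageia. The fixed-version threshold is
upstream's; the sample tree is constructed."""
import os
import re
import sys
import tempfile
from datetime import datetime

# Upstream urllib3 fixed CVE-2019-11236 and CVE-2019-11324 in 1.24.2.
FIXED_UPSTREAM = (1, 24, 2)

_VERSION_RE = re.compile(r'^__version__\s*=\s*[\'"]([^\'"]+)[\'"]', re.MULTILINE)


def parse_version(text):
    """Turn '1.24.1' into (1, 24, 1); a non-numeric tail such as 'rc1' is dropped."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def find_urllib3_copies(roots):
    """Return one record per urllib3 package found under any of the roots.

    Copies vendored inside other packages (pip/_vendor/urllib3, ...) are found
    too, which is the point: updating python-urllib3 does nothing for those.
    """
    copies = []
    for root in roots:
        for dirpath, dirnames, filenames in os.walk(root):
            if os.path.basename(dirpath) != "urllib3" or "__init__.py" not in filenames:
                continue
            init = os.path.join(dirpath, "__init__.py")
            with open(init, encoding="utf-8", errors="replace") as fh:
                m = _VERSION_RE.search(fh.read())
            copies.append({
                "path": dirpath,
                "version": m.group(1) if m else None,
                "vendored": "_vendor" in dirpath.split(os.sep),
                "mtime": datetime.fromtimestamp(os.path.getmtime(init)),
            })
            dirnames[:] = []  # a urllib3 package does not nest another one
    return copies


def classify(copy):
    """'fixed-upstream' when __version__ >= 1.24.2, 'unknown' when there is no
    version string, else 'check-distro-patch'. The last case is deliberately not
    'vulnerable': Fedora and Mageia backport fixes without bumping __version__,
    so confirm via `rpm -q --changelog python3-pip` or the file dates."""
    if copy["version"] is None:
        return "unknown"
    if parse_version(copy["version"]) >= FIXED_UPSTREAM:
        return "fixed-upstream"
    return "check-distro-patch"


def build_sample_tree(base):
    """Constructed sample tree (assumed, not a real system): a stand-alone
    urllib3 1.24.1, pip's vendored 1.24.1 and another package vendoring 1.25.3."""
    layout = {
        "urllib3": "1.24.1",
        os.path.join("pip", "_vendor", "urllib3"): "1.24.1",
        os.path.join("otherpkg", "_vendor", "urllib3"): "1.25.3",
    }
    for rel, ver in layout.items():
        d = os.path.join(base, rel)
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, "__init__.py"), "w", encoding="utf-8") as fh:
            fh.write('"""stub"""\n__version__ = "%s"\n' % ver)
    return base


def demo_scan():
    """Build the constructed tree in a temp dir and scan it."""
    return find_urllib3_copies([build_sample_tree(tempfile.mkdtemp())])


def report(copies):
    """One line per copy: verdict, version, vendored/top-level, mtime, path."""
    rows = []
    for c in sorted(copies, key=lambda c: c["path"]):
        rows.append("%-18s %-8s %-9s %s  %s" % (
            classify(c), c["version"] or "?",
            "vendored" if c["vendored"] else "top-level",
            c["mtime"].strftime("%Y-%m-%d %H:%M"), c["path"]))
    return rows


if __name__ == "__main__":
    # `--demo` scans the constructed tree; otherwise scan the given roots, or
    # every site-packages directory on this interpreter's sys.path.
    if "--demo" in sys.argv:
        found = demo_scan()
    else:
        roots = sys.argv[1:] or [p for p in sys.path if p.endswith("site-packages")]
        found = find_urllib3_copies(roots)
    print("\n".join(report(found)) or "no urllib3 found")
```

Run it as `python3 find_urllib3.py /usr/lib/python3.7/site-packages /usr/lib/python2.7/site-packages` on a Mageia 7 box to get the same two vendored copies the QA comment found, with their dates, in one listing; the `--demo` run shows the three-copy constructed tree. Remember that for a system like this one the 1.24.1 string on pip's copy is expected even after the fix, because the update is a backport.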
Thomas Backlund
2020-01-28 11:50:46 CET
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0063.html

Status: NEW =>
RESOLVED