Bug 10956 - Update python-virtualenv to >= 1.10, which includes a pip able to download from PyPI over SSL.
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: 3
Hardware: All Linux
Priority: Normal (severity: normal)
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL: http://lwn.net/Vulnerabilities/566721/
Whiteboard: MGA3-64-OK MGA3-32-OK
Keywords: validated_update
Duplicates: 10955
Depends on:
Blocks:
 
Reported: 2013-08-07 14:32 CEST by Hartmut Goebel
Modified: 2013-09-13 18:11 CEST (History)
CC List: 4 users

See Also:
Source RPM: python-virtualenv-1.7.1.2-4.mga3.src.rpm
CVE:
Status comment:



Description Hartmut Goebel 2013-08-07 14:32:00 CEST
Please update python-virtualenv to 1.10 (or newer).

Currently 1.7.1 is delivered with Mageia 3, which contains an outdated pip, which again is not able to download from PyPI over SSL.

Additionally, it's quite confusing to have different versions of pip inside and outside a virtualenv.

https://pypi.python.org/pypi/virtualenv/1.10 writes:

  Warning:

   We advise installing virtualenv-1.9 or greater. Prior to version 1.9, the
   pip included in virtualenv did not download from PyPI over SSL.



Comment 1 Hartmut Goebel 2013-08-07 14:33:53 CEST
Steps to Reproduce:

$ virtualenv -v xxx
[...]
Installing existing pip-1.1.tar.gz distribution: /usr/lib/python2.7/site-packages/virtualenv_support/pip-1.1.tar.gz
[...]

Keywords: (none) => Junior_job
Hardware: i586 => All

Comment 2 Manuel Hiebel 2013-08-07 19:06:52 CEST
*** Bug 10955 has been marked as a duplicate of this bug. ***
Manuel Hiebel 2013-08-07 19:08:04 CEST

Keywords: (none) => Triaged
Assignee: bugsquad => makowski.mageia

Comment 3 Philippe Makowski 2013-08-08 11:40:32 CEST
Version 1.9.1 should be enough and would also fix the security issue in bundled pip

1.10 is a major change I would avoid for mga3

Status: NEW => ASSIGNED

Comment 4 Philippe Makowski 2013-08-08 12:23:39 CEST

Suggested advisory:
========================

Update to upstream 1.9.1 because of security issues with the bundled python-pip in older releases and to allow download from PyPI over SSL.

========================


Updated packages in core/updates_testing:
========================
python-virtualenv-1.9.1-1.1.mga3.noarch 

Source RPM: 
python-virtualenv-1.9.1-1.1.mga3.src

Keywords: Junior_job, Triaged => (none)
Assignee: makowski.mageia => qa-bugs

Comment 5 Dave Hodgins 2013-08-11 08:02:14 CEST
Advisory 10956.adv uploaded to svn.

Anyone have a test procedure?

CC: (none) => davidwhodgins

Comment 6 Hartmut Goebel 2013-08-11 08:11:36 CEST
(In reply to Dave Hodgins from comment #5)
> Anyone have a test procedure?

virtualenv -v xxx | grep Install

should give pip.1.3.1.
Comment 7 Dave Hodgins 2013-08-11 08:58:48 CEST
Doesn't actually show that pip is working, but I'll accept that.

Testing complete on Mageia 3 i586 and x86_64.

Could someone from the sysadmin team push 10956.adv to updates?

Keywords: (none) => validated_update
Whiteboard: (none) => MGA3-64-OK MGA3-32-OK
CC: (none) => sysadmin-bugs
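
The version check from comments 1 and 6 as a script, added here as an example and not part of the bug thread: it reads `virtualenv -v` output, extracts the bundled pip version and compares it to a minimum. The function names, the 1.3 threshold and the 1.3.1 sample line are assumptions; as comment 7 notes, this confirms the bundled version only, not that pip works.

```shell
#!/bin/sh
# Added example, not from the bug thread. MIN_PIP is an assumption: pip 1.3 is
# the release that began verifying SSL certificates for PyPI downloads.
MIN_PIP=1.3

# Print the bundled pip version found in `virtualenv -v` output on stdin.
bundled_pip_version() {
    sed -n 's/.*Installing existing pip-\([0-9][0-9.]*\)\.tar\.gz.*/\1/p' | head -n 1
}

# Succeed if dotted version $1 >= $2, comparing each field numerically
# (so 1.10 sorts above 1.9; missing fields count as 0).
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# Exit status: 0 = new enough, 1 = outdated, 2 = no bundled pip line seen.
check_bundled_pip() {
    min=${1:-$MIN_PIP}
    ver=$(bundled_pip_version)
    if [ -z "$ver" ]; then
        echo "UNKNOWN: no bundled pip line in input"
        return 2
    fi
    if version_ge "$ver" "$min"; then
        echo "OK: bundled pip $ver >= $min"
        return 0
    fi
    echo "OUTDATED: bundled pip $ver < $min"
    return 1
}

# OLD_LINE is the output quoted in comment 1. NEW_LINE is constructed in the
# same format for the pip 1.3.1 that comment 6 expects after the update.
OLD_LINE='Installing existing pip-1.1.tar.gz distribution: /usr/lib/python2.7/site-packages/virtualenv_support/pip-1.1.tar.gz'
NEW_LINE='Installing existing pip-1.3.1.tar.gz distribution: /usr/lib/python2.7/site-packages/virtualenv_support/pip-1.3.1.tar.gz'
printf '%s\n' "$OLD_LINE" | check_bundled_pip || true
printf '%s\n' "$NEW_LINE" | check_bundled_pip || true
```

On a test machine the input would come from `virtualenv -v xxx | check_bundled_pip`.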

Comment 8 Thomas Backlund 2013-08-11 15:08:16 CEST
Update pushed:
http://advisories.mageia.org/MGAA-2013-0082.html

Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

Comment 9 David Walser 2013-09-13 18:11:20 CEST
This has been assigned CVE-2013-1629.

URL: https://pypi.python.org/pypi/virtualenv => http://lwn.net/Vulnerabilities/566721/
CC: (none) => luigiwalser

