Fedora has issued an advisory on April 11:
https://lists.fedoraproject.org/pipermail/package-announce/2015-April/155248.html

The issue is fixed upstream in python-pip 1.5.

The above advisory is for python-virtualenv, I'm not sure why. Maybe it bundles pip? Perhaps Cauldron could be affected if that's the case.
Yes, python-virtualenv bundles pip, so python-virtualenv, python-pip and python3-pip need to be checked.
URL: (none) => http://lwn.net/Vulnerabilities/641426/
Upstream changelog lists this issue as fixed in upstream version 1.5:

BACKWARD INCOMPATIBLE pip no longer supports the --use-mirrors, -M, and --mirrors flags. The mirroring support has been removed. In order to use a mirror specify it as the primary index with -i or --index-url, or as an additional index with --extra-index-url. (PR #1098, CVE-2013-5123)

https://pip.pypa.io/en/latest/news.html
https://github.com/pypa/pip/pull/1098

but reading the news, I see that 6.1.0 also fixes CVE-2015-2296
I suggest having in mga4: virtualenv-1.11.6 and pip 1.5.6; in cauldron: virtualenv-12.1.1 and pip 6.1.1
hum, that's the usual nightmare with bundles ... it seems that the safest is to update mga4 and cauldron to virtualenv-12.1.1 and pip 6.1.1, but we really need to look at the Debian packages to use the .whl files for de-vendorized dependencies.
Freeze push asked for python-pip.
python-pip-6.1.1-1.mga4 is in testing.

Freeze push asked for python-virtualenv.
python-virtualenv-12.1.1-1.mga4 is in testing.
(In reply to Philippe Makowski from comment #2)
> but reading this the news, I see that 6.1.0 fix also CVE-2015-2296

That CVE was in python-requests. The news says they upgraded their bundled copy. Does our python-pip bundle it?
Advisory:
========================

Updated python-pip and python-virtualenv packages fix security vulnerability:

The mirroring support in python-pip was implemented without any sort of authenticity checks and is downloaded over plaintext HTTP. Furthermore, by default it will dynamically discover the list of available mirrors by querying a DNS entry and extrapolating from that data. It does not attempt to use any sort of method of securing this querying of the DNS like DNSSEC. Software packages are downloaded over these insecure links, unpacked, and then typically the setup.py python file inside of them is executed (CVE-2013-5123).

This was fixed in python-pip by removing the mirroring support (i.e., the --use-mirrors, -M, and --mirrors flags). With the updated version, in order to use a mirror, one must specify it as the primary index with -i or --index-url, or as an additional index with --extra-index-url.

The python-virtualenv package bundles a copy of python-pip, so it has also been updated to fix this issue.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5123
https://pip.pypa.io/en/latest/news.html
https://lists.fedoraproject.org/pipermail/package-announce/2015-April/155248.html
========================

Updated packages in core/updates_testing:
========================
python-pip-6.1.1-1.mga4
python3-pip-6.1.1-1.mga4
python-virtualenv-12.1.1-1.mga4

from SRPMS:
python-pip-6.1.1-1.mga4.src.rpm
python-virtualenv-12.1.1-1.mga4.src.rpm
CC: (none) => makowski.mageia
Assignee: makowski.mageia => qa-bugs
(In reply to David Walser from comment #7)
> (In reply to Philippe Makowski from comment #2)
> > but reading this the news, I see that 6.1.0 fix also CVE-2015-2296
>
> That CVE was in python-requests. The news says they upgraded their bundled
> copy. Does our python-pip bundle it?

Unfortunately yes, that's also why I chose to update to this version. For the next releases I will look closer at the Debian way of using wheels to unbundle all this, but that needs some work and tests.
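As an added check for the bundling question discussed above (this is not code from the bug report or from the Mageia packages), the scanner below walks a site-packages tree for bundled copies of pip and requests and flags those below the fixed version. It assumes the two layouts in play here: wheels under virtualenv_support/ (virtualenv 12.x) and a vendored source tree under pip/_vendor/ (pip 6.x); the requests fixed version 2.6.0 is also an assumption, the page only says that pip 6.1.0 upgraded its bundled copy.

```python
import os
import re
import tempfile

# Fixed versions: pip 1.5 dropped mirror support (CVE-2013-5123); requests 2.6.0
# fixed CVE-2015-2296 (that requests version is assumed, it is not on the page).
FIXED = {"pip": (1, 5), "requests": (2, 6, 0)}
# Wheel names like pip-6.1.1-py2.py3-none-any.whl (virtualenv_support/ layout, assumed)
WHEEL_RE = re.compile(r"^(pip|requests)-(\d+(?:\.\d+)*)-.*\.whl$")
# __version__ = '2.6.2' inside a vendored package's __init__.py (pip/_vendor/ layout, assumed)
VERSION_RE = re.compile(r"""__version__\s*=\s*['"]([\d.]+)['"]""")

def is_fixed(name, version):
    """True when the dotted `version` string is at least the fixed version for `name`."""
    return tuple(int(p) for p in version.split(".")) >= FIXED[name]

def scan(root):
    """Walk `root`; return (name, version, path, fixed) for every bundled copy found."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:  # bundled wheels
            m = WHEEL_RE.match(fn)
            if m:
                name, ver = m.group(1), m.group(2)
                findings.append((name, ver, os.path.join(dirpath, fn), is_fixed(name, ver)))
        if os.path.basename(dirpath) == "_vendor":  # vendored source trees
            for name in FIXED:
                init = os.path.join(dirpath, name, "__init__.py")
                if not os.path.isfile(init):
                    continue
                with open(init) as fh:
                    vm = VERSION_RE.search(fh.read())
                ver = vm.group(1) if vm else "unknown"  # unknown version is never "fixed"
                findings.append((name, ver, init, bool(vm) and is_fixed(name, ver)))
    return findings

def build_sample_tree(base):
    """Constructed sample tree: an old bundled pip wheel plus a fixed vendored requests."""
    support = os.path.join(base, "virtualenv_support")
    os.makedirs(support)
    open(os.path.join(support, "pip-1.4.1-py2.py3-none-any.whl"), "w").close()
    vendored = os.path.join(base, "pip", "_vendor", "requests")
    os.makedirs(vendored)
    with open(os.path.join(vendored, "__init__.py"), "w") as fh:
        fh.write("__version__ = '2.6.2'\n")
    return base

def demo():
    """Build the constructed tree in a temporary directory and scan it."""
    return scan(build_sample_tree(tempfile.mkdtemp()))
```

Run `scan("/usr/lib/python2.7/site-packages")` (or the python3 equivalent) to check an installed system; `demo()` shows the expected output on the constructed tree, where the old pip wheel is reported as not fixed.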
Thanks Philippe! What a mess :o)

Advisory:
========================

Updated python-pip and python-virtualenv packages fix security vulnerability:

The mirroring support in python-pip was implemented without any sort of authenticity checks and is downloaded over plaintext HTTP. Furthermore, by default it will dynamically discover the list of available mirrors by querying a DNS entry and extrapolating from that data. It does not attempt to use any sort of method of securing this querying of the DNS like DNSSEC. Software packages are downloaded over these insecure links, unpacked, and then typically the setup.py python file inside of them is executed (CVE-2013-5123).

This was fixed in python-pip by removing the mirroring support (i.e., the --use-mirrors, -M, and --mirrors flags). With the updated version, in order to use a mirror, one must specify it as the primary index with -i or --index-url, or as an additional index with --extra-index-url.

The python-virtualenv package bundles a copy of python-pip, so it has also been updated to fix this issue.

The python-virtualenv package bundles python-requests as well, so this update fixes the session fixation issue CVE-2015-2296 in the bundled python-requests.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5123
https://pip.pypa.io/en/latest/news.html
http://advisories.mageia.org/MGASA-2015-0120.html
https://lists.fedoraproject.org/pipermail/package-announce/2015-April/155248.html
Procedures:
pip - https://bugs.mageia.org/show_bug.cgi?id=14969#c3
virtualenv - https://bugs.mageia.org/show_bug.cgi?id=10761#c2
Whiteboard: (none) => has_procedure
Testing complete on mga4 64-bit.

To test python3-pip, just replace 'pip' in the procedure with 'python3-pip'.
Whiteboard: has_procedure => has_procedure mga4-64-ok
MGA4-32 on AcerD620 Xfce
Seems OK, as shown by results:

pip list | grep firebirdsql
[xxxx@yyyy ~]# pip install firebirdsql
Collecting firebirdsql
  Downloading firebirdsql-0.9.7.tar.gz (47kB)
    100% |████████████████████████████████| 49kB 472kB/s
Installing collected packages: firebirdsql
  Running setup.py install for firebirdsql
Successfully installed firebirdsql-0.9.7

pip uninstall firebirdsql
Uninstalling firebirdsql-0.9.7:
  /usr/lib/python2.7/site-packages/firebirdsql-0.9.7-py2.7.egg-info
  /usr/lib/python2.7/site-packages/firebirdsql/__init__.py
  ..and some more ......
Proceed (y/n)? y
  Successfully uninstalled firebirdsql-0.9.7

same results with python3-pip

and

mkdir test
[xxxx@yyyy ~]# cd test
[xxxx@yyyy test]# virtualenv --distribute .
New python executable in ./bin/python
Installing setuptools, pip...done.
[xxxx@yyyy test]# source bin/activate
(test)[xxxx@yyyy test]# pip install circonus
Collecting circonus
  Downloading circonus-0.0.22.tar.gz
Collecting colour (from circonus)
  Downloading colour-0.1.1.tar.gz
Collecting requests (from circonus)
  Downloading requests-2.6.2-py2.py3-none-any.whl (470kB)
    100% |████████████████████████████████| 471kB 215kB/s
Installing collected packages: colour, requests, circonus
  Running setup.py install for colour
  Running setup.py install for circonus
Successfully installed circonus-0.0.22 colour-0.1.1 requests-2.6.2
(test)[xxxx@yyyy test]# pip uninstall circonus
Uninstalling circonus-0.0.22:
  /root/test/lib/python2.7/site-packages/circonus-0.0.22-py2.7.egg-info
  ...and some more....
Proceed (y/n)? y
  Successfully uninstalled circonus-0.0.22
CC: (none) => herman.viaene
Whiteboard: has_procedure mga4-64-ok => has_procedure MGA4-64-OK MGA4-32-OK
Validating. Advisory uploaded. Please push to 4 updates.

Thanks
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-64-OK MGA4-32-OK => has_procedure advisory MGA4-64-OK MGA4-32-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0180.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED