Fedora has issued an advisory on January 8: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NKGPJLVLVYCL4L4B4G5TIOTVK4BKPG72/ Our system python-urllib3 was fixed in Bug 23880. I don't know why pip would bundle it instead of using the system one.
We should be able to re-use Fedora's patch from 30 if nothing else: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/XOSA2NT4DUQDBEIWE6O7KKD24XND7TE2/
Status comment: (none) => Patch available from Fedora
Done!
CC: (none) => geiger.david68210
Advisory:
========================
Updated python-pip packages fix security vulnerabilities:

The python-pip package bundles a copy of python-urllib3, which was affected by security issues. The bundled copy was updated to fix these issues (CVE-2019-11324, CVE-2019-11236).

References:
https://advisories.mageia.org/MGASA-2019-0258.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/XOSA2NT4DUQDBEIWE6O7KKD24XND7TE2/
========================
Updated packages in core/updates_testing:
========================
python2-pip-19.0.3-1.1.mga7
python3-pip-19.0.3-1.1.mga7
python-pip-wheel-19.0.3-1.1.mga7

from python-pip-19.0.3-1.1.mga7.src.rpm
Status comment: Patch available from Fedora => (none)
Assignee: python => qa-bugs
Mageia7, x86_64

Updated the packages. Ran locate to see where urllib3 lives. Checked dates.

$ ll /usr/lib/python2.7/site-packages/pip/_vendor/ | grep urllib3
drwxr-xr-x 5 root root 4096 Jan 24 21:01 urllib3/
$ ll /usr/lib/python3.7/site-packages/pip/_vendor/ | grep urllib3
drwxr-xr-x 6 root root 4096 Jan 24 21:02 urllib3/

Tested pip as user. Looked at what is available at https://pypi.org/

$ pip install --user jsons
Collecting jsons
  Downloading https://files.pythonhosted.org/packages/43/53/cad3fe4c5e5cc58d2d46c51b53b15e330183533136fe6726e09826eaad86/jsons-1.1.1-py3-none-any.whl (52kB)
    100% |████████████████████████████████| 61kB 2.0MB/s
Collecting typish>=1.3.1 (from jsons)
  Downloading https://files.pythonhosted.org/packages/69/ac/370f0128f4019720fbfcb326faf44018a46d6567b967aaeed808067b6309/typish-1.3.1-py3-none-any.whl
Installing collected packages: typish, jsons
Successfully installed jsons-1.1.1 typish-1.3.1

$ pip3 install --user tkcalendar
Collecting tkcalendar
  Using cached https://files.pythonhosted.org/packages/e9/d4/9528ea6ecb5d4394f425df651957da6f6a715b41c5b12d43d41888c14394/tkcalendar-1.6.1-py3-none-any.whl
Collecting babel (from tkcalendar)
  Using cached https://files.pythonhosted.org/packages/15/a1/522dccd23e5d2e47aed4b6a16795b8213e3272c7506e625f2425ad025a19/Babel-2.8.0-py2.py3-none-any.whl
Requirement already satisfied: pytz>=2015.7 in /usr/lib/python3.7/site-packages (from babel->tkcalendar) (2018.9)
Installing collected packages: babel, tkcalendar
Successfully installed babel-2.8.0 tkcalendar-1.6.1

Python wheel is the new standard for binary packaging, replacing python eggs. That is more developer territory so we shall leave it aside.

The rest seems to work OK.
Whiteboard: (none) => MGA7-64-OK
CC: (none) => tarazed25
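The test above compared directory dates in pip's _vendor tree. An added check (not part of this bug report or of pip) that goes one step further: import both the system urllib3 and the copy pip vendors, read each one's __version__ and file path, and compare them against a minimum version. The module names probed and the "0.0" minimum used in __main__ are assumptions; substitute the version named in the advisory being verified.

```python
"""Audit which copies of urllib3 this interpreter can load and whether each
meets a minimum version.  Added example, not code from the bug report."""
import importlib
import re
from typing import Dict, Optional, Tuple

# Assumed module paths to probe: the system package and the copy pip vendors.
URLLIB3_CANDIDATES = ("urllib3", "pip._vendor.urllib3")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.24.2' (or '1.25.3.post1') into a comparable tuple of ints.
    Trailing non-numeric suffixes are ignored; a malformed string raises."""
    match = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not match:
        raise ValueError(f"not a version: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def meets_minimum(found: str, minimum: str) -> bool:
    """True when `found` is at least `minimum` (numeric, so 1.24.10 > 1.24.2)."""
    return parse_version(found) >= parse_version(minimum)


def probe_copy(module_name: str) -> Optional[Tuple[str, str]]:
    """Import one candidate; return (version, file path) or None if absent."""
    try:
        mod = importlib.import_module(module_name)
    except ImportError:
        return None
    return (getattr(mod, "__version__", "0"), getattr(mod, "__file__", "?"))


def audit(minimum: str) -> Dict[str, str]:
    """Map each candidate module name to 'missing', or to its status, version
    and location, so a vendored copy lagging the system one stands out."""
    report: Dict[str, str] = {}
    for name in URLLIB3_CANDIDATES:
        found = probe_copy(name)
        if found is None:
            report[name] = "missing"
            continue
        version, path = found
        status = "ok" if meets_minimum(version, minimum) else "OUTDATED"
        report[name] = f"{status} {version} at {path}"
    return report


if __name__ == "__main__":
    # "0.0" is a placeholder minimum; use the fixed version from the advisory.
    for name, status in audit("0.0").items():
        print(f"{name}: {status}")
```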
A quick enquiry brings up virtualenv:

$ urpmq --whatrequires python-pip-wheel | uniq
lib64python2.7-stdlib
lib64python3.7-stdlib
python-pip-wheel
python2-virtualenv
python3-virtualenv

A recursive search shows 3293 entries.
Validating. Advisory in Comment 3.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0063.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED