Bug 33542 - python-pip new security issue CVE-2023-5752
Summary: python-pip new security issue CVE-2023-5752
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://lists.opensuse.org/archives/l...
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2024-09-08 09:43 CEST by Nicolas Salguero
Modified: 2025-02-12 07:38 CET
CC List: 5 users

See Also:
Source RPM: python-pip-23.0.1-1.mga9.src.rpm
CVE: CVE-2023-5752
Status comment:


Attachments

Description Nicolas Salguero 2024-09-08 09:43:48 CEST
openSUSE has issued an advisory on September 6:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/LNQOIWP4YVW27J2PSFKW5GCWPMU7ZATV/
Nicolas Salguero 2024-09-08 09:44:51 CEST

Status comment: (none) => Fixed upstream in 23.3 and patch available from upstream and openSUSE
CVE: (none) => CVE-2023-5752
Source RPM: (none) => python-pip-23.0.1-1.mga9.src.rpm

Comment 1 Marja Van Waes 2024-09-08 17:22:14 CEST
Assigning to our Python Stack Maintainers, CC'ing our registered maintainer.

CC: (none) => mageia, marja11
Assignee: bugsquad => python
URL: (none) => https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/LNQOIWP4YVW27J2PSFKW5GCWPMU7ZATV/

Comment 2 Nicolas Salguero 2025-02-10 16:32:02 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Mercurial configuration injectable in repo revision when installing via pip. (CVE-2023-5752)

References:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/LNQOIWP4YVW27J2PSFKW5GCWPMU7ZATV/
========================

Updated packages in core/updates_testing:
========================
python-pip-doc-23.0.1-1.1.mga9
python-pip-wheel-23.0.1-1.1.mga9
python3-pip-23.0.1-1.1.mga9

from SRPM:
python-pip-23.0.1-1.1.mga9.src.rpm

Status: NEW => ASSIGNED
Status comment: Fixed upstream in 23.3 and patch available from upstream and openSUSE => (none)
Assignee: python => qa-bugs
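The one-line advisory text above names the bug class but not the mechanism. The following is an added illustration, not pip's, openSUSE's or Mageia's code, and the page does not reproduce upstream's patch: it models a requirement of the form hg+<url>@<rev> whose revision is spliced into an "hg update" command line. If the revision is appended as a bare positional argument, a revision that begins with "--" is read by Mercurial's option parser instead of as a changeset; "--config section.name=value" is hg's documented way to override any setting for one invocation, which is what "Mercurial configuration injectable in repo revision" refers to. Passing the revision as the value of --rev, glued with "=", keeps it a value. The function names, the sample requirement and the injected config value are constructed for this example.

```python
"""Argument injection through a VCS revision string (the bug class named in
CVE-2023-5752).  Added illustration, not pip's own code: it models an
'hg+<url>@<rev>' requirement whose <rev> ends up in an 'hg update' argv.
Function names and the sample requirement are constructed for this example.
"""

from typing import List, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

# Constructed sample input: the "revision" is a Mercurial global option,
# not a changeset.  '--config section.name=value' overrides any hg setting
# for a single invocation; the value used here is illustrative only.
EVIL_REQUIREMENT = (
    "hg+https://hg.example.org/pkg@--config=paths.default=https://evil.example/pkg"
)


def split_vcs_requirement(req: str) -> Tuple[str, Optional[str]]:
    """Return (clone_url, rev) for an 'hg+<url>[@<rev>]' requirement.

    The revision is whatever follows the last '@' in the URL *path*; the
    netloc is parsed separately, so 'user@host' is never mistaken for it.
    """
    if not req.startswith("hg+"):
        raise ValueError("not an hg+ requirement")
    parts = urlsplit(req[len("hg+"):])
    path, sep, rev = parts.path.rpartition("@")
    if not sep:
        return urlunsplit(parts), None
    return urlunsplit(parts._replace(path=path)), rev


def update_argv_vulnerable(rev: str) -> List[str]:
    """Pre-fix pattern: the revision is appended as a bare positional
    argument, so a value beginning with '-' reaches hg's option parser."""
    return ["hg", "update", rev]


def update_argv_fixed(rev: str) -> List[str]:
    """Hardened pattern: the revision is the value of --rev, joined with '='
    so it can never be tokenised as an option of its own."""
    return ["hg", "update", f"--rev={rev}"]


def option_names(argv: List[str]) -> List[str]:
    """Names of the long options hg would see after the subcommand.

    A small model of getopt-style parsing, enough to show the difference:
    a token is an option if it starts with '--' and precedes any bare '--'.
    """
    names = []
    for tok in argv[2:]:
        if tok == "--":
            break
        if tok.startswith("--"):
            names.append(tok.split("=", 1)[0])
    return names


def revision_is_safe(rev: str) -> bool:
    """Input-side check for callers that cannot change the argv shape:
    anything that looks like an option is rejected before hg is spawned."""
    return bool(rev) and not rev.startswith("-")


if __name__ == "__main__":
    url, rev = split_vcs_requirement(EVIL_REQUIREMENT)
    print("clone url :", url)
    print("revision  :", rev)
    print("vulnerable:", option_names(update_argv_vulnerable(rev)))  # ['--config']
    print("fixed     :", option_names(update_argv_fixed(rev)))       # ['--rev']
    print("safe rev? :", revision_is_safe(rev))                       # False
```

The two argv builders differ only in how the revision is attached; that is the whole fix for this class of bug. The input-side check is a belt-and-braces measure for code that shells out to a VCS with user-controlled strings in any position, since a legitimate Mercurial changeset, tag or branch name does not begin with a dash.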

katnatek 2025-02-10 20:17:57 CET

Keywords: (none) => advisory

Comment 3 Herman Viaene 2025-02-11 14:46:41 CET
MGA9-64 Plasma Wayland on Compaq H000SB
No installation issues.
Tested using Len's wisdom from bug 29010:
$ pip install --user pandas
Collecting pandas
  Downloading pandas-2.2.3-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (13.1 MB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 13.1/13.1 MB 5.0 MB/s eta 0:00:00
Requirement already satisfied: pytz>=2020.1 in /usr/lib/python3.10/site-packages (from pandas) (2023.3)
Requirement already satisfied: numpy>=1.22.4 in /usr/lib64/python3.10/site-packages (from pandas) (1.24.3)
Requirement already satisfied: python-dateutil>=2.8.2 in /usr/lib/python3.10/site-packages (from pandas) (2.8.2)
Collecting tzdata>=2022.7
  Downloading tzdata-2025.1-py2.py3-none-any.whl (346 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 346.8/346.8 kB 2.7 MB/s eta 0:00:00
Requirement already satisfied: six>=1.5 in /usr/lib/python3.10/site-packages (from python-dateutil>=2.8.2->pandas) (1.16.0)
Installing collected packages: tzdata, pandas
Successfully installed pandas-2.2.3 tzdata-2025.1
Good to go for me.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA9-64-OK

Comment 4 Thomas Andrews 2025-02-11 16:30:39 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 5 Mageia Robot 2025-02-12 07:38:46 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0055.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

