Bug 923976
| Summary: | python-pip: insecure temporary directory usage [epel-all] | ||
|---|---|---|---|
| Product: | [Fedora] Fedora EPEL | Reporter: | Vincent Danen <vdanen> |
| Component: | python-pip | Assignee: | Tim Flink <tflink> |
| Status: | CLOSED EOL | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | el6 | CC: | a.badger, gwync, metherid, tflink |
| Target Milestone: | --- | Keywords: | Security, SecurityTracking |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Release Note | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-11-30 15:57:28 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 923974 | ||
|
Description
Vincent Danen
2013-03-20 20:19:34 UTC
Please use the following update submission link to create the Bodhi request for this issue as it contains the top-level parent bug(s) as well as this tracking bug. This will ensure that all associated bugs get updated when new packages are pushed to stable. Please also ensure that the "Close bugs when update is stable" option remains checked. Bodhi update submission link: https://admin.fedoraproject.org/updates/new/?type_=security&bugs=923974,923976 python-pip-1.3.1-1.el6 has been submitted as an update for Fedora EPEL 6. https://admin.fedoraproject.org/updates/python-pip-1.3.1-1.el6 Crashes on el5, not updated:
Python 2.4.3 (#1, Jan 9 2013, 06:49:54)
[GCC 4.1.2 20080704 (Red Hat 4.1.2-54)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import pip
Traceback (most recent call last):
File "<stdin>", line 1, in ?
File "/usr/lib/python2.4/site-packages/pip/__init__.py", line 12, in ?
from pip.commands import commands, get_similar_commands, get_summaries
File "/usr/lib/python2.4/site-packages/pip/commands/__init__.py", line 6, in ?
from pip.commands.bundle import BundleCommand
File "/usr/lib/python2.4/site-packages/pip/commands/bundle.py", line 5, in ?
from pip.commands.install import InstallCommand
File "/usr/lib/python2.4/site-packages/pip/commands/install.py", line 5, in ?
from pip.req import InstallRequirement, RequirementSet, parse_requirements
File "/usr/lib/python2.4/site-packages/pip/req.py", line 1292
skip_regex = options.skip_requirements_regex if options else None
^
SyntaxError: invalid syntax
Package python-pip-1.3.1-1.el6: * should fix your issue, * was pushed to the Fedora EPEL 6 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=epel-testing python-pip-1.3.1-1.el6' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-5562/python-pip-1.3.1-1.el6 then log in and leave karma (feedback). talked with tflink on IRC about el5. He's leaning towards retiring python-pip for EL5. Then it would be possible for someone interested to create a python26-pip package if they wished. That would mean that installing modules via pip would only be possible for the python26 interpreter, not the python-2.4 that ships with RHEL5. But for a lot of developers, that might not be so bad. If someone really wants pip as an rpm for python-2.4 they'd need to either port the current pip to python-2.4 or backport this security fix, backport pip's change to use pypi's https url and check the SSL hostname, and fix pip's implementation of ssl_match_hostname to either use the python-backports-ssl-match_hostname package or to not be vulnerable to CVE-2013-2099: https://bugzilla.redhat.com/show_bug.cgi?id=963260#c14 Let me know what is decided here so that I can advise the python-virtualenv maintainer what to do for these vulnerabilities and issues in the python-virtualenv epel5 package (which is bundling an this older, insecure version of pip). We have no problem with either retiring it or backporting, so I suppose the answer is whether or not anyone wants to invest the effort there. My personal opinion is that not having python-pip available is better than having it available and unfixed. This message is a reminder that EPEL 6 is nearing its end of life. Fedora will stop maintaining and issuing updates for EPEL 6 on 2020-11-30. It is our policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of 'el6'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later EPEL version. Thank you for reporting this issue and we are sorry that we were not able to fix it before EPEL 6 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. EPEL el6 changed to end-of-life (EOL) status on 2020-11-30. EPEL el6 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of EPEL please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed. |