A flaw was found in python-pip. Installing remote packages is vulnerable to directory traversal via Content-Disposition header by a malicious server. Upstream issue: https://github.com/pypa/pip/issues/6413
Created python-pip tracking bugs for this issue:
Affects: epel-6 [bug 1868136]

Created python-pip-epel tracking bugs for this issue:
Affects: epel-7 [bug 1868137]

Created python-virtualenv tracking bugs for this issue:
Affects: epel-6 [bug 1868138]
Fixed upstream in version 19.2:

"""
Prevent pip install <url> from permitting directory traversal if e.g. a malicious server sends a Content-Disposition header with a filename containing ../ or ..\\. (#6413)
"""
https://pip.pypa.io/en/stable/news/#id219

Upstream PR and commit:
https://github.com/pypa/pip/pull/6418
https://github.com/pypa/pip/commit/a4c735b14a62f9cb864533808ac63936704f2ace
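As an added illustration of the defensive handling the upstream fix describes (this is example code written for this page, not pip's own implementation and not part of the bug report): parse the Content-Disposition value, reduce the filename to a single path component treating both "/" and "\" as separators, and independently verify that the final destination stays inside the download directory. The header values and the /tmp/pipdl directory are constructed for the example.

```python
import email.message
import email.utils
import ntpath
import os
import posixpath

# Constructed sample Content-Disposition values, covering the "../" and "..\\"
# filename shapes this bug describes.
SAMPLE_HEADERS = [
    'attachment; filename="requests-2.22.0-py2.py3-none-any.whl"',
    'attachment; filename="../../../../home/user/.bashrc"',
    'attachment; filename="..\\..\\Windows\\Temp\\evil.exe"',
    'attachment; filename="../"',
    'attachment',
]

def parse_content_disposition(header: str):
    """Return the raw "filename" parameter of a Content-Disposition value, or None."""
    msg = email.message.Message()
    msg["content-disposition"] = header
    value = msg.get_param("filename", header="content-disposition")
    if isinstance(value, tuple):  # RFC 2231 encoded parameter
        value = email.utils.collapse_rfc2231_value(value)
    return value or None

def sanitize_filename(name: str, default: str) -> str:
    """Reduce a server-supplied filename to one path component. Both '/' and
    '\\' count as separators whatever the host OS, so '..\\' is neutralised on Linux too."""
    base = ntpath.basename(posixpath.basename(name))
    return default if base in ("", ".", "..") else base

def is_within(root: str, path: str) -> bool:
    """True if path, after symlink and '..' resolution, lies under root."""
    root = os.path.realpath(root)
    return os.path.commonpath([root, os.path.realpath(path)]) == root

def resolve_download_path(download_dir: str, header, default: str) -> str:
    """Destination path derived from the header but confined to download_dir."""
    raw = parse_content_disposition(header) if header else None
    filename = sanitize_filename(raw, default) if raw else default
    dest = os.path.join(download_dir, filename)
    # Independent of the sanitiser: refuse anything that escapes the directory.
    if not is_within(download_dir, dest):
        raise ValueError(f"refusing to write outside {download_dir}: {dest}")
    return dest

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(repr(h), "->", resolve_download_path("/tmp/pipdl", h, "fallback.whl"))
```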
Statement: This issue has been rated as having Moderate impact. Installing software from untrusted servers is strongly discouraged, as it may lead to system compromise regardless of this CVE. This flaw did not affect the versions of `python-pip` in Python 3.8 as shipped with Red Hat Enterprise Linux 8 and Red Hat Software Collections 3, as they already included the fix for this CVE.
Mitigation: Avoid downloading or installing packages from potentially malicious servers via the command-line "pip download" or "pip install".
This issue has been addressed in the following products:

Red Hat Software Collections for Red Hat Enterprise Linux 6
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:4285 https://access.redhat.com/errata/RHSA-2020:4285
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-20916
This issue has been addressed in the following products:

Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:4273 https://access.redhat.com/errata/RHSA-2020:4273
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4432 https://access.redhat.com/errata/RHSA-2020:4432
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4654 https://access.redhat.com/errata/RHSA-2020:4654
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2022:5234 https://access.redhat.com/errata/RHSA-2022:5234