This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora EPEL. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When creating a Bodhi update request, please use the bodhi submission link noted in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the Bodhi notes field when available. Please note: this issue affects multiple supported versions of Fedora EPEL. Only one tracking bug has been filed; please ensure that it is only closed when all affected versions are fixed. [bug automatically created by: add-tracking-bugs]
Please use the following update submission link to create the Bodhi request for this issue as it contains the top-level parent bug(s) as well as this tracking bug. This will ensure that all associated bugs get updated when new packages are pushed to stable. Please also ensure that the "Close bugs when update is stable" option remains checked. Bodhi update submission link: https://admin.fedoraproject.org/updates/new/?type_=security&bugs=923974,923976
python-pip-1.3.1-1.el6 has been submitted as an update for Fedora EPEL 6. https://admin.fedoraproject.org/updates/python-pip-1.3.1-1.el6
Crashes on el5, not updated: Python 2.4.3 (#1, Jan 9 2013, 06:49:54) [GCC 4.1.2 20080704 (Red Hat 4.1.2-54)] on linux2 Type "help", "copyright", "credits" or "license" for more information. >>> import pip Traceback (most recent call last): File "<stdin>", line 1, in ? File "/usr/lib/python2.4/site-packages/pip/__init__.py", line 12, in ? from pip.commands import commands, get_similar_commands, get_summaries File "/usr/lib/python2.4/site-packages/pip/commands/__init__.py", line 6, in ? from pip.commands.bundle import BundleCommand File "/usr/lib/python2.4/site-packages/pip/commands/bundle.py", line 5, in ? from pip.commands.install import InstallCommand File "/usr/lib/python2.4/site-packages/pip/commands/install.py", line 5, in ? from pip.req import InstallRequirement, RequirementSet, parse_requirements File "/usr/lib/python2.4/site-packages/pip/req.py", line 1292 skip_regex = options.skip_requirements_regex if options else None ^ SyntaxError: invalid syntax
Package python-pip-1.3.1-1.el6: * should fix your issue, * was pushed to the Fedora EPEL 6 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=epel-testing python-pip-1.3.1-1.el6' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-5562/python-pip-1.3.1-1.el6 then log in and leave karma (feedback).
talked with tflink on IRC about el5. He's leaning towards retiring python-pip for EL5. Then it would be possible for someone interested to create a python26-pip package if they wished. That would mean that installing modules via pip would only be possible for the python26 interpreter, not the python-2.4 that ships with RHEL5. But for a lot of developers, that might not be so bad. If someone really wants pip as an rpm for python-2.4 they'd need to either port the current pip to python-2.4 or backport this security fix, backport pip's change to use pypi's https url and check the SSL hostname, and fix pip's implementation of ssl_match_hostname to either use the python-backports-ssl-match_hostname package or to not be vulnerable to CVE-2013-2099: https://bugzilla.redhat.com/show_bug.cgi?id=963260#c14 Let me know what is decided here so that I can advise the python-virtualenv maintainer what to do for these vulnerabilities and issues in the python-virtualenv epel5 package (which is bundling an this older, insecure version of pip).
We have no problem with either retiring it or backporting, so I suppose the answer is whether or not anyone wants to invest the effort there. My personal opinion is that not having python-pip available is better than having it available and unfixed.
This message is a reminder that EPEL 6 is nearing its end of life. Fedora will stop maintaining and issuing updates for EPEL 6 on 2020-11-30. It is our policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of 'el6'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later EPEL version. Thank you for reporting this issue and we are sorry that we were not able to fix it before EPEL 6 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above.
EPEL el6 changed to end-of-life (EOL) status on 2020-11-30. EPEL el6 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of EPEL please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.