Malware Devil

Friday, December 11, 2020

ESB-2020.4370 – [SUSE] python-pip & python-scripttest: Multiple vulnerabilities

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.4370
             Security update for python-pip, python-scripttest
                             11 December 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           python-pip
                   python-scripttest
Publisher:         SUSE
Operating System:  SUSE
Impact/Access:     Overwrite Arbitrary Files -- Remote with User Interaction
                   Reduced Security          -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-20916  

Reference:         ESB-2020.4281
                   ESB-2020.4237
                   ESB-2020.3864
                   ESB-2020.3656

Original Bulletin: 
   https://www.suse.com/support/update/announcement/2020/suse-su-20203737-1

--------------------------BEGIN INCLUDED TEXT--------------------

SUSE Security Update: Security update for python-pip, python-scripttest

______________________________________________________________________________

Announcement ID:   SUSE-SU-2020:3737-1
Rating:            moderate
References:        #1175297 #1176262
Cross-References:  CVE-2019-20916
Affected Products:
                   SUSE Linux Enterprise Module for Python2 15-SP2
                   SUSE Linux Enterprise Module for Python2 15-SP1
                   SUSE Linux Enterprise Module for Basesystem 15-SP2
                   SUSE Linux Enterprise Module for Basesystem 15-SP1
______________________________________________________________________________

An update that solves one vulnerability, contains one feature and has one
errata is now available.

Description:

This update for python-pip, python-scripttest fixes the following issues:

  o Update in SLE-15 (bsc#1175297, jsc#ECO-3035, jsc#PM-2318)


python-pip was updated to 20.0.2:

  o Fix a regression in generation of compatibility tags
  o Rename an internal module, to avoid ImportErrors due to improper
    uninstallation
  o Switch to a dedicated CLI tool for vendoring dependencies.
  o Remove wheel tag calculation from pip and use packaging.tags. This should
    provide more tags ordered better than in prior releases.
  o Deprecate setup.py-based builds that do not generate an .egg-info
    directory.
  o The pip>=20 wheel cache is not retro-compatible with previous versions.
    Until pip 21.0, pip will continue to take advantage of existing legacy
    cache entries.
  o Deprecate undocumented --skip-requirements-regex option.
  o Deprecate passing install-location-related options via --install-option.
  o Use literal "abi3" for wheel tag on CPython 3.x, to align with PEP 384
    which only defines it for this platform.
  o Remove interpreter-specific major version tag e.g. cp3-none-any from
    consideration. This behavior was not documented strictly, and this tag in
    particular is not useful. Anyone with a use case can create an issue with
    pypa/packaging.
  o Wheel processing no longer permits wheels containing more than one
    top-level .dist-info directory.
  o Support for the git+git@ form of VCS requirement is being deprecated and
    will be removed in pip 21.0. Switch to git+https:// or git+ssh://.
    git+git:// also works but its use is discouraged as it is insecure.
  o Default to doing a user install (as if --user was passed) when the main
    site-packages directory is not writeable and user site-packages are
    enabled.
  o Warn if a path in PATH starts with tilde during pip install.
  o Cache wheels built from Git requirements that are considered immutable,
    because they point to a commit hash.
  o Add option --no-python-version-warning to silence warnings related to
    deprecation of Python versions.
  o Cache wheels that pip wheel built locally, matching what pip install does.
    This particularly helps performance in workflows where pip wheel is used
    for building before installing. Users desiring the original behavior can
    use pip wheel --no-cache-dir.
  o Display CA information in pip debug.
  o Show only the filename (instead of full URL), when downloading from PyPI.
  o Suggest a more robust command to upgrade pip itself to avoid confusion when
    the current pip command is not available as pip.
  o Define all old pip console script entrypoints to prevent import issues in
    stale wrapper scripts.
  o The build step of pip wheel now builds all wheels to a cache first, then
    copies them to the wheel directory all at once. Before, it built them to a
    temporary directory and moved them to the wheel directory one by one.
  o Expand ~ prefix to user directory in path options, configs, and environment
    variables. Values that may be either URL or path are not currently
    supported, to avoid ambiguity:
      - --find-links
      - --constraint, -c
      - --requirement, -r
      - --editable, -e

  o Correctly handle system site-packages, in virtual environments created with
    venv (PEP 405).
  o Fix case sensitive comparison of pip freeze when used with -r option.
  o Enforce PEP 508 requirement format in pyproject.toml build-system.requires.
  o Make ensure_dir() also ignore ENOTEMPTY as seen on Windows.
  o Fix building packages which specify backend-path in pyproject.toml.
  o Do not attempt to run setup.py clean after a pep517 build error, since a
    setup.py may not exist in that case.
  o Fix passwords being visible in the index-url in "Downloading " message.
  o Change method from shutil.remove to shutil.rmtree in noxfile.py.
  o Skip running tests which require subversion, when svn isn't installed.
  o Fix not sending client certificates when using --trusted-host.
  o Make sure pip wheel never outputs pure python wheels with a python
    implementation tag. Better fix/workaround for #3025 by using a
    per-implementation wheel cache instead of caching pure python wheels with
    an implementation tag in their name.
  o Include subdirectory URL fragments in cache keys.
  o Fix typo in warning message when any of --build-option, --global-option and
    --install-option is used in requirements.txt.
  o Fix the logging of cached HTTP response shown as downloading.
  o Effectively disable the wheel cache when it is not writable, as is the case
    with the http cache.
  o Correctly handle relative cache directory provided via --cache-dir.
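The "Fix passwords being visible in the index-url in 'Downloading' message" item above concerns credentials leaking from a private index URL into build and CI logs. As an added example (not pip's own code, though pip carries a similar helper), the following redacts the userinfo part of any URL and audits constructed sample log lines for entries a pre-fix pip would have written with the password intact; the index host and credentials are made up.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Matches the URLs pip prints in "Downloading ..." and "Looking in indexes" lines.
_URL = re.compile(r"https?://[^\s'\"<>]+")

def redact_auth_from_url(url: str) -> str:
    """Return url with the password replaced by **** (or the whole userinfo
    when there is no password). URLs without credentials pass through."""
    parts = urlsplit(url)
    userinfo, sep, hostport = parts.netloc.rpartition("@")
    if not sep:
        return url
    user, colon, _password = userinfo.partition(":")
    redacted = f"{user}:****" if colon else "****"
    return urlunsplit(parts._replace(netloc=f"{redacted}@{hostport}"))

def scrub_line(line: str) -> str:
    """Redact credentials in every URL found in a log line."""
    return _URL.sub(lambda m: redact_auth_from_url(m.group(0)), line)

def leaked_credential_lines(lines):
    """Return (line_no, scrubbed) for each line that exposed a password or
    token in a URL; useful for auditing CI logs written by a pre-fix pip."""
    hits = []
    for no, line in enumerate(lines, 1):
        scrubbed = scrub_line(line)
        if scrubbed != line:
            hits.append((no, scrubbed))
    return hits

# Constructed sample of pip output against a private index (not real output).
SAMPLE_LOG = [
    "Looking in indexes: https://deploy:****@pypi.example.internal/simple/",
    "Collecting requests",
    "  Downloading https://deploy:s3cret@pypi.example.internal/packages/"
    "requests-2.25.0-py2.py3-none-any.whl (61 kB)",
    "Installing collected packages: requests",
]

if __name__ == "__main__":
    for no, scrubbed in leaked_credential_lines(SAMPLE_LOG):
        print(f"line {no} leaked a credential; safe form: {scrubbed}")
```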

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  o SUSE Linux Enterprise Module for Python2 15-SP2:
    zypper in -t patch SUSE-SLE-Module-Python2-15-SP2-2020-3737=1
  o SUSE Linux Enterprise Module for Python2 15-SP1:
    zypper in -t patch SUSE-SLE-Module-Python2-15-SP1-2020-3737=1
  o SUSE Linux Enterprise Module for Basesystem 15-SP2:
    zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2020-3737=1
  o SUSE Linux Enterprise Module for Basesystem 15-SP1:
    zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-3737=1

Package List:

  o SUSE Linux Enterprise Module for Python2 15-SP2 (noarch):
       python2-pip-20.0.2-6.12.1
  o SUSE Linux Enterprise Module for Python2 15-SP1 (noarch):
       python2-pip-20.0.2-6.12.1
  o SUSE Linux Enterprise Module for Basesystem 15-SP2 (noarch):
       python3-pip-20.0.2-6.12.1
  o SUSE Linux Enterprise Module for Basesystem 15-SP1 (noarch):
       python3-pip-20.0.2-6.12.1
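To confirm the patch actually landed on a host (rather than trusting that zypper ran), compare the installed RPM version-release against the values in the Package List above. This is an added example, not SUSE tooling: it implements RPM's segment-wise version comparison (without the '~' and '^' special cases) and queries rpm only when it is present, so the comparison itself also works off-box over inventory data.

```python
import re
import subprocess

# Fixed version-release strings from the bulletin's Package List.
FIXED = {"python2-pip": "20.0.2-6.12.1", "python3-pip": "20.0.2-6.12.1"}
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")

def rpm_vercmp(a: str, b: str) -> int:
    """rpmvercmp without the '~'/'^' cases: split into digit and letter runs,
    compare digit runs numerically and letter runs lexically; a digit run
    beats a letter run; if all runs tie, more runs wins. Returns -1/0/1."""
    seg_a, seg_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    return (len(seg_a) > len(seg_b)) - (len(seg_a) < len(seg_b))

def evr_cmp(a: str, b: str) -> int:
    """Compare 'version-release' strings: version first, then release."""
    va, _, ra = a.partition("-")
    vb, _, rb = b.partition("-")
    return rpm_vercmp(va, vb) or rpm_vercmp(ra, rb)

def is_patched(pkg: str, installed: str) -> bool:
    """True when the installed version-release is at or above the fix."""
    return evr_cmp(installed, FIXED[pkg]) >= 0

def installed_vr(pkg: str):
    """Query rpm for the installed version-release; None when the package
    is not installed or rpm itself is missing (running off-box)."""
    try:
        r = subprocess.run(["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}", pkg],
                           capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return r.stdout.strip() if r.returncode == 0 else None

if __name__ == "__main__":
    for pkg in FIXED:
        vr = installed_vr(pkg)
        if vr is None:
            print(f"{pkg}: not installed")
        else:
            print(f"{pkg}-{vr}: {'patched' if is_patched(pkg, vr) else 'VULNERABLE'}")
```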


References:

  o https://www.suse.com/security/cve/CVE-2019-20916.html
  o https://bugzilla.suse.com/1175297
  o https://bugzilla.suse.com/1176262

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
