Gentoo Archives: gentoo-announce

From: Chris Reffett <creffett@g.o>
To: gentoo-announce@g.o
Subject: [gentoo-announce] [ GLSA 201309-05 ] pip: Multiple vulnerabilities
Date: Thu, 12 Sep 2013 21:43:56
Message-Id: 52323531.2030300@gentoo.org
1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 Gentoo Linux Security Advisory GLSA 201309-05
3 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4 http://security.gentoo.org/
5 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7 Severity: Normal
8 Title: pip: Multiple vulnerabilities
9 Date: September 12, 2013
10 Bugs: #462616, #480202
11 ID: 201309-05
12
13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15 Synopsis
16 ========
17
18 Multiple vulnerabilities have been found in pip, which may allow remote
19 attackers to execute arbitrary code or local attackers to conduct
20 symlink attacks.
21
22 Background
23 ==========
24
25 pip is a tool for installing and managing Python packages.
26
27 Affected packages
28 =================
29
30 -------------------------------------------------------------------
31 Package / Vulnerable / Unaffected
32 -------------------------------------------------------------------
33 1 dev-python/pip < 1.3.1 >= 1.3.1
34
35 Description
36 ===========
37
38 Multiple vulnerabilities have been discovered in pip. Please review the
39 CVE identifiers referenced below for details.
40
41 Impact
42 ======
43
44 A remote attacker could conduct a Man-in-the-Middle attack to cause pip
45 to execute arbitrary code. A local attacker could perform symlink
46 attacks to overwrite arbitrary files with the privileges of the user
47 running the application.
48
49 Workaround
50 ==========
51
52 There is no known workaround at this time.
53
54 Resolution
55 ==========
56
57 All pip users should upgrade to the latest version:
58
59 # emerge --sync
60 # emerge --ask --oneshot --verbose ">=dev-python/pip-1.3.1"
61
62 References
63 ==========
64
65 [ 1 ] CVE-2013-1629
66 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1629
67 [ 2 ] CVE-2013-1888
68 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1888
69
70 Availability
71 ============
72
73 This GLSA and any updates to it are available for viewing at
74 the Gentoo Security Website:
75
76 http://security.gentoo.org/glsa/glsa-201309-05.xml
77
78 Concerns?
79 =========
80
81 Security is a primary focus of Gentoo Linux and ensuring the
82 confidentiality and security of our users' machines is of utmost
83 importance to us. Any security concerns should be addressed to
84 security@g.o or alternatively, you may file a bug at
85 https://bugs.gentoo.org.
86
87 License
88 =======
89
90 Copyright 2013 Gentoo Foundation, Inc; referenced text
91 belongs to its owner(s).
92
93 The contents of this document are licensed under the
94 Creative Commons - Attribution / Share Alike license.
95
96 http://creativecommons.org/licenses/by-sa/2.5

Attachments

File name MIME type
signature.asc application/pgp-signature