Feature implementation for python39-pip, python39-setuptools SUSE Patch security@suse.de SUSE Security Team SUSE-FU-2021:2130-1 Final 1 1 2021-06-23T07:10:31Z current 2021-06-23T07:10:31Z 2021-06-23T07:10:31Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Feature implementation for python39-pip, python39-setuptools This update for python39-pip, python39-setuptools fixes the following issues: Changes in python39-setuptools: - Provide `python39-setuptools` version 44.1.1 with vendored dependencies. (jsc#SLE-17532, jsc#SLE-17957) Changes in python39-pip: - Provide `python39-pip` version 20.2.4 with vendored dependencies. (jsc#SLE-17532, jsc#SLE-17957) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Container bci/python:3-2021-2130,Container containers/python:3.9-2021-2130,Image python_15_6-2021-2130,SUSE-2021-2130,SUSE-SLE-Module-Basesystem-15-SP3-2021-2130 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement//suse-fu-20212130-1/ Link for SUSE-FU-2021:2130-1 https://lists.suse.com/pipermail/sle-updates/2021-June/019414.html E-Mail link for SUSE-FU-2021:2130-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1176262 SUSE Bug 1176262 https://bugzilla.suse.com/1177127 SUSE Bug 1177127 https://bugzilla.suse.com/1187170 SUSE Bug 1187170 https://bugzilla.suse.com/428177 SUSE Bug 428177 https://bugzilla.suse.com/842516 SUSE Bug 842516 https://bugzilla.suse.com/913229 SUSE Bug 913229 https://bugzilla.suse.com/930189 SUSE Bug 930189 https://bugzilla.suse.com/993968 SUSE Bug 993968 https://www.suse.com/security/cve/CVE-2013-5123/ SUSE CVE CVE-2013-5123 page https://www.suse.com/security/cve/CVE-2014-8991/ SUSE CVE CVE-2014-8991 page https://www.suse.com/security/cve/CVE-2015-2296/ SUSE CVE CVE-2015-2296 page https://www.suse.com/security/cve/CVE-2019-20916/ SUSE CVE CVE-2019-20916 page Container bci/python:3 Container containers/python:3.9 Image python_15_6 SUSE Linux Enterprise Module for Basesystem 15 SP3 python39-pip-20.2.4-7.5.1 python39-setuptools-44.1.1-7.3.1 python39-pip-20.2.4-7.5.1 as a component of Container bci/python:3 python39-setuptools-44.1.1-7.3.1 as a component of Container bci/python:3 python39-pip-20.2.4-7.5.1 as a component of Container containers/python:3.9 python39-setuptools-44.1.1-7.3.1 as a component of Container containers/python:3.9 python39-pip-20.2.4-7.5.1 as a component of Image python_15_6 python39-setuptools-44.1.1-7.3.1 as a component of Image python_15_6 python39-pip-20.2.4-7.5.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP3 python39-setuptools-44.1.1-7.3.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP3 The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks. CVE-2013-5123 Container bci/python:3:python39-pip-20.2.4-7.5.1 Container bci/python:3:python39-setuptools-44.1.1-7.3.1 Container containers/python:3.9:python39-pip-20.2.4-7.5.1 Container containers/python:3.9:python39-setuptools-44.1.1-7.3.1 Image python_15_6:python39-pip-20.2.4-7.5.1 Image python_15_6:python39-setuptools-44.1.1-7.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP3:python39-pip-20.2.4-7.5.1 SUSE Linux Enterprise Module for Basesystem 15 SP3:python39-setuptools-44.1.1-7.3.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement//suse-fu-20212130-1/ https://www.suse.com/security/cve/CVE-2013-5123.html CVE-2013-5123 https://bugzilla.suse.com/864406 SUSE Bug 864406 pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a /tmp/pip-build-* file for another user. CVE-2014-8991 Container bci/python:3:python39-pip-20.2.4-7.5.1 Container bci/python:3:python39-setuptools-44.1.1-7.3.1 Container containers/python:3.9:python39-pip-20.2.4-7.5.1 Container containers/python:3.9:python39-setuptools-44.1.1-7.3.1 Image python_15_6:python39-pip-20.2.4-7.5.1 Image python_15_6:python39-setuptools-44.1.1-7.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP3:python39-pip-20.2.4-7.5.1 SUSE Linux Enterprise Module for Basesystem 15 SP3:python39-setuptools-44.1.1-7.3.1 moderate 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement//suse-fu-20212130-1/ https://www.suse.com/security/cve/CVE-2014-8991.html CVE-2014-8991 https://bugzilla.suse.com/907038 SUSE Bug 907038 The resolve_redirects function in sessions.py in requests 2.1.0 through 2.5.3 allows remote attackers to conduct session fixation attacks via a cookie without a host value in a redirect. CVE-2015-2296 Container bci/python:3:python39-pip-20.2.4-7.5.1 Container bci/python:3:python39-setuptools-44.1.1-7.3.1 Container containers/python:3.9:python39-pip-20.2.4-7.5.1 Container containers/python:3.9:python39-setuptools-44.1.1-7.3.1 Image python_15_6:python39-pip-20.2.4-7.5.1 Image python_15_6:python39-setuptools-44.1.1-7.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP3:python39-pip-20.2.4-7.5.1 SUSE Linux Enterprise Module for Basesystem 15 SP3:python39-setuptools-44.1.1-7.3.1 low 1.8 AV:A/AC:H/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement//suse-fu-20212130-1/ https://www.suse.com/security/cve/CVE-2015-2296.html CVE-2015-2296 https://bugzilla.suse.com/922448 SUSE Bug 922448 https://bugzilla.suse.com/926396 SUSE Bug 926396 The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py. CVE-2019-20916 Container bci/python:3:python39-pip-20.2.4-7.5.1 Container bci/python:3:python39-setuptools-44.1.1-7.3.1 Container containers/python:3.9:python39-pip-20.2.4-7.5.1 Container containers/python:3.9:python39-setuptools-44.1.1-7.3.1 Image python_15_6:python39-pip-20.2.4-7.5.1 Image python_15_6:python39-setuptools-44.1.1-7.3.1 SUSE Linux Enterprise Module for Basesystem 15 SP3:python39-pip-20.2.4-7.5.1 SUSE Linux Enterprise Module for Basesystem 15 SP3:python39-setuptools-44.1.1-7.3.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:P/A:N 6.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement//suse-fu-20212130-1/ https://www.suse.com/security/cve/CVE-2019-20916.html CVE-2019-20916 https://bugzilla.suse.com/1176262 SUSE Bug 1176262