Security update for python-pip SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2021:4001-1 Final 1 1 2021-12-13T09:30:04Z current 2021-12-13T09:30:04Z 2021-12-13T09:30:04Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for python-pip This update for python-pip fixes the following issues: - CVE-2021-3572: Fixed incorrect handling of unicode separators in git references (bsc#1186819). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Container bci/python:3-2021-4001,Container trento/trento-runner:latest-2021-4001,Image SLES15-SP3-BYOS-Azure-2021-4001,Image SLES15-SP3-HPC-Azure-2021-4001,Image SLES15-SP3-HPC-BYOS-Azure-2021-4001,Image SLES15-SP3-Manager-4-2-Proxy-BYOS-Azure-2021-4001,Image SLES15-SP3-Manager-4-2-Server-BYOS-Azure-2021-4001,Image SLES15-SP3-SAP-Azure-2021-4001,Image SLES15-SP3-SAP-BYOS-Azure-2021-4001,Image SLES15-SP3-SAPCAL-Azure-2021-4001,SUSE-2021-4001,SUSE-SLE-Module-Basesystem-15-SP2-2021-4001,SUSE-SLE-Module-Basesystem-15-SP3-2021-4001,SUSE-SLE-Module-Python2-15-SP2-2021-4001,SUSE-SLE-Module-Python2-15-SP3-2021-4001 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2021/suse-su-20214001-1/ Link for SUSE-SU-2021:4001-1 https://lists.suse.com/pipermail/sle-security-updates/2021-December/009888.html E-Mail link for SUSE-SU-2021:4001-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1186819 SUSE Bug 1186819 https://www.suse.com/security/cve/CVE-2021-3572/ SUSE CVE CVE-2021-3572 page Container bci/python:3 Container trento/trento-runner:latest Image SLES15-SP3-BYOS-Azure Image SLES15-SP3-HPC-Azure Image SLES15-SP3-HPC-BYOS-Azure Image SLES15-SP3-Manager-4-2-Proxy-BYOS-Azure Image SLES15-SP3-Manager-4-2-Server-BYOS-Azure Image SLES15-SP3-SAP-Azure Image SLES15-SP3-SAP-BYOS-Azure Image SLES15-SP3-SAPCAL-Azure SUSE Linux Enterprise Module for Basesystem 15 SP2 SUSE Linux Enterprise Module for Basesystem 15 SP3 SUSE Linux Enterprise Module for Python 2 15 SP2 SUSE Linux Enterprise Module for Python 2 15 SP3 python3-pip-20.0.2-6.15.1 python2-pip-20.0.2-6.15.1 python3-pip-20.0.2-6.15.1 as a component of Container bci/python:3 python3-pip-20.0.2-6.15.1 as a component of Container trento/trento-runner:latest python3-pip-20.0.2-6.15.1 as a component of Image SLES15-SP3-BYOS-Azure python3-pip-20.0.2-6.15.1 as a component of Image SLES15-SP3-HPC-Azure python3-pip-20.0.2-6.15.1 as a component of Image SLES15-SP3-HPC-BYOS-Azure python3-pip-20.0.2-6.15.1 as a component of Image SLES15-SP3-Manager-4-2-Proxy-BYOS-Azure python3-pip-20.0.2-6.15.1 as a component of Image SLES15-SP3-Manager-4-2-Server-BYOS-Azure python3-pip-20.0.2-6.15.1 as a component of Image SLES15-SP3-SAP-Azure python3-pip-20.0.2-6.15.1 as a component of Image SLES15-SP3-SAP-BYOS-Azure python3-pip-20.0.2-6.15.1 as a component of Image SLES15-SP3-SAPCAL-Azure python3-pip-20.0.2-6.15.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP2 python3-pip-20.0.2-6.15.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP3 python2-pip-20.0.2-6.15.1 as a component of SUSE Linux Enterprise Module for Python 2 15 SP2 python2-pip-20.0.2-6.15.1 as a component of SUSE Linux Enterprise Module for Python 2 15 SP3 A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1. CVE-2021-3572 Container bci/python:3:python3-pip-20.0.2-6.15.1 Container trento/trento-runner:latest:python3-pip-20.0.2-6.15.1 Image SLES15-SP3-BYOS-Azure:python3-pip-20.0.2-6.15.1 Image SLES15-SP3-HPC-Azure:python3-pip-20.0.2-6.15.1 Image SLES15-SP3-HPC-BYOS-Azure:python3-pip-20.0.2-6.15.1 Image SLES15-SP3-Manager-4-2-Proxy-BYOS-Azure:python3-pip-20.0.2-6.15.1 Image SLES15-SP3-Manager-4-2-Server-BYOS-Azure:python3-pip-20.0.2-6.15.1 Image SLES15-SP3-SAP-Azure:python3-pip-20.0.2-6.15.1 Image SLES15-SP3-SAP-BYOS-Azure:python3-pip-20.0.2-6.15.1 Image SLES15-SP3-SAPCAL-Azure:python3-pip-20.0.2-6.15.1 SUSE Linux Enterprise Module for Basesystem 15 SP2:python3-pip-20.0.2-6.15.1 SUSE Linux Enterprise Module for Basesystem 15 SP3:python3-pip-20.0.2-6.15.1 SUSE Linux Enterprise Module for Python 2 15 SP2:python2-pip-20.0.2-6.15.1 SUSE Linux Enterprise Module for Python 2 15 SP3:python2-pip-20.0.2-6.15.1 moderate 3.5 AV:N/AC:M/Au:S/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20214001-1/ https://www.suse.com/security/cve/CVE-2021-3572.html CVE-2021-3572 https://bugzilla.suse.com/1186819 SUSE Bug 1186819