From ${URL} : Description A security issue has been reported in the virtualenvwrapper module for Python, which can be exploited by malicious, local users to manipulate certain data. The security issue is caused due to the application creating certain directories and scripts with insecure group-writable permissions. This can be exploited to e.g. manipulate the script files and subsequently e.g. execute arbitrary shell commands with privileges of another user. Solution: Fixed in the source code repository. Provided and/or discovered by: Simon Ruderich within a Debian bug report. Original Advisory: virtualenvwrapper: https://bitbucket.org/dhellmann/virtualenvwrapper/commits/04f897165c1eb84e6fe52442b0a8fc9f01915aa6 Simon Ruderich: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=745580 @maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
29 Jun 2014; Ian Delaney <idella4@gentoo.org> -virtualenvwrapper-3.7.1.ebuild, -virtualenvwrapper-4.0.ebuild, -virtualenvwrapper-4.1.1.ebuild, -virtualenvwrapper-4.2.ebuild: clean old vulnerable versions wrt Bug #509348 Checked -4.3 and it has the patch merged. This appears to need / warrant a stable version but is only a couple of weeks in portage.
All vulnerable versions have been removed. @security: Please mark this bug as resolved.
Per previous comments all vulnerable versions have been removed.
