| Summary: | <dev-python/pip-7.0.0: insecure software download with mirroring support | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | python |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1066692 | | |
| Whiteboard: | B3 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |

Description
Agostino Sarubbo
2014-02-19 08:38:49 UTC
commit 015c1f58eed5da83e9b4602b91fb34f898c8a3a6
Author: Justin Lecher <jlec@gentoo.org>
Date: Mon Nov 23 10:54:42 2015 +0100

dev-python/pip: Drop vulnerable versions for CVE-2014-8991 and CVE-2013-5123

Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=529954
Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=501752

Package-Manager: portage-2.2.25
Signed-off-by: Justin Lecher <jlec@gentoo.org>

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=015c1f58eed5da83e9b4602b91fb34f898c8a3a6

@security Tree is clean again

This issue was fixed in version 1.5:

https://pip.pypa.io/en/latest/news/

1.5 (2014-01-01)

BACKWARD INCOMPATIBLE pip no longer supports the --use-mirrors, -M, and --mirrors flags. The mirroring support has been removed. In order to use a mirror specify it as the primary index with -i or --index-url, or as an additional index with --extra-index-url. (PR #1098, CVE-2013-5123)

GLSA Vote: No