Описание
Security update for python-pip
This update for python-pip fixes the following issues:
- CVE-2023-5752: Fixed injection of arbitrary configuration through Mercurial parameter (bsc#1217353).
Список пакетов
Image SLES12-SP5-Azure-BYOS
python3-pip-10.0.1-13.14.1
Image SLES12-SP5-Azure-Basic-On-Demand
python3-pip-10.0.1-13.14.1
Image SLES12-SP5-Azure-HPC-BYOS
python3-pip-10.0.1-13.14.1
Image SLES12-SP5-Azure-HPC-On-Demand
python3-pip-10.0.1-13.14.1
Image SLES12-SP5-Azure-SAP-BYOS
python3-pip-10.0.1-13.14.1
Image SLES12-SP5-Azure-SAP-On-Demand
python3-pip-10.0.1-13.14.1
Image SLES12-SP5-Azure-Standard-On-Demand
python3-pip-10.0.1-13.14.1
SUSE Linux Enterprise Server 12 SP5
python-pip-10.0.1-13.14.1
python3-pip-10.0.1-13.14.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5
python-pip-10.0.1-13.14.1
python3-pip-10.0.1-13.14.1
Ссылки
- Link for SUSE-SU-2023:4987-1
- E-Mail link for SUSE-SU-2023:4987-1
- SUSE Security Ratings
- SUSE Bug 1217353
- SUSE CVE CVE-2023-5752 page
Описание
When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.
Затронутые продукты
Image SLES12-SP5-Azure-BYOS:python3-pip-10.0.1-13.14.1
Image SLES12-SP5-Azure-Basic-On-Demand:python3-pip-10.0.1-13.14.1
Image SLES12-SP5-Azure-HPC-BYOS:python3-pip-10.0.1-13.14.1
Image SLES12-SP5-Azure-HPC-On-Demand:python3-pip-10.0.1-13.14.1
Ссылки
- CVE-2023-5752
- SUSE Bug 1217353