*** This bug is a security vulnerability ***

You have been subscribed to a public security bug by Marc Deslauriers 
(mdeslaur):

In pip 21.1 there is a security fix for an issue with git references:
https://github.com/pypa/pip/pull/9827

pip 21.1 release notes: https://pip.pypa.io/en/stable/news/

I think it would be great, if this security fix could be made available
to Ubuntu Focal.

I tested it with the ubuntu:focal docker container.

lsb-release:
```
$ lsb-release -rd
Description:    Ubuntu 20.04.2 LTS
Release:        20.04
```
```
$ apt-cache policy python3-pip
python3-pip:
  Installed: (none)
  Candidate: 20.0.2-5ubuntu1.3
  Version table:
     20.0.2-5ubuntu1.3 500
        500 http://archive.ubuntu.com/ubuntu focal-updates/universe amd64 Packages
     20.0.2-5ubuntu1.1 500
        500 http://security.ubuntu.com/ubuntu focal-security/universe amd64 Packages
     20.0.2-5ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu focal/universe amd64 Packages
```

I expected that this security fix would be back-ported or that pip would be upgraded to 21.1.
Until now it seems not to have been back-ported, if I understand the commits
in the python3-pip package from this year correctly
(https://code.launchpad.net/~usd-import-team/ubuntu/+source/python-pip/+git/python-pip/+ref/ubuntu/focal-updates).
> Recent commits
>
> e36399c... by Stefano Rivera on 2021-02-27
>
>    20.0.2-5ubuntu1.3 (patches unapplied)
> 
>    Imported using git-ubuntu import.
> d635985... by Stefano Rivera on 2021-01-26
> 
>    20.0.2-5ubuntu1.2 (patches unapplied)
>
>    Imported using git-ubuntu import.


PS: I'm sorry if this issue is wrong, but I'm confused, because in my
container the package is called python3-pip, though here I can only
select python-pip.

** Affects: python-pip (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: community-security
-- 
security fix in pip 21.1: Don't split git references on unicode separators #9827
https://bugs.launchpad.net/bugs/1926957
You received this bug notification because you are a member of Ubuntu Bugs, 
which is subscribed to the bug report.

-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
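The fix the report asks to have back-ported is titled "Don't split git references on unicode separators". The following is an added example, not code from the bug report, from pip or from the Ubuntu package: it contrasts parsing `git show-ref` output with Python's `str.splitlines()`, which also breaks lines on code points such as U+2028 LINE SEPARATOR, against splitting only on `"\n"` and validating every record. It assumes that the pip 21.1 change replaced a `splitlines()`-based parse of `show-ref` output in this way; the sample output, the SHA values and the ref names are constructed, not captured from a real repository.

```python
"""Contrast an unsafe and a hardened parser for `git show-ref` output.

Added example (assumption: the pip 21.1 fix replaced str.splitlines() with
a split on "\n" when reading show-ref output). All sample data is constructed.
"""
import re
from typing import Dict, Optional, Tuple

SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed show-ref output (not from a real repository). The second ref
# name carries U+2028 LINE SEPARATOR: git does not forbid that byte sequence
# in a ref name, but str.splitlines() treats it as a line break, while git
# itself terminates each show-ref record with "\n" only.
GOOD_SHA = "a" * 40
OTHER_SHA = "b" * 40
SHOW_REF_OUTPUT = (
    f"{GOOD_SHA} refs/tags/v1.0\n"
    f"{OTHER_SHA} refs/heads/feature\u2028x\n"
)


def parse_show_ref_unsafe(output: str) -> Dict[str, str]:
    """Assumed pre-fix pattern: splitlines() plus whitespace split.

    Shown only for contrast. On the sample above splitlines() yields three
    fragments for the two records git printed, so the parse no longer
    reflects git's output; depending on the fragment contents this ends in
    an exception or in a ref name mapped to a SHA git never paired it with.
    """
    refs: Dict[str, str] = {}
    for line in output.strip().splitlines():
        sha, ref = line.split()  # ValueError when a fragment is not two fields
        refs[ref] = sha
    return refs


def parse_show_ref(output: str) -> Dict[str, str]:
    """Hardened parser: split on "\n" only and require "<40 hex sha> <ref>"."""
    refs: Dict[str, str] = {}
    for line in output.strip().split("\n"):
        line = line.rstrip("\r")
        if not line:
            continue
        parts = line.split(" ", maxsplit=2)
        # Exactly two fields, and the first must be a full hex object id;
        # anything else is reported rather than guessed at.
        if len(parts) != 2 or not SHA_RE.match(parts[0]):
            raise ValueError(f"unexpected show-ref line: {line!r}")
        sha, ref = parts
        refs[ref] = sha
    return refs


def resolve_revision(refs: Dict[str, str], rev: str) -> Tuple[Optional[str], bool]:
    """Look a requested revision up as a remote branch first, then as a tag.

    Returns (sha or None, is_branch). Because the dict keys are the complete
    ref names as git printed them, a name containing U+2028 can never be
    confused with "refs/tags/v1.0".
    """
    sha = refs.get(f"refs/remotes/origin/{rev}")
    if sha is not None:
        return sha, True
    return refs.get(f"refs/tags/{rev}"), False


def unsafe_parse_fails(output: str) -> bool:
    """True when the pre-fix parser cannot parse the sample consistently."""
    try:
        parse_show_ref_unsafe(output)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("splitlines() fragments:", len(SHOW_REF_OUTPUT.strip().splitlines()))
    print('split("\\n") records:  ', len(SHOW_REF_OUTPUT.strip().split("\n")))
    refs = parse_show_ref(SHOW_REF_OUTPUT)
    print("v1.0 resolves to:", resolve_revision(refs, "v1.0"))
    print("unsafe parser fails on sample:", unsafe_parse_fails(SHOW_REF_OUTPUT))
```

The hardened parser deliberately errors on any line it does not understand instead of skipping it: for a tool that decides which commit gets installed, a loud failure on unexpected input is the safe outcome.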
