GLSA Advocate
Posted: Thu Sep 12, 2013 9:26 pm Post subject: [ GLSA 201309-05 ] pip: Multiple vulnerabilities
Gentoo Linux Security Advisory
Title: pip: Multiple vulnerabilities (GLSA 201309-05)
Severity: normal
Exploitable: local, remote
Date: September 12, 2013
Bug(s): #462616, #480202
ID: 201309-05
Synopsis
Multiple vulnerabilities have been found in pip, which may allow
remote attackers to execute arbitrary code or local attackers to conduct
symlink attacks.
Background
pip is a tool for installing and managing Python packages.
Affected Packages
Package: dev-python/pip
Vulnerable: < 1.3.1
Unaffected: >= 1.3.1
Architectures: All supported architectures
Description
Multiple vulnerabilities have been discovered in pip. Please review the
CVE identifiers referenced below for details.
Impact
A remote attacker could conduct a Man-in-the-Middle attack to cause pip
to execute arbitrary code. A local attacker could perform symlink attacks
to overwrite arbitrary files with the privileges of the user running the
application.
Workaround
There is no known workaround at this time.
Resolution
All pip users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-python/pip-1.3.1"
References
CVE-2013-1629
CVE-2013-1888