MGASA-2021-0054

Source
https://advisories.mageia.org/MGASA-2021-0054.html
Import Source
https://advisories.mageia.org/MGASA-2021-0054.json
JSON Data
https://api.osv.dev/v1/vulns/MGASA-2021-0054
Related
Published
2021-01-25T15:25:52Z
Modified
2021-01-25T14:34:38Z
Summary
Updated python-pip packages fix security vulnerabilities
Details

It was discovered that pip did not properly sanitize the filename during pip install. A remote attacker could possibly use this issue to read and write arbitrary files on the host filesystem as root, resulting in a directory traversal attack (CVE-2019-20916).

urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). The python-pip package bundles a copy of python-urllib3, which was affected by this issue. The bundled copy was patched to fix the issue (CVE-2020-26137).

References
Credits

Affected packages

Mageia:7 / python-pip

Package

Name
python-pip
Purl
pkg:rpm/mageia/python-pip?distro=mageia-7

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
19.0.3-1.3.mga7

Ecosystem specific

{
    "section": "core"
}