Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Undefined
Fix Version/s: rhel-10.0.beta
Affects Version/s: rhel-10.0.beta, rhel-10.0
Component/s: python-pip
Labels:
None

Fixed in Build:
python-pip-23.3.2-2.el10
Regression:
None
Severity:
Low

Pool Team:

sst_cs_apps
Sub-System Group:

ssg_core_services

Dev Target Milestone:
10
Internal Target Milestone:
22
Story Points:
5
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
None
Sprint:
None

Git Pull Request:
https://gitlab.com/redhat/centos-stream/rpms/python-pip/-/merge_requests/19
Preliminary Testing:
Pass
Errata Link:
https://errata.engineering.redhat.com/advisory/131757
Test Coverage:
None

Experience:
Architecture:

All

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

RHEL's pip was patched to mitigate malicious tarfile extract, but Fedora's pip was not patched. Upstream has not yet merged https://github.com/pypa/pip/pull/12214 when c10s was forked (and still hasn't now).

tl;dr the pip in RHEL 10.0 will have a regression compared to RHEL 9.x unless we add the patch donwstream.

To reproduce, run https://bugzilla.redhat.com/show_bug.cgi?id=2218247#c2

is related to

RHEL-33847 Add our downstream config for CVE-2007-4559

Release Pending

links to

RHBA-2024:131757 python-pip update

Assignee:: python-maint

Reporter:: Miro Hrončok

Developer:: Charalampos Stratakis

QA Contact:: Lukas Zachar

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Created:: 2024/02/16 11:20 AM

Updated:: 2024/10/04 7:46 AM

Dev Target end:: 2024/05/06

Target end:: 2024/07/29

Details

Description

Attachments

Issue Links

Activity

People

Dates