- Bug
- Resolution: Unresolved
- Undefined
- rhel-10.0.beta, rhel-10.0
- None
- python-pip-23.3.2-2.el10
- None
- Low
- sst_cs_apps
- ssg_core_services
- 10
- 22
- 5
- False
- None
- None
- Pass
- None
- All
- None
RHEL's pip was patched to mitigate malicious tarfile extraction, but Fedora's pip was not. Upstream had not yet merged https://github.com/pypa/pip/pull/12214 when c10s was forked (and still has not).
tl;dr the pip in RHEL 10.0 will have a regression compared to RHEL 9.x unless we add the patch downstream.
To reproduce, run https://bugzilla.redhat.com/show_bug.cgi?id=2218247#c2
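As an added illustration of the class of problem this issue tracks (CVE-2007-4559: tar members whose names resolve outside the extraction directory), and not pip's downstream patch or the code in the upstream PR: a small Python check that refuses such members before extraction and, where the interpreter ships PEP 706 extraction filters, also applies the stdlib `data` filter. The archive is constructed inline; `build_tar`, `safe_extract` and the member names are this example's own.

```python
import io
import os
import tarfile
import tempfile


def build_tar(members):
    """Build an in-memory tar from (name, bytes) pairs.

    Constructed sample data for this example. Member names are written
    without validation on purpose, so a hostile name survives into the
    archive exactly as a malicious sdist would carry it.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in members:
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def is_within_directory(directory, target):
    """True if target, once normalised, still lies under directory."""
    abs_directory = os.path.abspath(directory)
    abs_target = os.path.abspath(target)
    return os.path.commonpath([abs_directory, abs_target]) == abs_directory


def safe_extract(tar_bytes, dest):
    """Extract tar_bytes into dest, skipping members that would escape it.

    Returns the list of rejected member names. On interpreters that provide
    tarfile.data_filter (3.12+ and the security backports), the stdlib
    'data' filter is applied as well; it additionally refuses absolute
    paths, links pointing outside dest, and device nodes.
    """
    rejected = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            target = os.path.join(dest, member.name)
            if not is_within_directory(dest, target):
                rejected.append(member.name)
                continue
            if hasattr(tarfile, "data_filter"):
                tar.extract(member, path=dest, filter="data")
            else:
                tar.extract(member, path=dest)
    return rejected


def sample_archive():
    """Constructed sdist-like archive: one legitimate file, one traversal."""
    return build_tar([
        ("pkg-1.0/setup.py", b"from setuptools import setup\nsetup(name='pkg')\n"),
        ("../escape.txt", b"would be written outside the extraction directory\n"),
    ])


def demo():
    """Extract the sample into a scratch directory; return (rejected, kept)."""
    with tempfile.TemporaryDirectory() as dest:
        rejected = safe_extract(sample_archive(), dest)
        kept = sorted(
            os.path.relpath(os.path.join(root, name), dest)
            for root, _, files in os.walk(dest)
            for name in files
        )
        return rejected, kept


if __name__ == "__main__":
    print(demo())
```

The path check runs before any write, so a rejected member leaves no trace on disk; the stdlib filter is kept as a second layer because it covers cases a plain prefix check does not (symlink targets, absolute names, special files).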
- is related to: RHEL-33847 Add our downstream config for CVE-2007-4559 (Release Pending)
- links to: RHBA-2024:131757 python-pip update