{"id":"MGASA-2015-0180","summary":"Updated python-pip packages fix security vulnerabilities","details":"Updated python-pip and python-virtualenv packages fix security vulnerability:\n\nThe mirroring support in python-pip was implemented without any sort of\nauthenticity checks and is downloaded over plaintext HTTP. Further more by\ndefault it will dynamically discover the list of available mirrors by\nquerying a DNS entry and extrapolating from that data. It does not attempt\nto use any sort of method of securing this querying of the DNS like DNSSEC.\nSoftware packages are downloaded over these insecure links, unpacked, and\nthen typically the setup.py python file inside of them is executed\n(CVE-2013-5123).\n\nThis was fixed in python-pip by removing the mirroring support (i.e., the\n--use-mirrors, -M, and --mirrors flags). With the updated version, in order\nto use a mirror, one must specify it as the primary index with -i or\n--index-url, or as an additional index with --extra-index-url.\n\nThe python-virtualenv package bundles a copy of python-pip, so it has also\nbeen updated to fix this issue.\n\nThe python-virtualenv package bundles python-requests as well, so this update\nfixes the session fixation issue CVE-2015-2296 in the bundled python-requests.\n","modified":"2026-04-16T06:22:25.337657348Z","published":"2015-05-03T00:19:16Z","upstream":["CVE-2013-5123"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2015-0180.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=15748"},{"type":"WEB","url":"https://pip.pypa.io/en/latest/news.html"},{"type":"ADVISORY","url":"http://advisories.mageia.org/MGASA-2015-0120.html"},{"type":"WEB","url":"https://lists.fedoraproject.org/pipermail/package-announce/2015-April/155248.html"}],"affected":[{"package":{"name":"python-pip","ecosystem":"Mageia:4","purl":"pkg:rpm/mageia/python-pip?arch=source&distro=mageia-4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.1.1-1.mga4"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2015-0180.json"}},{"package":{"name":"python-virtualenv","ecosystem":"Mageia:4","purl":"pkg:rpm/mageia/python-virtualenv?arch=source&distro=mageia-4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"12.1.1-1.mga4"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2015-0180.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}