Update bundled pip to address CVE-2023-5752 in cpython 3.9 & 3.10 #131860
Comments
@sethmlarson @gpshead The CVE has a moderate severity and only affects users using Note that we can still update pip just after downloading it
@briensea thank you for opening the issue. As these are binaries distributed with Python, we generally have a trusted individual (e.g. a pip maintainer) make the pull request. A
Thanks, @AA-Turner. Is there a timeline for when this might be addressed? I understand that users can update pip after downloading, but for environments where the binaries are redistributed, relying on manual updates isn't always ideal. Avoiding custom patches would be preferable, so I'm curious if there are plans to update the bundled version directly.
3.9 and 3.10 are sources only and thus are usually expected to be used either by downstream distributions, which could apply their own patches, or by more experienced users who would compile Python from source. When I said that we can update pip, this is what pip suggests, namely "a new pip version is available, install it using Now, the CVE has a moderate severity, and it's only affecting Mercurial installations. I don't know how much it's used, but I don't think we necessarily need to publish a new source-only release for 3.9 and 3.10, hence why I asked Seth whether this should be treated as a security issue to patch.
See also gh-112516, gh-119778, gh-102202, etc. I would not expect updates to the bundled wheels in security branches unless there is a vulnerability identified that prevents safely using the bundled pip to update itself, and maybe not even then. In general, we assume that if a user is security-conscious enough to build and use a Python security-only release, they're also security-conscious enough to handle updating (or otherwise avoiding security issues from) I wonder if we should avoid this class of issues by removing
FWIW, this is no longer necessary. https://github.com/python/cpython/blob/main/.github/workflows/verify-ensurepip-wheels.yml ensures that the binaries provided have the appropriate checksums.
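The two checks a redistributor of a source-only CPython would actually want to run against the wheel under `Lib/ensurepip/_bundled/` are (a) is the bundled pip older than the release that fixes CVE-2023-5752, and (b) does the wheel on disk still match the digest published for it. The following is an added example written for this page; it is not the `verify-ensurepip-wheels.yml` workflow's code nor anything from the thread. All function names are mine, the sample bytes are a constructed stand-in for a wheel (not a real archive), and the `FIXED_IN = (23, 3)` cutoff is taken from pip's own advisory for the CVE, which this issue does not state, so treat it as an assumption to confirm against the pip changelog.

```python
"""Check a bundled pip wheel: version-below-fix test plus sha256 verification.

Added example; not code from cpython, pip, or the issue thread.
"""
import hashlib
import hmac
import io
import re
from typing import BinaryIO, Tuple, Union

# Bundled wheel filenames look like pip-23.0.1-py3-none-any.whl
_WHEEL_RE = re.compile(r"^pip-(?P<ver>[0-9]+(?:\.[0-9]+)*)-py3-none-any\.whl$")

# Assumption: first pip release fixing CVE-2023-5752, per pip's advisory
# (not stated on this issue page). Adjust if the changelog says otherwise.
FIXED_IN: Tuple[int, ...] = (23, 3)


def parse_version(ver: str) -> Tuple[int, ...]:
    """'23.0.1' -> (23, 0, 1). Release versions of pip are plain dotted ints."""
    return tuple(int(part) for part in ver.split("."))


def wheel_version(filename: str) -> Tuple[int, ...]:
    """Extract the pip version encoded in a bundled wheel's filename."""
    m = _WHEEL_RE.match(filename)
    if m is None:
        raise ValueError(f"not a bundled pip wheel name: {filename!r}")
    return parse_version(m.group("ver"))


def is_fixed_version(filename: str, fixed_in: Tuple[int, ...] = FIXED_IN) -> bool:
    """True if the wheel's version is >= the fixed release.

    Both tuples are zero-padded so (23, 3) and (23, 3, 0) compare equal.
    """
    v = wheel_version(filename)
    n = max(len(v), len(fixed_in))
    return v + (0,) * (n - len(v)) >= fixed_in + (0,) * (n - len(fixed_in))


def sha256_hex(data: Union[bytes, BinaryIO], chunk_size: int = 1 << 16) -> str:
    """Stream the wheel through sha256 so large files are not read at once."""
    stream = io.BytesIO(data) if isinstance(data, (bytes, bytearray)) else data
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def hash_matches(data: Union[bytes, BinaryIO], expected: str) -> bool:
    """Compare against a published digest; accepts pip's 'sha256:<hex>' form."""
    if expected.startswith("sha256:"):
        expected = expected[len("sha256:"):]
    # constant-time compare; digests are not secret, but it is the right habit
    return hmac.compare_digest(sha256_hex(data), expected.lower())


def verify_bundled_wheel(data: bytes, filename: str, expected_sha256: str) -> dict:
    """Return both verdicts so a caller can fail on either independently."""
    return {
        "version_fixed": is_fixed_version(filename),
        "hash_ok": hash_matches(data, expected_sha256),
    }


# Constructed sample: a few bytes standing in for a wheel, NOT a real archive.
SAMPLE_WHEEL = b"PK\x03\x04constructed-stand-in-for-a-wheel"
SAMPLE_NAME = "pip-23.0.1-py3-none-any.whl"
# In practice the expected digest comes from PyPI (or a pinned requirements
# file); here it is derived from the sample so the example runs offline.
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_WHEEL).hexdigest()

if __name__ == "__main__":
    print(verify_bundled_wheel(SAMPLE_WHEEL, SAMPLE_NAME, SAMPLE_SHA256))
    # {'version_fixed': False, 'hash_ok': True}: intact wheel, but too old
```

A passing hash check only proves the wheel is the one that was published; it says nothing about whether that published version carries the CVE, which is why the version test is reported separately rather than folded into a single boolean.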
Closing, for reasons mentioned above. If anyone wants to pursue the removal of wheels from security releases, a new issue for that can be opened. |
Description:
A security vulnerability, CVE-2023-5752, has been identified in older versions of pip. The versions of pip bundled with CPython 3.9 and 3.10 are affected.
This results in users being required to manually update pip to mitigate the security vulnerability.