python:3.11-slim-bookworm CVE-2023-5752 #889

Open
trottomv opened this issue Dec 2, 2023 · 5 comments
trottomv commented Dec 2, 2023

| Library | Vulnerability | Severity | Status | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|---|
| pip (METADATA) | CVE-2023-5752 | MEDIUM | fixed | 23.2.1 | 23.3 | pip: Mercurial configuration injectable in repo revision when installing via pip |
trottomv changed the title from "CVE-2023-5752" to "python:3.11-slim-bookworm CVE-2023-5752" on Dec 2, 2023
LaurentGoderre (Member) commented Dec 4, 2023

LaurentGoderre (Member) commented Dec 4, 2023

python/cpython#112517

trottomv (Author) commented Dec 5, 2023

Hi @LaurentGoderre

Is it not necessary to modify the pip version here as well?

```dockerfile
ENV PYTHON_PIP_VERSION 23.2.1
```

(and in the "not slim" bookworm also)

```dockerfile
ENV PYTHON_PIP_VERSION 23.2.1
```

LaurentGoderre (Member) commented

@trottomv that version is derived from the location I pointed to in the update script.

rv0lt commented Jan 12, 2024

As far as I am aware, that issue is only going to be fixed in Python 3.13 (currently in alpha). The maintainers decided against backporting to previous versions.

python/cpython#112719
