Mageia Linux Local Security Checks : Mageia: Security Advisory (MGASA-2015-0180)

Anfälligkeitssuche		Suche in 324607 CVE Beschreibungen und 145615 Test Beschreibungen, Zugriff auf 10,000+ Quellverweise.
	Tests CVE Alle

Test Kennung: 1.3.6.1.4.1.25623.1.1.10.2015.0180

Kategorie: Mageia Linux Local Security Checks

Titel: Mageia: Security Advisory (MGASA-2015-0180)

Zusammenfassung: The remote host is missing an update for the 'python-pip, python-virtualenv' package(s) announced via the MGASA-2015-0180 advisory.

Beschreibung: Summary:
The remote host is missing an update for the 'python-pip, python-virtualenv' package(s) announced via the MGASA-2015-0180 advisory.

Vulnerability Insight:
Updated python-pip and python-virtualenv packages fix security vulnerability:

The mirroring support in python-pip was implemented without any sort of
authenticity checks and is downloaded over plaintext HTTP. Further more by
default it will dynamically discover the list of available mirrors by
querying a DNS entry and extrapolating from that data. It does not attempt
to use any sort of method of securing this querying of the DNS like DNSSEC.
Software packages are downloaded over these insecure links, unpacked, and
then typically the setup.py python file inside of them is executed
(CVE-2013-5123).

This was fixed in python-pip by removing the mirroring support (i.e., the
--use-mirrors, -M, and --mirrors flags). With the updated version, in order
to use a mirror, one must specify it as the primary index with -i or
--index-url, or as an additional index with --extra-index-url.

The python-virtualenv package bundles a copy of python-pip, so it has also
been updated to fix this issue.

The python-virtualenv package bundles python-requests as well, so this update
fixes the session fixation issue CVE-2015-2296 in the bundled python-requests.

Affected Software/OS:
'python-pip, python-virtualenv' package(s) on Mageia 4.

Solution:
Please install the updated package(s).

CVSS Score:
4.3

CVSS Vector:
AV:N/AC:M/Au:N/C:N/I:P/A:N

Querverweis: Common Vulnerability Exposure (CVE) ID: CVE-2013-5123
http://lists.fedoraproject.org/pipermail/package-announce/2015-April/155248.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-April/155291.html
http://www.openwall.com/lists/oss-security/2013/08/21/17
http://www.openwall.com/lists/oss-security/2013/08/21/18
http://www.securityfocus.com/bid/77520
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-5123
https://bugzilla.suse.com/show_bug.cgi?id=CVE-2013-5123
https://security-tracker.debian.org/tracker/CVE-2013-5123

Copyright Copyright (C) 2022 Greenbone AG

Dies ist nur einer von 145615 Anfälligkeitstests in unserem Testpaket. Finden Sie mehr über unsere vollständigen Sicherheitsüberprüfungen heraus.
Um einen gratis Test für diese Anfälligkeit auf Ihrem System durchlaufen zu lassen, registrieren Sie sich bitte unten.

Test Kennung:	1.3.6.1.4.1.25623.1.1.10.2015.0180
Kategorie:	Mageia Linux Local Security Checks
Titel:	Mageia: Security Advisory (MGASA-2015-0180)
Zusammenfassung:	The remote host is missing an update for the 'python-pip, python-virtualenv' package(s) announced via the MGASA-2015-0180 advisory.
Beschreibung:	Summary: The remote host is missing an update for the 'python-pip, python-virtualenv' package(s) announced via the MGASA-2015-0180 advisory. Vulnerability Insight: Updated python-pip and python-virtualenv packages fix security vulnerability: The mirroring support in python-pip was implemented without any sort of authenticity checks and is downloaded over plaintext HTTP. Further more by default it will dynamically discover the list of available mirrors by querying a DNS entry and extrapolating from that data. It does not attempt to use any sort of method of securing this querying of the DNS like DNSSEC. Software packages are downloaded over these insecure links, unpacked, and then typically the setup.py python file inside of them is executed (CVE-2013-5123). This was fixed in python-pip by removing the mirroring support (i.e., the --use-mirrors, -M, and --mirrors flags). With the updated version, in order to use a mirror, one must specify it as the primary index with -i or --index-url, or as an additional index with --extra-index-url. The python-virtualenv package bundles a copy of python-pip, so it has also been updated to fix this issue. The python-virtualenv package bundles python-requests as well, so this update fixes the session fixation issue CVE-2015-2296 in the bundled python-requests. Affected Software/OS: 'python-pip, python-virtualenv' package(s) on Mageia 4. Solution: Please install the updated package(s). CVSS Score: 4.3 CVSS Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Querverweis:	Common Vulnerability Exposure (CVE) ID: CVE-2013-5123 http://lists.fedoraproject.org/pipermail/package-announce/2015-April/155248.html http://lists.fedoraproject.org/pipermail/package-announce/2015-April/155291.html http://www.openwall.com/lists/oss-security/2013/08/21/17 http://www.openwall.com/lists/oss-security/2013/08/21/18 http://www.securityfocus.com/bid/77520 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-5123 https://bugzilla.suse.com/show_bug.cgi?id=CVE-2013-5123 https://security-tracker.debian.org/tracker/CVE-2013-5123
Copyright	Copyright (C) 2022 Greenbone AG