Test ID: 1.3.6.1.4.1.25623.1.1.4.2020.3737.1
Category: SuSE Local Security Checks
Title: SUSE: Security Advisory (SUSE-SU-2020:3737-1)
Summary: The remote host is missing an update for the 'python-pip, python-scripttest' package(s) announced via the SUSE-SU-2020:3737-1 advisory.
Description:

Vulnerability Insight:
This update for python-pip, python-scripttest fixes the following issues:

Update in SLE-15 (bsc#1175297, jsc#ECO-3035, jsc#PM-2318)

python-pip was updated to 20.0.2:

Fix a regression in generation of compatibility tags

Rename an internal module, to avoid ImportErrors due to improper
uninstallation

Switch to a dedicated CLI tool for vendoring dependencies.

Remove wheel tag calculation from pip and use packaging.tags. This
should provide more tags ordered better than in prior releases.

Deprecate setup.py-based builds that do not generate an .egg-info
directory.

The pip>=20 wheel cache is not retro-compatible with previous versions.
Until pip 21.0, pip will continue to take advantage of existing legacy
cache entries.

Deprecate undocumented --skip-requirements-regex option.

Deprecate passing install-location-related options via --install-option.

Use literal 'abi3' for wheel tag on CPython 3.x, to align with PEP 384
which only defines it for this platform.

Remove interpreter-specific major version tag e.g. cp3-none-any from
consideration. This behavior was not documented strictly, and this tag
in particular is not useful. Anyone with a use case can create an issue
with pypa/packaging.

Wheel processing no longer permits wheels containing more than one
top-level .dist-info directory.

Support for the git+git@ form of VCS requirement is being deprecated
and will be removed in pip 21.0. Switch to git+https:// or git+ssh://.
git+git:// also works but its use is discouraged as it is insecure.

Default to doing a user install (as if --user was passed) when the main
site-packages directory is not writeable and user site-packages are
enabled.

Warn if a path in PATH starts with tilde during pip install.

Cache wheels built from Git requirements that are considered immutable,
because they point to a commit hash.

Add option --no-python-version-warning to silence warnings related to
deprecation of Python versions.

Cache wheels that pip wheel built locally, matching what pip install
does. This particularly helps performance in workflows where pip wheel
is used for building before installing. Users desiring the original
behavior can use pip wheel --no-cache-dir

Display CA information in pip debug.

Show only the filename (instead of full URL), when downloading from
PyPI.

Suggest a more robust command to upgrade pip itself to avoid confusion
when the current pip command is not available as pip.

Define all old pip console script entrypoints to prevent import issues
in stale wrapper scripts.

The build step of pip wheel now builds all wheels to a cache first,
then copies them to the wheel directory all at once. Before, it built
them to a temporary directory and moved them to the wheel directory one
by one.

Expand ~ prefix to user directory in path options, configs, and
environment variables. Values that may be either URL or path ... [Please see the references for more information on the vulnerabilities]

Affected Software/OS:
'python-pip, python-scripttest' package(s) on SUSE Linux Enterprise Module for Basesystem 15-SP1, SUSE Linux Enterprise Module for Basesystem 15-SP2, SUSE Linux Enterprise Module for Python2 15-SP1, SUSE Linux Enterprise Module for Python2 15-SP2.

Solution:
Please install the updated package(s).

CVSS Score:
5.0

CVSS Vector:
AV:N/AC:L/Au:N/C:N/I:P/A:N

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2019-20916
https://github.com/gzpan123/pip/commit/a4c735b14a62f9cb864533808ac63936704f2ace
https://github.com/pypa/pip/compare/19.1.1...19.2
https://github.com/pypa/pip/issues/6413
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujul2022.html
https://lists.debian.org/debian-lts-announce/2020/09/msg00010.html
SuSE Security Announcement: openSUSE-SU-2020:1598
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00005.html
SuSE Security Announcement: openSUSE-SU-2020:1613
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00010.html

Copyright: Copyright (C) 2021 Greenbone AG
