-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2370-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Chris Lamb
September 11, 2020                            https://wiki.debian.org/LTS
- -------------------------------------------------------------------------
Package        : python-pip
Version        : 9.0.1-2+deb9u2
CVE ID         : CVE-2019-20916

It was discovered that pip, the Python package installer, was vulnerable
to a directory traversal attack. When a URL was given in an install
command, the filename taken from the server's Content-Disposition header
was permitted to contain "../" components, so a malicious server could
cause arbitrary local files (e.g. /root/.ssh/authorized_keys) to be
overwritten.

For Debian 9 "Stretch", this problem has been fixed in version
9.0.1-2+deb9u2.

We recommend that you upgrade your python-pip packages.

For the detailed security status of python-pip please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-pip

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAl9bTjcACgkQHpU+J9Qx
Hlhh1hAAsI+0E3D6LHzlTyomo6KUX4N+Mz2K2FIMPC+3Nb6zzPO0RWqFJfFPvMt8
2XaaBVZMkUselmg/tDqiChSNBCvOZSgRMutKUsTgzTwIGcdDVaJ63mvNyQx7e14w
ZVjJCAeUyi5rGBPsyj0aZpXZo5Z/OLdi+H+tbSfmGoIqs5O0OmL0iJ2fQ4SOupUM
M57c3gqIp9m3r862T8U6f1LhfzQbavvY0EJrVHPz0faUF+svb8+1b7DqGDJqrvIM
OHovogTafhOAE8HU5Sbv7ZbNkwMsdYFUa39AUvDhpWCVKKX8Jy7QVgC4L/wuGXb+
zclhA2l7Vt40ZtSnlrSVE1PlSljkUQ28Yzhws8U4dHV/aGcvUDtcsdjfwxdr7zlW
M5hf59kGD17xeEQxMiTf++uzbJwThbRe7k4y4zmgZdpydA5kiMkCnPU2ne+UmYAj
AJmf51NfWbT82E2bokInmhqdV1ZEeOMZXt/OOasG6I+7c50kGmtbJ1kMS7pPbG5q
+PgGtZ8FWyNf2EfORXmI4KvITVTUeFmoI8zxSSQMoI98N9mAi5isXZGm7P2ISQqV
Ylv8muqz+d2EqepCoGrEZntsJjC/fp+mXGPCLbETOyEHLdDV3vVHO8tm9puzIebY
eZ6eNN+Zl6gzyRHQS1Z8rKFWuYYS0gbN+MJqSgKsbQ/Qz5WylPU=
=ixof
-----END PGP SIGNATURE-----
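The bug class the advisory describes, shown as an added example (this is not pip's code and not the Debian patch): a server-controlled Content-Disposition filename joined straight onto a download directory, beside a hardened version that keeps only the final path component and verifies the resolved path stays inside that directory. The header values, the DOWNLOAD_DIR path and the parse_filename helper are constructed for illustration; the parser is deliberately simplified and does not handle RFC 2231 `filename*=` parameters.

```python
"""Content-Disposition filename handling: the traversal pattern behind
CVE-2019-20916 next to a hardened version.  Added illustration; this is
not pip's code and uses a simplified header parser (no RFC 2231 support)."""
import os
import posixpath
import re

# Hypothetical download directory; it does not need to exist on disk.
DOWNLOAD_DIR = "/tmp/pip-downloads"

# Constructed Content-Disposition values (not captured from any real server).
SAMPLE_HEADERS = {
    "benign":    'attachment; filename="requests-2.24.0.tar.gz"',
    "unquoted":  'attachment; filename=requests-2.24.0.tar.gz',
    "traversal": 'attachment; filename="../../../../root/.ssh/authorized_keys"',
    "absolute":  'attachment; filename="/etc/cron.d/backdoor"',
    "windows":   'attachment; filename="..\\..\\Users\\Public\\evil.exe"',
}

_FILENAME_RE = re.compile(r'filename\s*=\s*(?:"([^"]*)"|([^;\s]+))', re.IGNORECASE)


def parse_filename(header):
    """Return the filename parameter of a Content-Disposition value, or None.

    Simplified: handles quoted and bare tokens only, not filename*= (RFC 2231).
    """
    m = _FILENAME_RE.search(header)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def unsafe_target_path(download_dir, header):
    """Vulnerable pattern: join the server-supplied name onto download_dir
    as-is.  '../' components walk out of the directory, and an absolute
    name replaces it entirely (that is how os.path.join behaves)."""
    return os.path.normpath(os.path.join(download_dir, parse_filename(header)))


def escapes(download_dir, path):
    """True if path resolves outside download_dir (symlinks followed)."""
    root = os.path.realpath(download_dir)
    resolved = os.path.realpath(path)
    return os.path.commonpath([root, resolved]) != root


def safe_target_path(download_dir, header):
    """Hardened pattern: keep only the final path component, reject empty
    or dot names, and confirm the result still lies under download_dir."""
    name = parse_filename(header)
    if not name:
        raise ValueError("no filename in Content-Disposition header")
    # Treat backslashes as separators too: the server is untrusted and the
    # client may be running on Windows.
    name = posixpath.basename(name.replace("\\", "/"))
    if name in ("", ".", ".."):
        raise ValueError("unusable filename %r" % name)
    target = os.path.join(download_dir, name)
    if escapes(download_dir, target):
        raise ValueError("filename escapes download directory")
    return target


if __name__ == "__main__":
    for label, header in SAMPLE_HEADERS.items():
        unsafe = unsafe_target_path(DOWNLOAD_DIR, header)
        try:
            safe = safe_target_path(DOWNLOAD_DIR, header)
        except ValueError as exc:
            safe = "rejected (%s)" % exc
        print("%-9s unsafe=%s escapes=%s safe=%s"
              % (label, unsafe, escapes(DOWNLOAD_DIR, unsafe), safe))
```

The basename step is what removes the traversal; the final `escapes` check is a belt-and-braces guard so that a later change to how `name` is derived cannot silently reintroduce the bug. Note that on a Windows client the "windows" sample would also traverse through `unsafe_target_path`, which is why the hardened version normalises backslashes before taking the basename.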