-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3656
                       USN-4601-1: pip vulnerability
                              23 October 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           pip
Publisher:         Ubuntu
Operating System:  Ubuntu
Impact/Access:     Overwrite Arbitrary Files -- Remote/Unauthenticated
                   Reduced Security          -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-20916  

Reference:         ESB-2020.3613
                   ESB-2020.3591
                   ESB-2020.3137

Original Bulletin: 
   https://usn.ubuntu.com/4601-1/

- --------------------------BEGIN INCLUDED TEXT--------------------

USN-4601-1: pip vulnerability
22 October 2020

pip could be made to overwrite files as the administrator.
Releases

  o Ubuntu 18.04 LTS

Packages

  o python-pip - Python package installer

Details

It was discovered that pip did not properly sanitize the filename it derived
from a remote server's response during pip install. A remote attacker could
possibly use this issue, via directory traversal, to overwrite arbitrary files
on the host filesystem as root. (CVE-2019-20916)
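
The mechanism behind the flaw, as an added illustration that is not part of the
Ubuntu advisory or of pip's source: the filename pip used for a downloaded
package came from the HTTP response's Content-Disposition header, so a hostile
index or mirror could send a name containing "../" segments and have the file
land outside the download directory. The script below models the pre-fix path
handling next to a hardened version that keeps only the final path component
(the same idea as pip's fix) and then verifies the result stays inside the
download directory. The headers, the download directory and all function names
are constructed for the example; a POSIX host is assumed.

```python
import posixpath
from email.message import Message

# Constructed sample headers (not taken from the advisory or from pip): what a
# hostile index, mirror or on-path attacker could return with a package download.
DOWNLOAD_DIR = "/tmp/pip-downloads"   # assumed download location on a POSIX host
MALICIOUS_HEADER = 'attachment; filename="../../../../root/.ssh/authorized_keys"'
BENIGN_HEADER = 'attachment; filename="requests-2.24.0-py2.py3-none-any.whl"'


def filename_from_content_disposition(header_value):
    """Return the filename parameter of a Content-Disposition header value."""
    msg = Message()
    msg["Content-Disposition"] = header_value
    filename = msg.get_filename()
    if filename is None:
        raise ValueError("no filename parameter in Content-Disposition")
    return filename


def vulnerable_download_path(download_dir, header_value):
    """Pre-fix behaviour, modelled: the server-supplied name is joined onto the
    download directory as-is, so '..' segments walk out of it."""
    filename = filename_from_content_disposition(header_value)
    return posixpath.normpath(posixpath.join(download_dir, filename))


def sanitize_content_filename(filename):
    """Keep only the final path component of a server-supplied filename.

    Same idea as pip's fix (reduce the name to its basename); this code is an
    illustration, not pip's source. Backslashes are normalised too, because the
    header is attacker-controlled and the host may be Windows rather than POSIX.
    """
    base = posixpath.basename(filename.replace("\\", "/"))
    if base in ("", ".", ".."):
        raise ValueError("Content-Disposition filename has no usable basename")
    return base


def safe_download_path(download_dir, header_value):
    """Fixed behaviour: sanitise the name, then independently verify that the
    resulting path is still inside the download directory."""
    filename = sanitize_content_filename(filename_from_content_disposition(header_value))
    path = posixpath.normpath(posixpath.join(download_dir, filename))
    root = posixpath.normpath(download_dir)
    if posixpath.commonpath([root, path]) != root:
        raise ValueError("download path escapes the download directory: %s" % path)
    return path


def rejects(filename):
    """True if sanitize_content_filename refuses this name."""
    try:
        sanitize_content_filename(filename)
    except ValueError:
        return True
    return False


def demo():
    """Run both handlers over the constructed headers and return the outcomes."""
    results = {}
    for label, header in (("benign", BENIGN_HEADER), ("malicious", MALICIOUS_HEADER)):
        results[label] = {
            "vulnerable": vulnerable_download_path(DOWNLOAD_DIR, header),
            "fixed": safe_download_path(DOWNLOAD_DIR, header),
        }
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label)
        print("  vulnerable writes to:", outcome["vulnerable"])
        print("  fixed writes to:     ", outcome["fixed"])
```

Run as root, the vulnerable variant turns a package download into a write to
/root/.ssh/authorized_keys; the hardened variant writes authorized_keys into the
download directory instead. Note that the basename is still attacker-chosen, so
the check only controls where the file lands, not what it contains; pinning and
hash-checking the expected artifacts covers the content.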

Update instructions

The problem can be corrected by updating your system to the following package
versions:

Ubuntu 18.04

  o python-pip - 9.0.1-2.3~ubuntu1.18.04.4
  o python3-pip - 9.0.1-2.3~ubuntu1.18.04.4

In general, a standard system update will make all the necessary changes.

References

  o CVE-2019-20916

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBX5JSXONLKJtyKPYoAQhtAA/+NNZ6ZvplPpQ5FQER+YIiicHTHrvitvPL
1CK5eZrWPldb+1lI+TxktcseBpniWH4vdHpLy2QeCfu6qlWsaf2rlZkDH6P9Ro2Y
j8aCkF0zJxvT8rVv/CR19frQICWJXHoUNHjhkDU4Pm1Gt0IUeTX16E/hrg7ueiAp
46ZFDSSUV5MPoKvA6+EktrBaRm/YgJzKvFU6gqvR25WBZPwVz9FZ3OWriGt+36Rl
P5LKVQzIu1PFMxU7rRueJn6uh8e7NyI866x3SLBOYI4kJaF+xNfFfGAKryTKJxqO
4ClDRMjf4+ECHR7lepdt0K1mDWVFiy+btdEJRZGJO5oXTQ+dROvRgvok1k9jprNM
Aia1Ocab0mskAUNXIGkRDB7w7ummMYC25KpSi6eCBLqBZOxe1kc/rAVsym47B6UT
6MBkJmA0J/8cWOcWUu/XKe7/4YlhqpKA+n0pBnqQl0pR8oM4ETKjTxRVQhhUvMfx
pGBqbVTM8NIU8X61sNMpSweOXscXmqJJn1VonRzaaLfxi+EnN6BBHs2p95LMu8e/
WKpqBV9tHEa7TglYt4qp/tsVBs96HqqZRI3CcE/w72qwKyHFJ1cCGic4WoAh7Nh0
cV3UeurztFvGWo33Rfa7hP3FnGz8+cJvzDa3dJA+KNtulHlsFXAGrde14PqZHMRt
whGa8WkIL6M=
=SMgg
-----END PGP SIGNATURE-----