-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3656
                        USN-4601-1: pip vulnerability
                               23 October 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           pip
Publisher:         Ubuntu
Operating System:  Ubuntu
Impact/Access:     Overwrite Arbitrary Files -- Remote/Unauthenticated
                   Reduced Security          -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-20916
Reference:         ESB-2020.3613
                   ESB-2020.3591
                   ESB-2020.3137

Original Bulletin:
   https://usn.ubuntu.com/4601-1/

- --------------------------BEGIN INCLUDED TEXT--------------------

USN-4601-1: pip vulnerability
22 October 2020

pip could be made to overwrite files as the administrator.

Releases

  o Ubuntu 18.04 LTS

Packages

  o python-pip - Python package installer

Details

It was discovered that pip did not properly sanitize the filename during pip
install. A remote attacker could possibly use this issue to read and write
arbitrary files on the host filesystem as root, resulting in a directory
traversal attack. (CVE-2019-20916)

Update instructions

The problem can be corrected by updating your system to the following package
versions:

Ubuntu 18.04

  o python-pip  - 9.0.1-2.3~ubuntu1.18.04.4
  o python3-pip - 9.0.1-2.3~ubuntu1.18.04.4

In general, a standard system update will make all the necessary changes.

References

  o CVE-2019-20916

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager.
If you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBX5JSXONLKJtyKPYoAQhtAA/+NNZ6ZvplPpQ5FQER+YIiicHTHrvitvPL
1CK5eZrWPldb+1lI+TxktcseBpniWH4vdHpLy2QeCfu6qlWsaf2rlZkDH6P9Ro2Y
j8aCkF0zJxvT8rVv/CR19frQICWJXHoUNHjhkDU4Pm1Gt0IUeTX16E/hrg7ueiAp
46ZFDSSUV5MPoKvA6+EktrBaRm/YgJzKvFU6gqvR25WBZPwVz9FZ3OWriGt+36Rl
P5LKVQzIu1PFMxU7rRueJn6uh8e7NyI866x3SLBOYI4kJaF+xNfFfGAKryTKJxqO
4ClDRMjf4+ECHR7lepdt0K1mDWVFiy+btdEJRZGJO5oXTQ+dROvRgvok1k9jprNM
Aia1Ocab0mskAUNXIGkRDB7w7ummMYC25KpSi6eCBLqBZOxe1kc/rAVsym47B6UT
6MBkJmA0J/8cWOcWUu/XKe7/4YlhqpKA+n0pBnqQl0pR8oM4ETKjTxRVQhhUvMfx
pGBqbVTM8NIU8X61sNMpSweOXscXmqJJn1VonRzaaLfxi+EnN6BBHs2p95LMu8e/
WKpqBV9tHEa7TglYt4qp/tsVBs96HqqZRI3CcE/w72qwKyHFJ1cCGic4WoAh7Nh0
cV3UeurztFvGWo33Rfa7hP3FnGz8+cJvzDa3dJA+KNtulHlsFXAGrde14PqZHMRt
whGa8WkIL6M=
=SMgg
-----END PGP SIGNATURE-----
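The "Details" section above describes a filename-sanitisation failure: the installer joined a filename it had not validated onto its download directory, so a name containing ".." could resolve to a path outside it. The following is an added example, not code from pip, Ubuntu or AusCERT. It places the vulnerable join beside a hardened one and audits a few sample Content-Disposition headers (the header pip reads the server's filename from). The download directory, function names and sample headers are constructed for the demonstration; the RFC 2231 "filename*=" form is deliberately not parsed.

```python
"""Filename sanitisation for a downloaded package, illustrating the bug class in
USN-4601-1 / CVE-2019-20916. Added example, not pip's or Ubuntu's code; the
directory, function names and sample headers below are constructed."""
import posixpath
import re

# Constructed download directory standing in for wherever the installer caches files.
DOWNLOAD_DIR = "/tmp/pip-download"

# Minimal parser for the filename parameter of a Content-Disposition header
# (RFC 2231 "filename*=" continuations are deliberately not handled here).
_FILENAME_RE = re.compile(r'filename\s*=\s*"?([^";]+)"?', re.IGNORECASE)


def filename_from_content_disposition(header_value: str) -> str:
    """Return the server-supplied filename; raise if the header carries none."""
    match = _FILENAME_RE.search(header_value)
    if not match:
        raise ValueError("no filename in Content-Disposition; fall back to the URL path")
    return match.group(1).strip()


def unsafe_download_path(server_filename: str) -> str:
    """The vulnerable pattern: trust the server's filename and join it onto the
    download directory. A name containing '..' resolves to a path outside it."""
    return posixpath.normpath(posixpath.join(DOWNLOAD_DIR, server_filename))


def safe_filename(server_filename: str) -> str:
    """Reduce an untrusted filename to a single path component, with no directory
    part and no special entries. Raises ValueError if nothing usable remains."""
    # Treat both separator styles as directory separators before taking the last part.
    name = server_filename.replace("\\", "/").rsplit("/", 1)[-1]
    if name in ("", ".", ".."):
        raise ValueError(f"unusable filename from server: {server_filename!r}")
    return name


def safe_download_path(server_filename: str) -> str:
    """Hardened join: sanitise first, then confirm the result stayed inside DOWNLOAD_DIR."""
    path = posixpath.normpath(posixpath.join(DOWNLOAD_DIR, safe_filename(server_filename)))
    if posixpath.commonpath([DOWNLOAD_DIR, path]) != DOWNLOAD_DIR:
        raise ValueError(f"resolved path escapes download directory: {path}")
    return path


def audit_header(header_value: str) -> dict:
    """For one header, report where a trusting join would have written, where the
    hardened join writes (None if the name is unusable), and whether the name
    would have escaped the download directory."""
    name = filename_from_content_disposition(header_value)
    unsafe = unsafe_download_path(name)
    try:
        safe = safe_download_path(name)
    except ValueError:
        safe = None
    return {
        "server_name": name,
        "unsafe_path": unsafe,
        "safe_path": safe,
        "escapes": posixpath.commonpath([DOWNLOAD_DIR, unsafe]) != DOWNLOAD_DIR,
    }


# Constructed sample headers: one ordinary wheel, one traversal attempt, and one
# name that is nothing but a directory reference.
SAMPLE_HEADERS = [
    'attachment; filename="example_pkg-1.0-py3-none-any.whl"',
    'attachment; filename="../../outside/escaped.txt"',
    'attachment; filename=".."',
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(audit_header(header))
```

Running the block prints one audit record per sample header. The benign wheel name lands in the download directory under both joins; the traversal name resolves to /outside/escaped.txt under the trusting join but to /tmp/pip-download/escaped.txt once reduced to its basename; the bare ".." is rejected outright. The commonpath check after sanitising is redundant with the basename step but is cheap insurance against a future change to safe_filename.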