Your message dated Wed, 11 Jun 2014 11:00:07 +0000
with message-id <e1wuggf-00072f...@franck.debian.org>
and subject line Bug#719767: fixed in python-virtualenv 1.11.6-1
has caused the Debian Bug report #719767,
regarding python-virtualenv: Embedded copies of pip and setuptools
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
719767: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=719767
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: python-virtualenv
Version: 1.7.1.2-2
Severity: serious
Tags: security
Justification: security

Hello,

It seems as if python-virtualenv embeds a copy of pip[0], and there is
a security issue with python-pip noted as CVE-2013-1629 which affects
squeeze and wheezy (it appears fixed in sid and jessie). This issue
is currently marked as 'reserved' by MITRE, but it is clearly defined
on the internet[1],[2].

Please coordinate with the Debian security team to update this package
as soon as possible to resolve this issue. Please reference this CVE
and bug number in any changelog dealing with this problem.

Micah


0. This is in violation of Debian Policy '4.13 Convenience copies of
code' and should be fixed to depend on the version of python-pip in
the archive.

1. http://www.reddit.com/r/Python/comments/17rfh7/warning_dont_use_pip_in_an_untrusted_network_a/
2. https://github.com/TheTorProject/ooni-backend/pull/1#discussion_r4084881

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.8-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

--- End Message ---
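The report above objects to a vendored ("convenience") copy of pip shipped inside another package, because a fix applied to the archive's python-pip never reaches the embedded copy. The following is an added example, written for this page and not code from the bug report, from python-virtualenv or from Debian: a small audit that walks a package tree, recognises bundled pip/setuptools artifacts (sdists, eggs and wheels) by filename, and flags any copy older than a configured minimum version. The filename pattern, the sample listing and the `1.3` threshold in `DEFAULT_MINIMUMS` are my assumptions; the report names the CVE but no fixed version, so set the thresholds from the advisory you are checking against.

```python
"""Audit a directory tree for bundled copies of pip/setuptools.

Added example; not part of the bug report, of python-virtualenv or of Debian.
"""
import os
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Filenames of the artifacts virtualenv used to ship alongside itself:
# sdists (pip-1.1.tar.gz), eggs (setuptools-0.6c11-py2.7.egg) and
# wheels (pip-1.5.6-py2.py3-none-any.whl).  The pattern is my own.
BUNDLED_RE = re.compile(
    r"^(?P<name>pip|setuptools|distribute)-(?P<version>[0-9][0-9A-Za-z.]*?)"
    r"(?:-py[0-9.]+(?:\.py[0-9.]+)?(?:-[A-Za-z0-9_]+){0,2})?"
    r"\.(?:whl|tar\.gz|tgz|zip|egg)$"
)

# ASSUMED thresholds: the oldest version the auditor accepts as carrying the
# fix it is looking for.  The bug report does not state a fixed version, so
# fill this in from the advisory you are checking against.
DEFAULT_MINIMUMS: Dict[str, str] = {"pip": "1.3"}


def parse_bundled_filename(filename: str) -> Optional[Tuple[str, str]]:
    """Return (distribution, version) for a bundled artifact, else None."""
    m = BUNDLED_RE.match(filename)
    if not m:
        return None
    return m.group("name"), m.group("version")


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric comparison key: '1.5.6' -> (1, 5, 6).

    Pre-release letters ('0.6c11') are ignored, which is adequate for a
    lower-bound check; trailing zeros are dropped so '1.3' == '1.3.0'.
    """
    parts = [int(t) for t in re.findall(r"\d+", version)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def audit_paths(paths: Iterable[str],
                minimums: Optional[Dict[str, str]] = None) -> List[Dict[str, object]]:
    """Report every bundled artifact found among `paths`.

    Each bundled copy is reported regardless of version (Debian Policy 4.13
    wants the archive's package used instead); 'outdated' is True only when a
    minimum is configured for that distribution and the copy is older.
    """
    minimums = DEFAULT_MINIMUMS if minimums is None else minimums
    findings: List[Dict[str, object]] = []
    for path in paths:
        parsed = parse_bundled_filename(os.path.basename(path))
        if parsed is None:
            continue
        name, version = parsed
        floor = minimums.get(name)
        findings.append({
            "path": path,
            "name": name,
            "version": version,
            "outdated": floor is not None and version_key(version) < version_key(floor),
        })
    return findings


def audit_tree(root: str, minimums: Optional[Dict[str, str]] = None) -> List[Dict[str, object]]:
    """Walk `root` (for instance the /usr/share/python-virtualenv location
    mentioned in the changelog) and audit every file under it."""
    paths = (os.path.join(d, f) for d, _, files in os.walk(root) for f in files)
    return audit_paths(paths, minimums)


# Constructed sample listing modelled on an old python-virtualenv install;
# these are not files observed on any real system.
SAMPLE_PATHS = [
    "/usr/share/python-virtualenv/pip-1.1.tar.gz",
    "/usr/share/python-virtualenv/setuptools-0.6c11-py2.7.egg",
    "/usr/share/python-virtualenv/pip-1.5.6-py2.py3-none-any.whl",
    "/usr/share/python-virtualenv/README",
]

if __name__ == "__main__":
    import sys
    results = audit_tree(sys.argv[1]) if len(sys.argv) > 1 else audit_paths(SAMPLE_PATHS)
    for r in results:
        flag = "OUTDATED" if r["outdated"] else "bundled"
        print(f"{flag:9} {r['name']}-{r['version']}  {r['path']}")
```

Run with a directory argument to scan a real tree, or without arguments to see the constructed sample: the 1.1 sdist is reported as outdated, the 1.5.6 wheel and the setuptools egg are reported as bundled copies only, and the README is ignored. On a system where the package has been de-vendorized as the closing changelog describes, the scan of the package's own directory should return nothing at all.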
--- Begin Message ---
Source: python-virtualenv
Source-Version: 1.11.6-1

We believe that the bug you reported is fixed in the latest version of
python-virtualenv, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 719...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Barry Warsaw <ba...@debian.org> (supplier of updated python-virtualenv package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 10 Jun 2014 18:16:47 -0400
Source: python-virtualenv
Binary: python-virtualenv python3-virtualenv virtualenv
Architecture: source all
Version: 1.11.6-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Modules Team 
<python-modules-team@lists.alioth.debian.org>
Changed-By: Barry Warsaw <ba...@debian.org>
Description:
 python-virtualenv - Python virtual environment creator
 python3-virtualenv - Python virtual environment creator
 virtualenv - Python virtual environment creator
Closes: 719767 739195
Changes:
 python-virtualenv (1.11.6-1) unstable; urgency=medium
 .
   * Team upload.
     - New upstream release.
     - /usr/bin/virtualenv is now a Python 3 application.
     - Use -whl packages instead of embedded wheel copies.
       (Closes: #719767, Closes: #739195)
   * d/control:
     - Add binary packages python3-virtualenv (for the Python 3 compatible
       library), and virtualenv (for the /usr/bin executable and manpage).
       python-virtualenv now only contains the Python 2 compatible library,
       and for backward compatibility, it Recommends virtualenv.
       python-virtualenv no longer recommends pip.
     - Depend on the appropriate -whl packages to properly de-vendorize,
       and switch to python3 and python3-pkg-resources.
     - Build-Depends: add dh-python, and python3-all.
     - Build-Depends-Indep: add python-pip-whl and python-setuptools-whl.
     - Add myself to Uploaders.
     - Add X-Python3-Version.
     - Change Recommends to python3-pip.
     - wrap-and-sort
   * d/install: Don't install the .whl files into
     /usr/share/python-virtualenv.  Now we use the policy-approved location
     of /usr/share/python-wheels, and the archive's python-*-whl packages.
   * d/patches:
     - look_for_external_files.patch: Removed.  This patch is obsoleted by
       use-wheels.patch.
     - entry-points.patch: Update my email address.
     - python2-default.patch: Added; continue to use `python2` as default
       unless the -p/--python option is given.
     - use-wheels.patch: Added; use the system -whl packages instead of the
       vendorized versions.
     - system-python.patch: Update to /usr/bin/python3 shebang.
   * d/rules:
     - Switch to pybuild and simplify.  Now that we're using the
       system wheels, we don't need to repack the bundled versions.
     - Add support for dh_python3.
   * d/virtualenv.manpages: Replaces debian/manpages.
Checksums-Sha1:
 0ad54fa7f28351ce81be7220e58494e2c924f24e 2497 python-virtualenv_1.11.6-1.dsc
 d3f8e94bf825cc999924e276c8f1c63b8eeb0715 1610581 python-virtualenv_1.11.6.orig.tar.gz
 4c69c89497f1c53d0b5bd70c84b7216bdd9e853d 40924 python-virtualenv_1.11.6-1.debian.tar.xz
 dd78158d350577b806df98cce7bc43b83da04c42 62396 python-virtualenv_1.11.6-1_all.deb
 704be9059a9d769f06863f5c6ca79793d732de85 61786 python3-virtualenv_1.11.6-1_all.deb
 c28eaebe81b5cdad9a65268a13167806a2dd32dc 18738 virtualenv_1.11.6-1_all.deb
Checksums-Sha256:
 65241d45f740ce60f11c6a2e4d7878d0c11724d4bec47483ece4b362dd52500b 2497 python-virtualenv_1.11.6-1.dsc
 3e7a4c151e2ee97f51db0215bfd2a073b04a91e9786df6cb67c916f16abe04f7 1610581 python-virtualenv_1.11.6.orig.tar.gz
 0b9b72d0bdb0b33a4d5892a5b03f3fbb61bcb3501851ffad4bb61f0c67ef4b01 40924 python-virtualenv_1.11.6-1.debian.tar.xz
 f2e8d8eaa129e32671a125621af5006ecb09f8150fbda8554029f8a17b765af7 62396 python-virtualenv_1.11.6-1_all.deb
 7d8d6fef786e38551345edcb682390c303d9fd6792e71cddb574dc9d73bdcc42 61786 python3-virtualenv_1.11.6-1_all.deb
 26d8a29b4f180be323f569580ba54c2d862aa6e7264e4eb41911365b0fbf57c2 18738 virtualenv_1.11.6-1_all.deb
Files:
 988986e5b48f2c0b20f9cedbd6f601a6 62396 python optional python-virtualenv_1.11.6-1_all.deb
 3dceaa5a2cc9e94d4f4b78c3063cb78a 61786 python optional python3-virtualenv_1.11.6-1_all.deb
 b6870bb8da63d1c7fc4cd9216088139f 18738 python optional virtualenv_1.11.6-1_all.deb
 af4a57dc293429e4560c76bea8980a46 2497 python optional python-virtualenv_1.11.6-1.dsc
 f61cdd983d2c4e6aeabb70b1060d6f49 1610581 python optional python-virtualenv_1.11.6.orig.tar.gz
 2f266a62c61d59c20bccba117e4e18e1 40924 python optional python-virtualenv_1.11.6-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---
_______________________________________________
Python-modules-team mailing list
Python-modules-team@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/python-modules-team