Your message dated Sat, 06 Dec 2014 06:33:55 +0000 with message-id <[email protected]> and subject line Bug#725847: fixed in python-pip 1.5.6-4 has caused the Debian Bug report #725847, regarding python-pip: CVE-2014-8991: DoS by other users on the same system to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

-- 
725847: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725847
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: python-pip
Version: 1.4.1-2
Severity: normal
Tags: security
Usertags: tmp

pip uses a non-random per-user build directory that is in /tmp. This means that any user can prevent any other user from installing packages. There is the --build-directory option to override this but it isn't documented in the manual page, only the --help output. It would be much better to use the tempfile.mkdtemp() to create the build directory.

$ pip install foo
The temporary folder for building (/tmp/pip_build_pabs) is not owned by your user!
pip will not work until the temporary folder is either deleted or owned by your user account.
Traceback (most recent call last):
  File "/usr/bin/pip", line 9, in <module>
    load_entry_point('pip==1.4.1', 'console_scripts', 'pip')()
  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 345, in load_entry_point
    return get_distribution(dist).load_entry_point(group, name)
  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 2381, in load_entry_point
    return ep.load()
  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 2087, in load
    entry = __import__(self.module_name, globals(),globals(), ['__name__'])
  File "/usr/lib/python2.7/dist-packages/pip/__init__.py", line 10, in <module>
    from pip.util import get_installed_distributions, get_prog
  File "/usr/lib/python2.7/dist-packages/pip/util.py", line 15, in <module>
    from pip.locations import site_packages, running_under_virtualenv, virtualenv_no_global
  File "/usr/lib/python2.7/dist-packages/pip/locations.py", line 92, in <module>
    build_prefix = _get_build_prefix()
  File "/usr/lib/python2.7/dist-packages/pip/locations.py", line 82, in _get_build_prefix
    raise pip.exceptions.InstallationError(msg)
pip.exceptions.InstallationError: The temporary folder for building (/tmp/pip_build_pabs) is not owned by your user!

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (700, 'testing'), (600, 'unstable'), (550, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.11-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_AU.utf8, LC_CTYPE=en_AU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages python-pip depends on:
ii  ca-certificates       20130906
ii  python                2.7.5-5
ii  python-pkg-resources  0.6.49-2
ii  python-setuptools     0.6.49-2

Versions of packages python-pip recommends:
ii  build-essential  11.6
pn  python-dev-all   <none>

-- 
bye,
pabs

http://wiki.debian.org/PaulWise
--- End Message ---
--- Begin Message ---
Source: python-pip
Source-Version: 1.5.6-4

We believe that the bug you reported is fixed in the latest version of python-pip, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Scott Kitterman <[email protected]> (supplier of updated python-pip package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

Format: 1.8
Date: Wed, 03 Dec 2014 13:46:31 -0500
Source: python-pip
Binary: python-pip python3-pip python-pip-whl
Architecture: source all
Version: 1.5.6-4
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Modules Team <[email protected]>
Changed-By: Scott Kitterman <[email protected]>
Description:
 python-pip - alternative Python package installer
 python-pip-whl - alternative Python package installer
 python3-pip - alternative Python package installer - Python 3 version of the pa
Closes: 725847 769930 771794
Changes:
 python-pip (1.5.6-4) unstable; urgency=medium
 .
   * Team upload.
   * Backport upstream fix to use non-predictable download directories
     - Fixes denial of service vector (CVE-2014-8991) (Closes: #725847)
     - Fixes retry failures (Closes: #769930)
   * Add patch (reviewed by upstream, but not committed there yet) to prevent
     pip from removing system python packages (Closes: #771794)
--- End Message ---
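The two patterns discussed in this thread, side by side, as an added example that is not part of either message and is not pip's code: a fixed per-user directory name under a shared temporary root guarded by an ownership check, and the tempfile.mkdtemp() approach suggested in the report. The function names are hypothetical, and the "other user" is simulated by passing a uid different from the one that owns the directory.

```python
import os
import stat
import tempfile


class BuildDirError(Exception):
    """Raised when the fixed-name build directory cannot be trusted."""


def predictable_build_dir(tmp_root, username, uid):
    """'Before' pattern: fixed name under a shared root, then an owner check.

    Whoever creates this name first owns it, so the check fails for `uid`
    on every later run until the directory is removed.
    """
    path = os.path.join(tmp_root, "pip_build_" + username)
    try:
        os.mkdir(path, 0o700)
    except FileExistsError:
        pass  # created earlier by us, or by someone else
    st = os.lstat(path)  # lstat: do not follow a symlink left at this name
    if not stat.S_ISDIR(st.st_mode) or st.st_uid != uid:
        raise BuildDirError(
            "The temporary folder for building (%s) is not owned by your user!" % path)
    return path


def random_build_dir(tmp_root):
    """'After' pattern: mkdtemp picks an unpredictable name and creates it 0700."""
    return tempfile.mkdtemp(prefix="pip_build_", dir=tmp_root)


def demo():
    """Constructed scenario: the fixed name already exists under another uid."""
    with tempfile.TemporaryDirectory() as tmp_root:  # stands in for /tmp
        os.mkdir(os.path.join(tmp_root, "pip_build_alice"))  # pre-existing dir
        other_uid = os.getuid() + 1  # assumption: simulates a different user
        try:
            predictable_build_dir(tmp_root, "alice", other_uid)
            blocked = False
        except BuildDirError:
            blocked = True
        fresh = random_build_dir(tmp_root)  # unaffected by the existing name
        mode = stat.S_IMODE(os.stat(fresh).st_mode)
        return blocked, os.path.basename(fresh) != "pip_build_alice", mode


if __name__ == "__main__":
    print(demo())
```

The ownership check keeps the fixed-name variant from building inside someone else's directory, but it turns a pre-existing name into a hard failure; the random name removes the collision altogether.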
_______________________________________________
Python-modules-team mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/python-modules-team

