Debian Security Advisory

DLA-2370-1 python-pip -- LTS security update

Date Reported:
11 Sep 2020
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2019-20916.
More information:

It was discovered that there was a directory traversal attack in pip, the Python package installer.

When an URL was given in an install command, as a Content-Disposition header was permitted to have ../ components in their filename, arbitrary local files (eg. /root/.ssh/authorized_keys) could be overidden.

  • CVE-2019-20916

    The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/

For Debian 9 Stretch, these problems have been fixed in version 9.0.1-2+deb9u2.

We recommend that you upgrade your python-pip packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: