Debian Security Advisory
DLA-2370-1 python-pip -- LTS security update
- Date Reported:
- 11 Sep 2020
- Affected Packages:
- Security database references:
- In Mitre's CVE dictionary: CVE-2019-20916.
- More information:
It was discovered that there was a directory traversal attack in pip, the Python package installer.
When an URL was given in an install command, as a Content-Disposition header was permitted to have ../ components in their filename, arbitrary local files (eg. /root/.ssh/authorized_keys) could be overidden.
The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.
For Debian 9
Stretch, these problems have been fixed in version 9.0.1-2+deb9u2.
We recommend that you upgrade your python-pip packages.
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS