Safety vulnerability ID: 25959
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Pip 1.4 includes a security fix related to certificate DNS wildcard matching.
https://github.com/python/cpython/issues/62180
Latest version: 24.3.1
The PyPA recommended tool for installing Python packages.
* **BACKWARD INCOMPATIBLE** pip now only installs stable versions by default,
  and offers a new ``--pre`` option to also find pre-release and development
  versions. (:pull:`834`)
* **BACKWARD INCOMPATIBLE** Dropped support for Python 2.5. The minimum
  supported Python version for pip 1.4 is Python 2.6.
* Added support for installing and building wheel archives.
  Thanks Daniel Holth, Marcus Smith, Paul Moore, and Michele Lacchia
  (:pull:`845`)
* Applied security patch to pip's ssl support related to certificate DNS
  wildcard matching (http://bugs.python.org/issue17980).
* To satisfy pip's setuptools requirement, pip now recommends setuptools>=0.8,
  not distribute. setuptools and distribute are now merged into one project
  called 'setuptools'. (:pull:`1003`)
* pip will now warn when installing a file that is either hosted externally to
  the index or cannot be verified with a hash. In the future pip will default
  to not installing them and will require the flags --allow-external NAME, and
  --allow-insecure NAME respectively. (:pull:`985`)
* If an already-downloaded or cached file has a bad hash, re-download it rather
  than erroring out. (:issue:`963`).
* ``pip bundle`` and support for installing from pybundle files is now
  considered deprecated and will be removed in pip v1.5.
* Fixed a number of issues (:issue:`413`, :issue:`709`, :issue:`634`, :issue:`602`, and :issue:`939`) related to
  cleaning up and not reusing build directories. (:pull:`865`, :issue:`948`)
* Added a User Agent so that pip is identifiable in logs. (:pull:`901`)
* Added ssl and --user support to get-pip.py. Thanks Gabriel de Perthuis.
  (:pull:`895`)
* Fixed the proxy support, which was broken in pip 1.3.x (:pull:`840`)
* Fixed :issue:`32` - pip fails when server does not send content-type header.
  Thanks Hugo Lopes Tavares and Kelsey Hightower (:pull:`872`).
* "Vendorized" distlib as pip.vendor.distlib (https://distlib.readthedocs.io/).
* Fixed git VCS backend with git 1.8.3. (:pull:`967`)