PyPI: pip

CVE-2013-2099

Safety vulnerability ID: 25959

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Oct 09, 2013 Updated at Oct 27, 2024

Advisory

Pip 1.4 includes a security fix related to certificate DNS wildcard matching (CVE-2013-2099). Earlier releases verify the HTTPS certificate of the package index with a bundled backport of Python's ssl.match_hostname, which turned every "*" in a certificate DNS name into the regular-expression fragment "[^.]*", in any label of the name. A certificate whose name carries many wildcards in one label (for example a common name of the form "a*a*a*a*a*a*a*a*") therefore compiles to a pattern that backtracks exponentially when checked against a non-matching hostname, so a malicious index, mirror or man-in-the-middle can hold the pip client at 100% CPU (denial of service) rather than simply failing the TLS handshake. The fix, taken from CPython issue 17980, refuses names with more than one wildcard in the leftmost label and honours a wildcard only in that label, as RFC 6125 section 6.4.3 requires; confidentiality and integrity are not affected, which is why the CVSS score below counts only availability impact.
https://github.com/python/cpython/issues/62180
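The following is an added example, not pip's or CPython's own code, showing the pre-fix wildcard-to-regex translation beside the post-fix rule modelled on the CPython issue 17980 change, plus a match_hostname walk over certificate dictionaries in the shape returned by SSLSocket.getpeercert(). The certificates (GOOD_CERT, MALICIOUS_CERT) are constructed for the example, and the helpers rejects_cert and vulnerable_match_seconds are assumed names introduced here to make the behaviour measurable; nothing touches the network.

```python
import re
import time


class CertificateError(ValueError):
    """Raised when a presented certificate name cannot be matched safely."""


# --- Pre-fix behaviour (what pip < 1.4's bundled match_hostname did) ---------
# Every '*' in every label becomes the greedy regex fragment '[^.]*', so a
# name such as 'a*a*a*a*' compiles to 'a[^.]*a[^.]*a[^.]*a[^.]*' and a
# non-matching hostname forces exponential backtracking (CVE-2013-2099).
def dnsname_to_pat_vulnerable(dn):
    pats = []
    for frag in dn.split('.'):
        if frag == '*':
            pats.append('[^.]+')  # a bare '*' matches one non-empty label
        else:
            pats.append(re.escape(frag).replace(r'\*', '[^.]*'))
    return re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE)


def dnsname_match_vulnerable(dn, hostname):
    return dnsname_to_pat_vulnerable(dn).match(hostname) is not None


# --- Post-fix behaviour (the CPython issue 17980 rule pip 1.4 adopted) -------
def dnsname_match_fixed(dn, hostname, max_wildcards=1):
    """RFC 6125 section 6.4.3 matching: at most one wildcard, and only in
    the leftmost label; wildcards anywhere else are treated literally."""
    if not dn:
        return False
    leftmost, *remainder = dn.split('.')
    wildcards = leftmost.count('*')
    if wildcards > max_wildcards:
        # Refuse the name outright instead of compiling a backtracking bomb.
        raise CertificateError('too many wildcards in certificate DNS name: %r' % dn)
    if not wildcards:
        return dn.lower() == hostname.lower()  # common case, no regex at all
    if leftmost == '*':
        pats = ['[^.]+']
    elif leftmost.startswith('xn--') or hostname.startswith('xn--'):
        pats = [re.escape(leftmost)]  # no wildcard matching inside IDNA A-labels
    else:
        pats = [re.escape(leftmost).replace(r'\*', '[^.]*')]
    pats.extend(re.escape(frag) for frag in remainder)  # remaining labels are literal
    pat = re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE)
    return pat.match(hostname) is not None


def match_hostname(cert, hostname, match=dnsname_match_fixed):
    """Same walk as ssl.match_hostname over a getpeercert()-style dict:
    subjectAltName DNS entries first, commonName only if there are none.
    Returns True/False instead of raising on a plain mismatch."""
    dnsnames = []
    for key, value in cert.get('subjectAltName', ()):
        if key == 'DNS':
            if match(value, hostname):
                return True
            dnsnames.append(value)
    if not dnsnames:
        for rdn in cert.get('subject', ()):
            for key, value in rdn:
                if key == 'commonName':
                    if match(value, hostname):
                        return True
                    dnsnames.append(value)
    return False


def rejects_cert(cert, hostname, match=dnsname_match_fixed):
    """True if the matcher refuses the certificate with CertificateError."""
    try:
        match_hostname(cert, hostname, match)
    except CertificateError:
        return True
    return False


def vulnerable_match_seconds(wildcards, host_len):
    """Time the old matcher on a name with `wildcards` wildcards against a
    hostname that cannot match: the trailing '.' defeats every '[^.]*', so
    the engine tries every way of spreading the a's over the gaps before
    failing.  Cost grows combinatorially with `wildcards`."""
    dn = 'a*' * wildcards                # e.g. 'a*a*a*a*'
    hostname = 'a' * host_len + '.'
    start = time.perf_counter()
    dnsname_match_vulnerable(dn, hostname)
    return time.perf_counter() - start


# Constructed certificates in the shape returned by SSLSocket.getpeercert().
GOOD_CERT = {'subject': ((('commonName', 'pypi.python.org'),),),
             'subjectAltName': (('DNS', '*.python.org'),)}
MALICIOUS_CERT = {'subject': ((('commonName', 'a*' * 40),),)}  # 40 wildcards in one label

if __name__ == '__main__':
    print('good cert, fixed matcher :', match_hostname(GOOD_CERT, 'pypi.python.org'))
    print('evil cert, fixed matcher :', rejects_cert(MALICIOUS_CERT, 'aaaa.'))
    for n in (4, 8, 12):  # deliberately small; an attacker's certificate can use far more
        print('%2d wildcards, old matcher: %.3f s' % (n, vulnerable_match_seconds(n, 22)))
```

The contrast worth noticing is that the old translation also honoured a wildcard in a non-leftmost label ("www.*.com" matched "www.example.com"), while the fixed rule compares such names literally; and that the fixed matcher refuses the malicious name before any regex is compiled, so the cost is a single count() over the label rather than a match whose running time the server controls.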

Affected package

pip

Latest version: 24.3.1

The PyPA recommended tool for installing Python packages.

Affected versions

<1.4 (releases whose bundled match_hostname predates the security patch)

Fixed versions

1.4
Vulnerability changelog (pip 1.4 release notes)

* **BACKWARD INCOMPATIBLE** pip now only installs stable versions by default,
and offers a new ``--pre`` option to also find pre-release and development
versions. (:pull:`834`)

* **BACKWARD INCOMPATIBLE** Dropped support for Python 2.5. The minimum
supported Python version for pip 1.4 is Python 2.6.

* Added support for installing and building wheel archives.
Thanks Daniel Holth, Marcus Smith, Paul Moore, and Michele Lacchia
(:pull:`845`)

* Applied security patch to pip's ssl support related to certificate DNS
wildcard matching (http://bugs.python.org/issue17980).

* To satisfy pip's setuptools requirement, pip now recommends setuptools>=0.8,
not distribute. setuptools and distribute are now merged into one project
called 'setuptools'. (:pull:`1003`)

* pip will now warn when installing a file that is either hosted externally to
the index or cannot be verified with a hash. In the future pip will default
to not installing them and will require the flags --allow-external NAME, and
--allow-insecure NAME respectively. (:pull:`985`)

* If an already-downloaded or cached file has a bad hash, re-download it rather
than erroring out. (:issue:`963`).

* ``pip bundle`` and support for installing from pybundle files is now
considered deprecated and will be removed in pip v1.5.

* Fixed a number of issues (:issue:`413`, :issue:`709`, :issue:`634`, :issue:`602`, and :issue:`939`) related to
cleaning up and not reusing build directories. (:pull:`865`, :issue:`948`)

* Added a User Agent so that pip is identifiable in logs. (:pull:`901`)

* Added ssl and --user support to get-pip.py. Thanks Gabriel de Perthuis.
(:pull:`895`)

* Fixed the proxy support, which was broken in pip 1.3.x (:pull:`840`)

* Fixed :issue:`32` - pip fails when server does not send content-type header.
Thanks Hugo Lopes Tavares and Kelsey Hightower (:pull:`872`).

* "Vendorized" distlib as pip.vendor.distlib (https://distlib.readthedocs.io/).

* Fixed git VCS backend with git 1.8.3. (:pull:`967`)



Severity Details

CVSS Base Score: MEDIUM 4.3 (CVSS v2)

CVSS v2 vector: AV:N/AC:M/Au:N/C:N/I:N/A:P
Access Vector (AV): NETWORK
Access Complexity (AC): MEDIUM
Authentication (Au): NONE
Confidentiality Impact (C): NONE
Integrity Impact (I): NONE
Availability Impact (A): PARTIAL

The vector reflects the nature of the bug: it is reachable by any server pip connects to over HTTPS without authentication, but the only effect is CPU exhaustion on the pip client during certificate verification, with no disclosure or tampering.