PyPI: pip

CVE-2014-8991

Safety vulnerability ID: 25960

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Nov 24, 2014. Updated at Dec 17, 2024.

Advisory

pip before 6.0 does not use a randomized, securely created default build directory when one is available. Earlier releases built packages under a predictable path in the shared temporary directory, so a local user who creates that path first (for example as an ordinary file) can prevent another user's package installations from completing. The impact is a local denial of service; no confidentiality or integrity impact is recorded. Fixed in pip 6.0 by creating the build directory with a random name and restrictive permissions (CVE-2014-8991).
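The advisory above is easiest to see side by side: a guessable build path in a shared temp directory next to a randomized one created by `tempfile.mkdtemp`. The following is an added illustration written for this page, not pip's own code; the function names, the `pip-build-<user>` naming scheme and the sandbox directory standing in for the shared `/tmp` are assumptions made for the demonstration.

```python
import os
import shutil
import stat
import tempfile


def predictable_build_dir(tmp_root, user):
    """Pre-6.0 style build directory (reconstructed for illustration, not pip's code).

    The path is fixed and guessable from the user name, so any local user can
    predict it for any other user, and nothing checks who owns the path or
    whether it is even a directory.
    """
    path = os.path.join(tmp_root, "pip-build-%s" % user)
    if not os.path.exists(path):
        os.makedirs(path)
    return path


def secure_build_dir(tmp_root):
    """Hardened pattern: a fresh directory with an unguessable suffix.

    tempfile.mkdtemp creates the directory atomically with mode 0700, so a
    pre-created file, symlink or foreign-owned directory is never reused.
    """
    return tempfile.mkdtemp(prefix="pip-build-", dir=tmp_root)


def build_dir_is_usable(path):
    """A build directory is usable only if it is a real directory we own and
    nobody else can write to (POSIX check; reduced to isdir elsewhere)."""
    if os.name != "posix":
        return os.path.isdir(path)
    st = os.lstat(path)  # do not follow symlinks: a symlink squat is also an attack
    return (
        stat.S_ISDIR(st.st_mode)
        and st.st_uid == os.getuid()
        and not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))
    )


def simulate_squat(tmp_root, victim_user):
    """A local attacker pre-creates the guessable path as an empty file, then
    the victim tries to build. Returns whether each strategy gave a usable dir."""
    squat = os.path.join(tmp_root, "pip-build-%s" % victim_user)
    with open(squat, "w"):
        pass  # attacker's file now occupies the predictable path

    old = predictable_build_dir(tmp_root, victim_user)
    new = secure_build_dir(tmp_root)
    return {
        "predictable": build_dir_is_usable(old),  # False: it is the attacker's file
        "randomized": build_dir_is_usable(new),   # True: fresh 0700 directory
        "randomized_path_differs": new != squat,
    }


def demo():
    """Run the squat in a private sandbox directory (stand-in for shared /tmp)."""
    root = tempfile.mkdtemp(prefix="sandbox-")
    try:
        return simulate_squat(root, "victim")
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

The predictable variant fails because `os.path.exists` is satisfied by the attacker's file and the "directory" is then handed back unchecked; the randomized variant succeeds because the attacker cannot guess the suffix and `mkdtemp` refuses to reuse anything that already exists. The ownership and permission check in `build_dir_is_usable` is the belt-and-braces test a practitioner would add even when the path is random.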

Affected package

pip

Latest version: 24.3.1

The PyPA recommended tool for installing Python packages.

Affected versions: < 6.0

Fixed versions: >= 6.0

Vulnerability changelog


* **PROCESS** Version numbers are now simply ``X.Y`` where the leading ``1``
has been dropped.

* **BACKWARD INCOMPATIBLE** Dropped support for Python 3.1.

* **BACKWARD INCOMPATIBLE** Removed the bundle support which was deprecated in
1.4. (:pull:`1806`)

* **BACKWARD INCOMPATIBLE** File lists generated by `pip show -f` are now
rooted at the location reported by show, rather than one (unstated)
directory lower. (:pull:`1933`)

* **BACKWARD INCOMPATIBLE** The ability to install files over the FTP protocol
was accidentally lost in pip 1.5 and it has now been decided to not restore
that ability.

* **BACKWARD INCOMPATIBLE** PEP 440 is now fully implemented, this means that
in some cases versions will sort differently or version specifiers will be
interpreted differently than previously. The common cases should all function
similarly to before.

* **DEPRECATION** ``pip install --download-cache`` and
``pip wheel --download-cache`` command line flags have been deprecated and
the functionality removed. Since pip now automatically configures and uses
its internal HTTP cache, which supplants the ``--download-cache``, the
existing options have been made non-functional but will still be accepted
until their removal in pip v8.0. For more information please see
https://pip.pypa.io/en/stable/reference/pip_install.html#caching

* **DEPRECATION** ``pip install --build`` and ``pip install --no-clean`` are now
*NOT* deprecated. This reverses the deprecation that occurred in v1.5.3. See
:issue:`906` for discussion.

* **DEPRECATION** Implicitly accessing URLs which point to an origin which is
not a secure origin, instead requiring an opt-in for each host using the new
``--trusted-host`` flag (``pip install --trusted-host example.com foo``).

* Allow the new ``--trusted-host`` flag to also disable TLS verification for
a particular hostname.

* Added a ``--user`` flag to ``pip freeze`` and ``pip list`` to check the
user site directory only.

* Fixed :issue:`1873`. Silence byte compile errors when installation succeeds.

* Added a virtualenv-specific configuration file. (:pull:`1364`)

* Added site-wide configuration files. (:pull:`1978`)

* Added an automatic check to warn if there is an updated version of pip
available (:pull:`2049`).

* `wsgiref` and `argparse` (for >py26) are now excluded from `pip list` and `pip
freeze` (:pull:`1606`, :pull:`1369`)

* Fixed :issue:`1424`. Add ``--client-cert`` option for SSL client certificates.

* Fixed :issue:`1484`. `pip show --files` was broken for wheel installs. (:pull:`1635`)

* Fixed :issue:`1641`. install_lib should take precedence when reading distutils config.
(:pull:`1642`)

* Send `Accept-Encoding: identity` when downloading files in an attempt to
convince some servers who double compress the downloaded file to stop doing
so. (:pull:`1688`)

* Fixed :issue:`1559`. Stop breaking when given pip commands in uppercase (:pull:`1725`)

* Fixed :issue:`1618`. Pip no longer adds duplicate logging consumers, so it
won't create duplicate output when being called multiple times. (:pull:`1723`)

* Fixed :issue:`1769`. `pip wheel` now returns an error code if any wheels
fail to build.

* Fixed :issue:`1775`. `pip wheel` wasn't building wheels for dependencies of
editable requirements.

* Allow the use of ``--no-use-wheel`` within a requirements file. (:pull:`1859`)

* Fixed :issue:`1680`. Attempt to locate system TLS certificates to use instead
of the included CA Bundle if possible. (:pull:`1866`)

* Fixed :issue:`1319`. Allow use of Zip64 extension in Wheels and other zip
files. (:pull:`1868`)

* Fixed :issue:`1101`. Properly handle an index or --find-links target which
has a <base> without a href attribute. (:pull:`1869`)

* Fixed :issue:`1885`. Properly handle extras when a project is installed
via Wheel. (:pull:`1896`)

* Fixed :issue:`1180`. Added support to respect proxies in ``pip search``. It
also fixes :issue:`932` and :issue:`1104`. (:pull:`1902`)

* Fixed :issue:`798` and :issue:`1060`. `pip install --download` works with vcs links.
(:pull:`1926`)

* Fixed :issue:`1456`. Disabled warning about insecure index host when using localhost.
Based off of Guy Rozendorn's work in :pull:`1718`. (:pull:`1967`)

* Allow the use of OS standard user configuration files instead of ones simply
based around ``$HOME``. (:pull:`2021`)

* Fixed :issue:`1825`. When installing directly from wheel paths or urls,
previous versions were not uninstalled. This also fixes :issue:`804`
specifically for the case of wheel archives. (:pull:`1838`)

* Fixed :issue:`2075`, detect the location of the ``.egg-info`` directory by
looking for any file located inside of it instead of relying on the record
file listing a directory. (:pull:`2076`)

* Fixed :issue:`1964`, :issue:`1935`, :issue:`676`. Use a randomized and secure
default build directory when possible, instead of a predictable path in the
shared temporary directory. (:pull:`2122`, CVE-2014-8991)

* Fixed :issue:`1433`. Support environment markers in requirements.txt files.
(:pull:`2134`)

* Automatically retry failed HTTP requests by default. (:pull:`1444`, :pull:`2147`)

* Fixed :issue:`1100` - Handle HTML Encoding better using a method that is more
similar to how browsers handle it. (:pull:`1874`)

* Reduce the verbosity of the pip command by default. (:pull:`2175`,
:pull:`2177`, :pull:`2178`)

* Fixed :issue:`2031` - Respect sys.executable on OSX when installing from
Wheels.

* Display the entire URL of the file that is being downloaded when downloading
from a non PyPI repository (:pull:`2183`).

* Support setuptools style environment markers in a source distribution
(:pull:`2153`).



Severity Details

CVSS v2 Base Score: 2.1 (LOW)

CVSS v2 Vector: AV:L/AC:L/Au:N/C:N/I:N/A:P

Access Vector (AV): LOCAL
Access Complexity (AC): LOW
Authentication (Au): NONE
Confidentiality Impact (C): NONE
Integrity Impact (I): NONE
Availability Impact (A): PARTIAL