Open trottomv opened 7 months ago
| Library | Vulnerability | Severity | Status | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|---|
| pip (METADATA) | CVE-2023-5752 | MEDIUM | fixed | 23.2.1 | 23.3 | pip: Mercurial configuration injectable in repo revision when installing via pip |
Hi @LaurentGoderre
Is it not necessary to modify the pip version here as well? https://github.com/docker-library/python/blob/8bc80d1109001365559eded16423ba3692eff1ff/3.11/slim-bookworm/Dockerfile#L137
(and in the "not slim" bookworm also) https://github.com/docker-library/python/blob/8bc80d1109001365559eded16423ba3692eff1ff/3.11/bookworm/Dockerfile#L103
@trottomv that version is derived from the location I pointed to in the update script.
As far as I am aware, that issue is only going to be fixed in Python 3.13 (currently in alpha). The maintainers decided against backporting to previous versions.