docker-library / python

Docker Official Image packaging for Python
https://www.python.org/
MIT License

python:3.11-slim-bookworm CVE-2023-5752 #889

Open trottomv opened 7 months ago

trottomv commented 7 months ago
| Library | Vulnerability | Severity | Status | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|---|
| pip (METADATA) | CVE-2023-5752 | MEDIUM | fixed | 23.2.1 | 23.3 | pip: Mercurial configuration injectable in repo revision when installing via pip |
LaurentGoderre commented 7 months ago

Need to be updated here: https://github.com/python/cpython/blob/9560e0d6d7a316341939b4016e47e03bd5bf17c3/Lib/ensurepip/__init__.py#L13

LaurentGoderre commented 7 months ago

https://github.com/python/cpython/pull/112517

trottomv commented 7 months ago

Hi @LaurentGoderre

Is it not necessary to modify the pip version here as well? https://github.com/docker-library/python/blob/8bc80d1109001365559eded16423ba3692eff1ff/3.11/slim-bookworm/Dockerfile#L137

(and in the "not slim" bookworm also) https://github.com/docker-library/python/blob/8bc80d1109001365559eded16423ba3692eff1ff/3.11/bookworm/Dockerfile#L103

LaurentGoderre commented 7 months ago

@trottomv that version is derived from the location I pointed to in the update script.
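
An added check, not code from this issue or from the docker-library/python project, that reads both sources the thread is talking about: the pip version `ensurepip` would bootstrap (the value in `Lib/ensurepip/__init__.py` that the Dockerfile pins are derived from) and the version recorded in the installed pip's METADATA (what the scanner reads), and compares each against the fixed version from the scan table above. The helper names, the regex-based release parsing and the exit-code convention are assumptions of this example, not anything the project ships.

```python
"""Added example (not part of the docker-library/python issue or project):
report whether the pip in this interpreter is at or above the version the
scanner listed as fixed for CVE-2023-5752 (installed 23.2.1, fixed 23.3)."""
import re
from importlib import metadata

FIXED_PIP_VERSION = "23.3"  # "Fixed Version" column from the scan output in the issue


def release_tuple(version: str) -> tuple:
    """Numeric release segment of a version string as a tuple:
    "23.2.1" -> (23, 2, 1), "23.3rc1" -> (23, 3).
    Assumption of this example: pre-release/local suffixes are ignored."""
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_at_least(installed: str, fixed: str) -> bool:
    """True when `installed` is the fixed version or newer.
    Tuples compare element-wise and a shorter prefix sorts lower, so
    (23, 2, 1) < (23, 3) and (23, 3) < (23, 3, 1)."""
    return release_tuple(installed) >= release_tuple(fixed)


def bundled_pip_version():
    """Version of pip that `python -m ensurepip` would install, or None if
    ensurepip is unavailable (some distro builds strip it)."""
    try:
        import ensurepip
        return ensurepip.version()
    except Exception:  # ImportError or a distro-patched ensurepip
        return None


def installed_pip_version():
    """Version from the installed pip's METADATA (what the scanner reads),
    or None if pip is not installed in this interpreter."""
    try:
        return metadata.version("pip")
    except metadata.PackageNotFoundError:
        return None


def audit(fixed: str = FIXED_PIP_VERSION) -> dict:
    """Compare both sources against the fixed version; None means 'not found'."""
    bundled = bundled_pip_version()
    installed = installed_pip_version()
    return {
        "fixed": fixed,
        "bundled": bundled,
        "bundled_ok": None if bundled is None else is_at_least(bundled, fixed),
        "installed": installed,
        "installed_ok": None if installed is None else is_at_least(installed, fixed),
    }


if __name__ == "__main__":
    report = audit()
    for key, value in report.items():
        print(f"{key:>12}: {value}")
    # Exit non-zero when either source is still below the fixed version, so a
    # CI step can fail an image build that would ship the flagged pip.
    raise SystemExit(1 if False in report.values() else 0)
```

Run it inside the image under test (`docker run --rm python:3.11-slim-bookworm python check_pip.py` with the file mounted, path assumed); a `bundled_ok: False` with `installed_ok: True` would mean the Dockerfile upgraded pip after bootstrapping while ensurepip still carries the older value, which is exactly the distinction the thread draws.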

rv0lt commented 5 months ago

As far as I am aware, that issue is only going to be fixed in Python 3.13 (currently in alpha). The maintainers decided against backporting to previous versions.

https://github.com/python/cpython/pull/112719