SUSE-SU-2020:3737-1: moderate: Security update for python-pip, python-scripttest
sle-security-updates at lists.suse.com
sle-security-updates at lists.suse.com
Wed Dec 9 16:15:39 MST 2020
SUSE Security Update: Security update for python-pip, python-scripttest
______________________________________________________________________________
Announcement ID: SUSE-SU-2020:3737-1
Rating: moderate
References: #1175297 #1176262 ECO-3035
Cross-References: CVE-2019-20916
Affected Products:
SUSE Linux Enterprise Module for Python2 15-SP2
SUSE Linux Enterprise Module for Python2 15-SP1
SUSE Linux Enterprise Module for Basesystem 15-SP2
SUSE Linux Enterprise Module for Basesystem 15-SP1
______________________________________________________________________________
An update that solves one vulnerability, contains one
feature and has one errata is now available.
Description:
This update for python-pip, python-scripttest fixes the following issues:
- Update in SLE-15 (bsc#1175297, jsc#ECO-3035, jsc#PM-2318)
python-pip was updated to 20.0.2:
* Fix a regression in generation of compatibility tags
* Rename an internal module, to avoid ImportErrors due to improper
uninstallation
* Switch to a dedicated CLI tool for vendoring dependencies.
* Remove wheel tag calculation from pip and use packaging.tags. This
should provide more tags ordered better than in prior releases.
* Deprecate setup.py-based builds that do not generate an .egg-info
directory.
* The pip>=20 wheel cache is not retro-compatible with previous versions.
Until pip 21.0, pip will continue to take advantage of existing legacy
cache entries.
* Deprecate undocumented --skip-requirements-regex option.
* Deprecate passing install-location-related options via --install-option.
* Use literal "abi3" for wheel tag on CPython 3.x, to align with PEP 384
which only defines it for this platform.
* Remove interpreter-specific major version tag e.g. cp3-none-any from
consideration. This behavior was not documented strictly, and this tag
in particular is not useful. Anyone with a use case can create an issue
with pypa/packaging.
* Wheel processing no longer permits wheels containing more than one
top-level .dist-info directory.
* Support for the git+git@ form of VCS requirement is being deprecated
and will be removed in pip 21.0. Switch to git+https:// or git+ssh://.
git+git:// also works but its use is discouraged as it is insecure.
* Default to doing a user install (as if --user was passed) when the main
site-packages directory is not writeable and user site-packages are
enabled.
* Warn if a path in PATH starts with tilde during pip install.
* Cache wheels built from Git requirements that are considered immutable,
because they point to a commit hash.
* Add option --no-python-version-warning to silence warnings related to
deprecation of Python versions.
* Cache wheels that pip wheel built locally, matching what pip install
does. This particularly helps performance in workflows where pip wheel
is used for building before installing. Users desiring the original
behavior can use pip wheel --no-cache-dir
* Display CA information in pip debug.
* Show only the filename (instead of full URL), when downloading from
PyPI.
* Suggest a more robust command to upgrade pip itself to avoid confusion
when the current pip command is not available as pip.
* Define all old pip console script entrypoints to prevent import issues
in stale wrapper scripts.
* The build step of pip wheel now builds all wheels to a cache first,
then copies them to the wheel directory all at once. Before, it built
them to a temporary directory and moved them to the wheel directory one
by one.
* Expand ~ prefix to user directory in path options, configs, and
environment variables. Values that may be either URL or path are not
currently supported, to avoid ambiguity:
--find-links
--constraint, -c
--requirement, -r
--editable, -e
* Correctly handle system site-packages, in virtual environments created
with venv (PEP 405).
* Fix case sensitive comparison of pip freeze when used with -r option.
* Enforce PEP 508 requirement format in pyproject.toml
build-system.requires.
* Make ensure_dir() also ignore ENOTEMPTY as seen on Windows.
* Fix building packages which specify backend-path in pyproject.toml.
* Do not attempt to run setup.py clean after a pep517 build error, since
a setup.py may not exist in that case.
* Fix passwords being visible in the index-url in "Downloading <url>"
message.
* Change method from shutil.remove to shutil.rmtree in noxfile.py.
* Skip running tests which require subversion, when svn isn't installed
* Fix not sending client certificates when using --trusted-host.
* Make sure pip wheel never outputs pure python wheels with a python
implementation tag. Better fix/workaround for #3025 by using a
per-implementation wheel cache instead of caching pure python wheels
with an implementation tag in their name.
* Include subdirectory URL fragments in cache keys.
* Fix typo in warning message when any of --build-option, --global-option
and --install-option is used in requirements.txt
* Fix the logging of cached HTTP response shown as downloading.
* Effectively disable the wheel cache when it is not writable, as is the
case with the http cache.
* Correctly handle relative cache directory provided via --cache-dir.
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Module for Python2 15-SP2:
zypper in -t patch SUSE-SLE-Module-Python2-15-SP2-2020-3737=1
- SUSE Linux Enterprise Module for Python2 15-SP1:
zypper in -t patch SUSE-SLE-Module-Python2-15-SP1-2020-3737=1
- SUSE Linux Enterprise Module for Basesystem 15-SP2:
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2020-3737=1
- SUSE Linux Enterprise Module for Basesystem 15-SP1:
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-3737=1
Package List:
- SUSE Linux Enterprise Module for Python2 15-SP2 (noarch):
python2-pip-20.0.2-6.12.1
- SUSE Linux Enterprise Module for Python2 15-SP1 (noarch):
python2-pip-20.0.2-6.12.1
- SUSE Linux Enterprise Module for Basesystem 15-SP2 (noarch):
python3-pip-20.0.2-6.12.1
- SUSE Linux Enterprise Module for Basesystem 15-SP1 (noarch):
python3-pip-20.0.2-6.12.1
References:
https://www.suse.com/security/cve/CVE-2019-20916.html
https://bugzilla.suse.com/1175297
https://bugzilla.suse.com/1176262
More information about the sle-security-updates
mailing list