mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-01-29 21:08:42 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
8a6b3d82f6e075a1a67ca4ba6c21a04799d1f575
poky/meta/recipes-devtools/python/python3-pip
History
Jiaying Song 53801adf75 python3-pip: fix CVE-2023-5752 
When installing a package from a Mercurial VCS URL (ie "pip install
hg+...") with pip prior to v23.3, the specified Mercurial revision could
be used to inject arbitrary configuration options to the "hg clone" call
(ie "--config"). Controlling the Mercurial configuration can modify how
and which repository is installed. This vulnerability does not affect
users who aren't installing from Mercurial.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-5752

Upstream patches:
389cb799d0

(From OE-Core rev: 862c0338fba06077a26c775b49f993eac63762c9)

Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-12-02 06:23:20 -08:00
..
0001-change-shebang-to-python3.patch
python3-pip: update 21.2.4 -> 21.3
2021-10-23 17:42:25 +01:00
CVE-2023-5752.patch
python3-pip: fix CVE-2023-5752
2024-12-02 06:23:20 -08:00
no_shebang_mangling.patch
python3-pip: Don't change shebang
2022-02-25 15:07:50 +00:00
reproducible.patch
python3-pip: Improve reproducibility
2022-02-25 15:07:50 +00:00