
pex 2.1.103 uses pip 20.3.4; pip 20.3.4 has vulnerability CVE-2021-3572 #1877

Closed
hpatelbitglass opened this issue Aug 10, 2022 · 2 comments

@hpatelbitglass

More info regarding the vulnerability can be found at: https://avd.aquasec.com/nvd/2021/cve-2021-3572/
Fixed pip version 21.1
A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in python-pip version 21.1.
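To make the advisory text above concrete, here is an added example in Python. It is not pip's or Pex's code and not the actual fix (the issue does not say where in pip the bug lived); it shows the general parsing mistake the CVE description names, a parser of `git show-ref` output that lets any Unicode separator act as whitespace, beside a hardened parser. The sample output, the ref names and the SHAs are constructed for the illustration.

```python
import re
import unicodedata

SHA1_RE = re.compile(r"[0-9a-f]{40}")

# Constructed `git show-ref`-style output, not captured from a real repository.
# The second ref name contains U+2028 LINE SEPARATOR; git accepts it in a ref
# name, but Python's str.splitlines() treats it as a line break and str.split()
# treats it as whitespace.  That the bogus ref name is shaped to shadow v1.0 is
# an assumption made for this illustration.
GOOD_SHA = "1" * 40
OTHER_SHA = "2" * 40
SAMPLE_SHOW_REF = (
    GOOD_SHA + " refs/tags/v1.0\n"
    + OTHER_SHA + " refs/tags/v1.0\u2028extra\n"
)


def parse_show_ref_naive(output):
    """Whitespace-agnostic parsing.

    splitlines() cuts the second record at U+2028, producing the line
    "<OTHER_SHA> refs/tags/v1.0", which then overwrites the genuine entry;
    the leftover "extra" has one field and is skipped, as tolerant ad-hoc
    parsers tend to do.
    """
    refs = {}
    for line in output.splitlines():
        fields = line.split()
        if len(fields) != 2:
            continue
        sha, ref = fields
        refs[ref] = sha
    return refs


def parse_show_ref_strict(output):
    """Hardened parsing.

    Only a newline character ends a record and only a single ASCII space
    separates the two fields; the SHA must be 40 lowercase hex digits, the
    ref name may not contain any separator or control character, and a ref
    listed twice is an error rather than a silent overwrite.
    """
    refs = {}
    for line in output.split("\n"):
        if not line:
            continue
        sha, sep, ref = line.partition(" ")
        if not sep or not ref or not SHA1_RE.fullmatch(sha):
            raise ValueError("unexpected show-ref line: %r" % line)
        for ch in ref:
            if ch.isspace() or unicodedata.category(ch)[0] in "ZC":
                raise ValueError("separator or control character in ref: %r" % ref)
        if ref in refs:
            raise ValueError("ref listed twice: %r" % ref)
        refs[ref] = sha
    return refs


def revision_for(output, ref, parser=parse_show_ref_strict):
    """Resolve a ref name to a SHA using the given parser; None if absent."""
    return parser(output).get(ref)


def strict_rejects(output):
    """True if the hardened parser refuses the output outright."""
    try:
        parse_show_ref_strict(output)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("naive :", revision_for(SAMPLE_SHOW_REF, "refs/tags/v1.0", parse_show_ref_naive))
    print("strict:", "rejected" if strict_rejects(SAMPLE_SHOW_REF) else "accepted")
```

On the constructed input the naive parser resolves `refs/tags/v1.0` to the SHA of the other ref, which is the data-integrity outcome the advisory describes; the strict parser refuses the output instead of guessing, which is the safer failure for anything that decides what gets checked out and installed.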

@jsirois (Member)

jsirois commented Aug 10, 2022

Thanks. This will be fixed as part of #1805 - namely, we have other reasons to want to upgrade Pip.

@jsirois jsirois self-assigned this Sep 20, 2022
@jsirois (Member)

jsirois commented Sep 20, 2022

With the release of Pex 2.1.104 there is now the option to use --pip-version 22.2.2 which will have the vendored Pip used 1 time to download the 22.2.2 version of Pip which will be used from then forward whenever --pip-version 22.2.2 is specified. This is much akin to pip install -U pip.

@jsirois jsirois closed this as completed Sep 20, 2022