SUSE-SU-2020:3737-1

Source
https://www.suse.com/support/update/announcement/2020/suse-su-20203737-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2020:3737-1.json
JSON Data
https://api.osv.dev/v1/vulns/SUSE-SU-2020:3737-1
Related
Published
2020-12-09T17:21:03Z
Modified
2020-12-09T17:21:03Z
Summary
Security update for python-pip, python-scripttest
Details

This update for python-pip, python-scripttest fixes the following issues:

  • Update in SLE-15 (bsc#1175297, jsc#ECO-3035, jsc#PM-2318)

python-pip was updated to 20.0.2:

  • Fix a regression in generation of compatibility tags
  • Rename an internal module, to avoid ImportErrors due to improper uninstallation
  • Switch to a dedicated CLI tool for vendoring dependencies.
  • Remove wheel tag calculation from pip and use packaging.tags. This should provide more tags ordered better than in prior releases.
  • Deprecate setup.py-based builds that do not generate an .egg-info directory.
  • The pip>=20 wheel cache is not retro-compatible with previous versions. Until pip 21.0, pip will continue to take advantage of existing legacy cache entries.
  • Deprecate undocumented --skip-requirements-regex option.
  • Deprecate passing install-location-related options via --install-option.
  • Use literal 'abi3' for wheel tag on CPython 3.x, to align with PEP 384 which only defines it for this platform.
  • Remove interpreter-specific major version tag e.g. cp3-none-any from consideration. This behavior was not documented strictly, and this tag in particular is not useful. Anyone with a use case can create an issue with pypa/packaging.
  • Wheel processing no longer permits wheels containing more than one top-level .dist-info directory.
  • Support for the git+git@ form of VCS requirement is being deprecated and will be removed in pip 21.0. Switch to git+https:// or git+ssh://. git+git:// also works but its use is discouraged as it is insecure.
  • Default to doing a user install (as if --user was passed) when the main site-packages directory is not writeable and user site-packages are enabled.
  • Warn if a path in PATH starts with tilde during pip install.
  • Cache wheels built from Git requirements that are considered immutable, because they point to a commit hash.
  • Add option --no-python-version-warning to silence warnings related to deprecation of Python versions.
  • Cache wheels that pip wheel built locally, matching what pip install does. This particularly helps performance in workflows where pip wheel is used for building before installing. Users desiring the original behavior can use pip wheel --no-cache-dir
  • Display CA information in pip debug.
  • Show only the filename (instead of full URL), when downloading from PyPI.
  • Suggest a more robust command to upgrade pip itself to avoid confusion when the current pip command is not available as pip.
  • Define all old pip console script entrypoints to prevent import issues in stale wrapper scripts.
  • The build step of pip wheel now builds all wheels to a cache first, then copies them to the wheel directory all at once. Before, it built them to a temporary directory and moved them to the wheel directory one by one.
  • Expand ~ prefix to user directory in path options, configs, and environment variables. Values that may be either URL or path are not currently supported, to avoid ambiguity:

    --find-links --constraint, -c --requirement, -r --editable, -e

  • Correctly handle system site-packages, in virtual environments created with venv (PEP 405).

  • Fix case sensitive comparison of pip freeze when used with -r option.
  • Enforce PEP 508 requirement format in pyproject.toml build-system.requires.
  • Make ensure_dir() also ignore ENOTEMPTY as seen on Windows.
  • Fix building packages which specify backend-path in pyproject.toml.
  • Do not attempt to run setup.py clean after a pep517 build error, since a setup.py may not exist in that case.
  • Fix passwords being visible in the index-url in 'Downloading <url>' message.
  • Change method from shutil.remove to shutil.rmtree in noxfile.py.
  • Skip running tests which require subversion, when svn isn't installed
  • Fix not sending client certificates when using --trusted-host.
  • Make sure pip wheel never outputs pure python wheels with a python implementation tag. Better fix/workaround for #3025 by using a per-implementation wheel cache instead of caching pure python wheels with an implementation tag in their name.
  • Include subdirectory URL fragments in cache keys.
  • Fix typo in warning message when any of --build-option, --global-option and --install-option is used in requirements.txt
  • Fix the logging of cached HTTP response shown as downloading.
  • Effectively disable the wheel cache when it is not writable, as is the case with the http cache.
  • Correctly handle relative cache directory provided via --cache-dir.
References

Affected packages

SUSE:Linux Enterprise Module for Basesystem 15 SP1 / python-pip

Package

Name
python-pip
Purl
pkg:rpm/suse/python-pip&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
20.0.2-6.12.1

Ecosystem specific

{
    "binaries": [
        {
            "python3-pip": "20.0.2-6.12.1"
        }
    ]
}

SUSE:Linux Enterprise Module for Basesystem 15 SP2 / python-pip

Package

Name
python-pip
Purl
pkg:rpm/suse/python-pip&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
20.0.2-6.12.1

Ecosystem specific

{
    "binaries": [
        {
            "python3-pip": "20.0.2-6.12.1"
        }
    ]
}

SUSE:Linux Enterprise Module for Python 2 15 SP1 / python-pip

Package

Name
python-pip
Purl
pkg:rpm/suse/python-pip&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Python%202%2015%20SP1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
20.0.2-6.12.1

Ecosystem specific

{
    "binaries": [
        {
            "python2-pip": "20.0.2-6.12.1"
        }
    ]
}

SUSE:Linux Enterprise Module for Python 2 15 SP2 / python-pip

Package

Name
python-pip
Purl
pkg:rpm/suse/python-pip&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Python%202%2015%20SP2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
20.0.2-6.12.1

Ecosystem specific

{
    "binaries": [
        {
            "python2-pip": "20.0.2-6.12.1"
        }
    ]
}