python:3.11-slim-bookworm CVE-2023-5752
| Library | Vulnerability | Severity | Status | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|---|
| pip (METADATA) | CVE-2023-5752 | MEDIUM | fixed | 23.2.1 | 23.3 | pip: Mercurial configuration injectable in repo revision when installing via pip |
Need to be updated here: https://github.com/python/cpython/blob/9560e0d6d7a316341939b4016e47e03bd5bf17c3/Lib/ensurepip/init.py#L13
https://github.com/python/cpython/pull/112517
Hi @LaurentGoderre
Is it not necessary to modify the pip version here as well? https://github.com/docker-library/python/blob/8bc80d1109001365559eded16423ba3692eff1ff/3.11/slim-bookworm/Dockerfile#L137
(and in the "not slim" bookworm also) https://github.com/docker-library/python/blob/8bc80d1109001365559eded16423ba3692eff1ff/3.11/bookworm/Dockerfile#L103
@trottomv that version is derived from the location I pointed to in the update script.
As far as I am aware, that issue is only going to be fixed in python 3.13 (currently in alpha). The maintainers decided against backporting to previous versions.
https://github.com/python/cpython/pull/112719
As filed, this issue is now resolved since the Python 3.11 images now ship with pip 24.0: https://github.com/docker-library/python/blob/cc2cf19f2c9a440706d17b5937bf104052eef967/versions.json#L24-L32
$ docker run -q --rm python:3.11-slim-bookworm pip --version
pip 24.0 from /usr/local/lib/python3.11/site-packages/pip (python 3.11)
Images for older Python versions do still include older pip, but that's by design (since these Docker images intentionally ship with the same pip version that is bundled with the ensurepip module for that Python version).
As such, this issue can be closed.
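The check the maintainer ran above (`docker run ... pip --version`) can be scripted for a list of image tags. The script below is an added example and is not part of this issue thread or of the docker-library/python project: it parses the `pip --version` line, compares the installed pip against the fixed version from the scanner table (23.3, the version that addresses CVE-2023-5752), and reports per image. The sample outputs are constructed (one copied from the thread, one matching the scanner table); the optional `run_docker` helper only works where the docker CLI is available.

```python
import re
import subprocess

# Fixed version for CVE-2023-5752 as reported in the scanner table in this issue
FIXED_VERSION = "23.3"

# Matches e.g. "pip 24.0 from /usr/local/lib/python3.11/site-packages/pip (python 3.11)"
VERSION_RE = re.compile(r"^pip (\d+(?:\.\d+)*) from (\S+) \(python (\d+\.\d+)\)$")


def parse_pip_version(output: str):
    """Return (pip_version, python_version) parsed from one `pip --version` line."""
    m = VERSION_RE.match(output.strip())
    if not m:
        raise ValueError(f"unrecognised pip --version output: {output!r}")
    return m.group(1), m.group(3)


def version_tuple(v: str):
    """'23.2.1' -> (23, 2, 1); pip's release versions are plain dotted integers."""
    return tuple(int(part) for part in v.split("."))


def is_fixed(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when installed >= fixed. Shorter tuples are zero-padded so 23.3 == 23.3.0."""
    a, b = version_tuple(installed), version_tuple(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def check_image(tag: str, pip_output: str) -> dict:
    """Summarise one image: which pip it ships and whether that pip is past the fix."""
    pip_ver, py_ver = parse_pip_version(pip_output)
    return {
        "image": tag,
        "python": py_ver,
        "pip": pip_ver,
        "cve_2023_5752_fixed": is_fixed(pip_ver),
    }


def run_docker(tag: str) -> str:
    """Run the same command the maintainer used; requires a working docker CLI (assumption)."""
    result = subprocess.run(
        ["docker", "run", "-q", "--rm", tag, "pip", "--version"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


# Constructed sample outputs: the first line is quoted from the thread, the second
# is constructed to match the scanner table's "Installed Version 23.2.1".
SAMPLE_OUTPUTS = {
    "python:3.11-slim-bookworm": "pip 24.0 from /usr/local/lib/python3.11/site-packages/pip (python 3.11)",
    "python:3.11-slim-bookworm (scanned build)": "pip 23.2.1 from /usr/local/lib/python3.11/site-packages/pip (python 3.11)",
}


def check_samples():
    """Evaluate the constructed samples offline; returns one summary dict per image."""
    return [check_image(tag, out) for tag, out in SAMPLE_OUTPUTS.items()]


if __name__ == "__main__":
    for row in check_samples():
        status = "fixed" if row["cve_2023_5752_fixed"] else "VULNERABLE (pip < %s)" % FIXED_VERSION
        print(f"{row['image']}: python {row['python']}, pip {row['pip']} -> {status}")
```

To check live images instead of the constructed samples, replace `SAMPLE_OUTPUTS[tag]` with `run_docker(tag)` for each tag you care about; the comparison logic is unchanged. Note that, as the maintainer explains above, older Python images are expected to report an older pip, so a "VULNERABLE" result there reflects the bundled ensurepip version rather than an oversight in the image build.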