Summary:
python-virtualenv security update
Severity: High
Advisory ID: KylinSec-SA-2025-1617
Published: March 7, 2025
Related CVE: CVE-2024-53899
Virtualenv is a tool to create isolated Python environments. Since Python 3.3, a subset of it has been integrated into the standard library as the venv module. Note, though, that the venv module does not offer all features of this library (e.g. it cannot create bootstrap scripts, cannot create virtual environments for Python versions other than the host Python, and the environments it creates are not relocatable). Tools may therefore still prefer virtualenv for its ease of upgrading (via pip), its unified handling of different Python versions, and some more advanced features.
Security Fix(es):
virtualenv before 20.26.6 allows command injection through the activation scripts of a virtual environment: the magic template strings are not quoted correctly when they are substituted into the scripts, so shell metacharacters in the substituted value are interpreted by the shell that sources the script. NOTE: this is not the same issue as CVE-2024-9287. (CVE-2024-53899)
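The following is an added example, not virtualenv's own code and not the patch for this CVE. It is a constructed model of the flaw class named above: a POSIX-sh activation template rendered by plain string substitution, beside the hardened form that shell-quotes the substituted value with `shlex.quote`. The placeholder name `__VIRTUAL_ENV__`, the template text, the `sh -c` harness and the hostile directory names are all assumptions made for the demonstration.

```python
"""Illustrative model of the quoting flaw class behind CVE-2024-53899.

Added example, not virtualenv's own code: a POSIX-sh activation template is
rendered by substituting the environment path into a placeholder.  The
placeholder name __VIRTUAL_ENV__ and the template text are assumptions made
for this demonstration.
"""
import shlex
import subprocess

PLACEHOLDER = "__VIRTUAL_ENV__"  # assumed placeholder name

# Constructed minimal template: the renderer is responsible for quoting the value.
TEMPLATE = (
    "VIRTUAL_ENV=__VIRTUAL_ENV__\n"
    "export VIRTUAL_ENV\n"
    "printf '%s\\n' \"$VIRTUAL_ENV\"\n"
)


def render_unquoted(env_dir: str) -> str:
    """Vulnerable pattern: the path is pasted into the script verbatim.

    Shell metacharacters in the path ($(...), backticks, spaces, ;) are then
    interpreted by the shell that sources the script.
    """
    return TEMPLATE.replace(PLACEHOLDER, env_dir)


def render_quoted(env_dir: str) -> str:
    """Hardened pattern: the path is single-quoted with shlex.quote.

    Inside single quotes the shell performs no expansion at all, so the
    script always assigns the literal directory name (embedded single
    quotes are handled by shlex.quote itself).
    """
    return TEMPLATE.replace(PLACEHOLDER, shlex.quote(env_dir))


def source_and_read_env(script: str) -> str:
    """Run the rendered script with /bin/sh and return what VIRTUAL_ENV became.

    Stands in for `. bin/activate`; this is a constructed test harness, not
    part of any real activation flow.
    """
    proc = subprocess.run(["sh", "-c", script], capture_output=True, text=True, check=False)
    return proc.stdout.rstrip("\n")


def injection_executed(env_dir: str, renderer) -> bool:
    """True if sourcing the rendered script did something other than assign env_dir.

    A correctly quoted script leaves VIRTUAL_ENV equal to env_dir byte for byte;
    any difference means the shell expanded or split part of the path.
    """
    return source_and_read_env(renderer(env_dir)) != env_dir


if __name__ == "__main__":
    # Constructed hostile directory name: command substitution embedded in the path.
    hostile = "/tmp/venv$(echo INJECTED)"
    print("unquoted:", source_and_read_env(render_unquoted(hostile)))  # /tmp/venvINJECTED
    print("quoted:  ", source_and_read_env(render_quoted(hostile)))    # /tmp/venv$(echo INJECTED)
```

The check `injection_executed` is the property a fix for this class must restore: whatever the environment path contains, sourcing the generated script assigns exactly that path and runs nothing else. A directory name containing a space is enough to break the unquoted form, since the shell then treats the remainder of the line as a command to run.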
CVE | Product | Component | Status |
---|---|---|---|
CVE-2024-53899 | V6 | python-virtualenv | Fixed |
Package | Architecture | Version |
---|---|---|
python3-virtualenv | noarch | 20.26.6-1.ks6 |
Method 1: Download the package and upgrade manually
1. Download the upgrade package from the download link and save it, e.g. xxx.rpm
2. Upgrade it with rpm, e.g. rpm -Uvh xxx.rpm
Method 2: Upgrade from the software repository
1. Make sure the system can reach the internet (and thus the repository)
2. Upgrade the specified package with yum, e.g. yum install <package name>