摘要:
python-pip security update
安全等级: Medium
公告ID: KylinSec-SA-2025-2786
发布日期: 2025年8月14日
关联CVE: CVE-2024-47081
pip is the package installer for Python. You can use pip to install packages from the Python Package Index and other indexes. %global bashcompdir %(b=$(pkg-config --variable=completionsdir bash-completion 2>/dev/null); echo ${b:-/bash_completion.d}) Name: python-pip Version: 23.3.1 Release: 3 Summary: A tool for installing and managing Python packages License: MIT and Python and ASL 2.0 and BSD and ISC and LGPLv2 and MPLv2.0 and (ASL 2.0 or BSD) URL: http://www.pip-installer.org Source0: Source1: pip.loongarch.conf BuildArch: noarch Patch1: remove-existing-dist-only-if-path-conflicts. Patch6000: dummy-certifi.patch Patch6001: backport-CVE-2023-45803-Made-body-stripped-from-HTTP-requests.patch Patch6002: backport-CVE-2024-37891-Strip-Proxy-Authorization-header-on-redirects.patch
Security Fix(es):
Requests is a HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. Users should upgrade to version 2.32.4 to receive a fix. For older versions of Requests, use of the .netrc file can be disabled with `trust_env=False` on one's Requests Session.(CVE-2024-47081)
| cve名称 | 产品 | 组件 | 是否受影响 |
|---|---|---|---|
| CVE-2024-47081 | KY3.4-5A | python-requests | Fixed |
| 软件名称 | 架构 | 版本号 |
|---|---|---|
| python-pip-help | noarch | 20.2.2-10.kb1.ky3_4 |
| python-pip-wheel | noarch | 20.2.2-10.kb1.ky3_4 |
| python2-pip | noarch | 20.2.2-10.kb1.ky3_4 |
| python3-pip | noarch | 20.2.2-10.kb1.ky3_4 |
方法一:下载安装包进行升级安装
1、通过下载链接下载需要升级的升级包保存,如 xxx.rpm
2、通过rpm命令升级,如 rpm -Uvh xxx.rpm
方法二:通过软件源进行升级安装
1、保持能够连接上互联网
2、通过yum命令升级指定的包,如 yum install 包名
