Product Research Enterprise Plans Docs

PyPi: Pip

CVE-2015-2296

Transitive

Safety vulnerability ID: 25961

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Mar 18, 2015 Updated at Feb 03, 2024

Scan your Python projects for vulnerabilities →

Advisory

Pip 6.1.0 updates its bundled dependency 'requests' to 2.6.0 to include a security fix.

Affected package

pip

Latest version: 24.0

The PyPA recommended tool for installing Python packages.

Affected versions

Fixed versions

Vulnerability changelog

* Fixes :issue:`2502`. Upgrades were failing when no potential links were found
for dependencies other than the current installation. (:pull:`2538`)

* Use a smoother progress bar when the terminal is capable of handling it,
otherwise fallback to the original ASCII based progress bar.

* Display much less output when `pip install` succeeds, because on success,
users probably don't care about all the nitty gritty details of compiling and
installing. When `pip install` fails, display the failed install output once
instead of twice, because once is enough. (:pull:`2487`)

* Upgrade the bundled copy of requests to 2.6.0, fixing CVE-2015-2296.

* Display format of latest package when using ``pip list --outdated``.
(:pull:`2475`)

* Don't use pywin32 as ctypes should always be available on Windows, using
pywin32 prevented uninstallation of pywin32 on Windows. (:pull:`2467`)

* Normalize the ``--wheel-dir`` option, expanding out constructs such as ``~``
when used (:pull:`2441`).

* Display a warning when an undefined extra has been requested. (:pull:`2142`)

* Speed up installing a directory in certain cases by creating a sdist instead
of copying the entire directory. (:pull:`2535`)

* Don't follow symlinks when uninstalling files (:pull:`2552`)

* Upgrade the bundled copy of cachecontrol from 0.11.1 to 0.11.2.
Fixes :issue:`2481` (:pull:`2595`)

* Attempt to more smartly choose the order of installation to try and install
dependencies before the projects that depend on them. (:pull:`2616`)

* Skip trying to install libraries which are part of the standard library.
(:pull:`2636`, :pull:`2602`)

* Support arch specific wheels that are not tied to a specific Python ABI.
(:pull:`2561`)

* Output warnings and errors to stderr instead of stdout. (:pull:`2543`)

* Adjust the cache dir file checks to only check ownership if the effective
user is root. (:pull:`2396`)

* Install headers into a per project name directory instead of all of them into
the root directory when inside of a virtual environment. (:pull:`2421`)

Resources

Use this package?

Scan your Python project for dependency vulnerabilities in two minutes

Scan your application

Severity Details

CVSS Base Score

MEDIUM 6.8

CVSS v2 Details

MEDIUM 6.8

Access Vector (AV): NETWORK
Access Complexity (AC): MEDIUM
Authentication (Au): NONE
Confidentiality Impact (C): PARTIAL
Integrity Impact (I): PARTIAL
Availability Impact (A): PARTIAL