CVE-2014-8991
Published: 24 November 2014
pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a /tmp/pip-build-* file for another user.
Notes
| Author | Note |
|---|---|
| msalvatore | The patch from upstream does not resolve the CVE. Backporting this the actual fix for trusty requires invasive changes that will change the command line interface. The issues is first fixed in version 7.0.0 and the changelog mentions it is backwards incompatible. |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
python-pip Launchpad, Ubuntu, Debian |
artful |
Not vulnerable
|
| bionic |
Not vulnerable
|
|
| lucid |
Ignored
(end of life)
|
|
| precise |
Ignored
(end of life)
|
|
| trusty |
Ignored
(see note above)
|
|
| upstream |
Released
(1.5.6-4)
|
|
| utopic |
Ignored
(end of life)
|
|
| vivid |
Ignored
(end of life)
|
|
| wily |
Ignored
(end of life)
|
|
| xenial |
Not vulnerable
(8.1.1-2ubuntu0.4)
|
|
| yakkety |
Ignored
(end of life)
|
|
| zesty |
Ignored
(end of life)
|