It was discovered that there was a directory traversal attack in pip, the Python package installer.
When an URL was given in an install command, as a Content-Disposition header was permitted to have ../ components in their filename, arbitrary local files (eg. /root/.ssh/authorized_keys) could be overidden.
The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.
For Debian 9 Stretch
, these problems have been fixed in version
9.0.1-2+deb9u2.
We recommend that you upgrade your python-pip packages.
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS