python:3.11-slim-bookworm CVE-2023-5752
trottomv opened this issue · comments
Matteo Vitali commented
| Library | Vulnerability | Severity | Status | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|---|
| pip (METADATA) | CVE-2023-5752 | MEDIUM | fixed | 23.2.1 | 23.3 | pip: Mercurial configuration injectable in repo revision when installing via pip |
Laurent Goderre commented
Laurent Goderre commented
Matteo Vitali commented
Is it not necessary to modify the pip version here as well?
python/3.11/slim-bookworm/Dockerfile, line 137 in 8bc80d1
(and in the "not slim" bookworm also)
python/3.11/bookworm/Dockerfile, line 103 in 8bc80d1
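A quick way to answer the question above for any built image is to compare the pip that actually ships in the container against the fixed version Trivy reports (23.3) rather than reading the Dockerfile by hand. The script below is an added example, not code from this issue thread or from the docker-library/python project; the `pip --version` line it parses is a constructed sample, and the only value taken from the report is the fixed version. In a real check you would feed it `docker run --rm python:3.11-slim-bookworm pip --version`.

```shell
#!/bin/sh
# Added example (not from the issue or the docker-library/python repo):
# decide whether the pip inside an image is older than the version that
# Trivy lists as fixed for CVE-2023-5752.

FIXED_PIP_VERSION="23.3"   # "Fixed Version" column of the Trivy row above

# Constructed sample of what `pip --version` prints inside the image.
SAMPLE_PIP_VERSION_LINE="pip 23.2.1 from /usr/local/lib/python3.11/site-packages/pip (python 3.11)"

# version_lt A B: succeed (exit 0) when dotted numeric version A is older than B.
# Missing trailing components count as 0, so 23.3 == 23.3.0.
version_lt() {
  a="$1"
  b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    x="${a%%.*}"
    y="${b%%.*}"
    case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
    case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    x="${x:-0}"
    y="${y:-0}"
    if [ "$x" -lt "$y" ]; then return 0; fi
    if [ "$x" -gt "$y" ]; then return 1; fi
  done
  return 1
}

# installed_pip_version "<pip --version output>": print the second
# whitespace-separated field, i.e. the version number.
installed_pip_version() {
  set -- $1
  printf '%s\n' "$2"
}

# pip_update_needed "<pip --version output>": print "yes" when the installed
# pip is below FIXED_PIP_VERSION, otherwise "no".
pip_update_needed() {
  v="$(installed_pip_version "$1")"
  if version_lt "$v" "$FIXED_PIP_VERSION"; then
    echo yes
  else
    echo no
  fi
}

# Stand-alone run: check the constructed sample line.
# Replace SAMPLE_PIP_VERSION_LINE with the real output of
#   docker run --rm python:3.11-slim-bookworm pip --version
echo "installed: $(installed_pip_version "$SAMPLE_PIP_VERSION_LINE"), fixed: $FIXED_PIP_VERSION, update needed: $(pip_update_needed "$SAMPLE_PIP_VERSION_LINE")"
```

The comparison is done component by component in plain POSIX sh so it also works in a slim image that lacks `sort -V`; it only understands dotted numeric versions, which is all pip uses for its releases.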
Laurent Goderre commented
@trottomv that version is derived from the location I pointed to in the update script.
Álvaro Revuelta commented
As far as I am aware, that issue is only going to be fixed in python 3.13 (currently in alpha). The maintainers decided against backporting to previous versions.