python:3.11-slim-bookworm CVE-2023-5752

[trottomv]

Library	Vulnerability	Severity	Status	Installed Version	Fixed Version	Title
pip (METADATA)	CVE-2023-5752	MEDIUM	fixed	23.2.1	23.3	pip: Mercurial configuration injectable in repo revision when installing via pip Link

[LaurentGoderre]

Need to be updated here: https://github.com/python/cpython/blob/9560e0d6d7a316341939b4016e47e03bd5bf17c3/Lib/ensurepip/__init__.py#L13

[LaurentGoderre]

python/cpython#112517

[trottomv]

Hi @LaurentGoderre

Is it not necessary to modify the pip version here as well?

python/3.11/slim-bookworm/Dockerfile

Line 137 in 8bc80d1

ENV PYTHON_PIP_VERSION 23.2.1

(and in the "not slim" bookworm also)

python/3.11/bookworm/Dockerfile

Line 103 in 8bc80d1

ENV PYTHON_PIP_VERSION 23.2.1

[LaurentGoderre]

@trottomv that version is derived from the location I pointed to in the update script.

[rv0lt]

As far as I am aware, that issue is only going to be fixed in python 3.13 (currently in alpha). The maintainers decided against back porting to previous versions

python/cpython#112719

[edmorley]

As filed, this issue is now resolved since the Python 3.11 images now ship with pip 24.0:

python/versions.json

Lines 24 to 32 in cc2cf19

	"3.11": {
	"get-pip": {
	"sha256": "6fb7b781206356f45ad79efbb19322caa6c2a5ad39092d0d44d0fec94117e118",
	"url": "https://github.com/pypa/get-pip/raw/66d8a0f637083e2c3ddffc0cb1e65ce126afb856/public/get-pip.py",
	"version": "https://github.com/pypa/get-pip/commit/66d8a0f637083e2c3ddffc0cb1e65ce126afb856"
	},
	"pip": {
	"version": "24.0"
	},

$ docker run -q --rm python:3.11-slim-bookworm pip --version
pip 24.0 from /usr/local/lib/python3.11/site-packages/pip (python 3.11)

Images for older Python versions do still include older pip, but that's by design (since these Docker images intentionally ship with the same pip version that is bundled with the ensurepip module for that Python version).

As such, this issue can be closed.