
Upgrade pip version to 23.3 or newer #20632

Closed
Selutario opened this issue Dec 5, 2023 · 3 comments
Assignees: fdalmaup
Labels: level/task, type/bug/vulnerability (Exploitable vulnerability)

Comments

@Selutario (Member) commented Dec 5, 2023

Component
Embedded python

Description

The currently installed pip version (23.0.1) has this CVE:

The only way to exploit it is using Mercurial, so Wazuh is not vulnerable, but we should upgrade it anyway.

@Selutario Selutario added type/bug/vulnerability Exploitable vulnerability level/task labels Dec 5, 2023
@fdalmaup fdalmaup self-assigned this Dec 20, 2023
@fdalmaup (Member)

Issue Update

As mentioned in the setuptools update, to upgrade the pip and setuptools packages, their wheels must be added to cpython/Lib/ensurepip/_bundled and the version must be modified in cpython/Lib/ensurepip/__init__.py; this does not require modifications in framework/requirements.txt.

The present issue won't require an associated PR. The starting point is the packages created for #20586 (aiohttp 3.9.1), to which the update of both packages is added for Wazuh v4.7.2.

amd64

Package information
[root@b06e309d4cc3 external]# ll cpython/Lib/ensurepip/_bundled/
total 3268
-rw-r--r-- 1 root root       0 Nov  7 20:39 __init__.py
-rwxr-xr-x 1 root root 2109393 Dec 20 18:22 pip-23.3.2-py3-none-any.whl
drwxr-xr-x 2 root root    4096 Nov  7 20:45 __pycache__
-rwxr-xr-x 1 root root 1232712 Nov  7 20:39 setuptools-65.5.1-py3-none-any.whl
OS information
[root@b06e309d4cc3 external]# uname -m
x86_64
[root@b06e309d4cc3 external]# cat /etc/redhat-release
CentOS release 6.10 (Final)
Wazuh v4.7.2 installation
....
Installed /var/ossec/framework/python/lib/python3.9/site-packages/api-4.7.2-py3.9.egg
Processing dependencies for api==4.7.2
Finished processing dependencies for api==4.7.2
cd ../tools/mitre && /var/ossec/framework/python/bin/python3 mitredb.py -d /var/ossec/var/db/mitre.db
chcon: can't apply partial context to unlabeled file `/var/ossec/lib/libjemalloc.so.2'
Generating self-signed certificate for wazuh-authd...


 - System is Redhat Linux.
 - Init script modified to start Wazuh during boot.
Starting Wazuh...
server
Starting Wazuh v4.7.2...
Started wazuh-apid...
Started wazuh-csyslogd...
Started wazuh-dbd...
2023/12/20 18:28:59 wazuh-integratord: INFO: Remote integrations not configured. Clean exit.
Started wazuh-integratord...
Started wazuh-agentlessd...
Started wazuh-authd...
Started wazuh-db...
Started wazuh-execd...
Started wazuh-analysisd...
Started wazuh-syscheckd...
Started wazuh-remoted...
Started wazuh-logcollector...
Started wazuh-monitord...
Started wazuh-modulesd...
Completed.

 - Configuration finished properly.

 - To start Wazuh:
      /var/ossec/bin/wazuh-control start

 - To stop Wazuh:
      /var/ossec/bin/wazuh-control stop

 - The configuration can be viewed or modified at /var/ossec/etc/ossec.conf


   Thanks for using Wazuh.
   Please don't hesitate to contact us if you need help or find
   any bugs.

   Use our public Mailing List at:
          https://groups.google.com/forum/#!forum/wazuh

   More information can be found at:
          - http://www.wazuh.com

    ---  Press ENTER to finish (maybe more information below). ---

 - In order to connect agent and server, you need to add each agent to the server.

   More information at: 
   https://documentation.wazuh.com/
pip version installed
[root@b06e309d4cc3 wazuh]# /var/ossec/framework/python/bin/pip3 --version
pip 23.3.2 from /var/ossec/framework/python/lib/python3.9/site-packages/pip (python 3.9)

aarch64

Package information
[root@2c6d09d551ca external]# ll cpython/Lib/ensurepip/_bundled/
total 3268
-rw-r--r-- 1 root root       0 Nov  7 19:50 __init__.py
drwxr-xr-x 2 root root    4096 Nov  7 20:20 __pycache__
-rwxr-xr-x 1 root root 2109393 Dec 20 18:35 pip-23.3.2-py3-none-any.whl
-rwxr-xr-x 1 root root 1232712 Nov  7 19:50 setuptools-65.5.1-py3-none-any.whl
OS information
[root@2c6d09d551ca external]# uname -m
aarch64
[root@2c6d09d551ca external]# cat /etc/redhat-release
CentOS Linux release 7.9.2009 (AltArch)
Wazuh v4.7.2 installation
...
creating 'dist/api-4.7.2-py3.9.egg' and adding 'build/bdist.linux-aarch64/egg' to it
removing 'build/bdist.linux-aarch64/egg' (and everything under it)
Processing api-4.7.2-py3.9.egg
creating /var/ossec/framework/python/lib/python3.9/site-packages/api-4.7.2-py3.9.egg
Extracting api-4.7.2-py3.9.egg to /var/ossec/framework/python/lib/python3.9/site-packages
Adding api 4.7.2 to easy-install.pth file

Installed /var/ossec/framework/python/lib/python3.9/site-packages/api-4.7.2-py3.9.egg
Processing dependencies for api==4.7.2
Finished processing dependencies for api==4.7.2
cd ../tools/mitre && /var/ossec/framework/python/bin/python3 mitredb.py -d /var/ossec/var/db/mitre.db
/usr/bin/chcon: can't apply partial context to unlabeled file '/var/ossec/lib/libjemalloc.so.2'
Generating self-signed certificate for wazuh-authd...


 - System is Redhat Linux.
 - Init script modified to start Wazuh during boot.
Starting Wazuh...
server
Starting Wazuh v4.7.2...
Started wazuh-apid...
Started wazuh-csyslogd...
Started wazuh-dbd...
2023/12/20 19:46:18 wazuh-integratord: INFO: Remote integrations not configured. Clean exit.
Started wazuh-integratord...
Started wazuh-agentlessd...
Started wazuh-authd...
Started wazuh-db...
Started wazuh-execd...
Started wazuh-analysisd...
Started wazuh-syscheckd...
Started wazuh-remoted...
Started wazuh-logcollector...
Started wazuh-monitord...
Started wazuh-modulesd...
Completed.

 - Configuration finished properly.

 - To start Wazuh:
      /var/ossec/bin/wazuh-control start

 - To stop Wazuh:
      /var/ossec/bin/wazuh-control stop

 - The configuration can be viewed or modified at /var/ossec/etc/ossec.conf


   Thanks for using Wazuh.
   Please don't hesitate to contact us if you need help or find
   any bugs.

   Use our public Mailing List at:
          https://groups.google.com/forum/#!forum/wazuh

   More information can be found at:
          - http://www.wazuh.com

    ---  Press ENTER to finish (maybe more information below). ---

 - In order to connect agent and server, you need to add each agent to the server.

   More information at: 
   https://documentation.wazuh.com/
pip version installed
[root@2c6d09d551ca external]# /var/ossec/framework/python/bin/pip3 --version
pip 23.3.2 from /var/ossec/framework/python/lib/python3.9/site-packages/pip (python 3.9)

Next steps

The 24-20586 package has been created to test the update before uploading it to the official DEPS_VERSION=24.
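
As an added example (not part of this issue and not Wazuh or CPython code), the check below verifies an ensurepip bundle after the kind of wheel swap described in the update above: the version constants in cpython/Lib/ensurepip/__init__.py must agree with the wheel file names and the wheel's own METADATA, the pip version must meet the floor from this issue's title (23.3), no old wheel may be left behind in _bundled, and an optional pinned sha256 catches a renamed or tampered wheel. It assumes CPython 3.9's layout (constants named _PIP_VERSION and _SETUPTOOLS_VERSION, wheels named "{project}-{version}-py3-none-any.whl"); the directories and wheels it runs against are constructed fixtures built inline so it runs offline, and the function names are this example's own.

```python
# Added example, not project code. Assumes CPython 3.9's Lib/ensurepip layout:
# __init__.py declares _PIP_VERSION / _SETUPTOOLS_VERSION and _bundled/ holds
# "{project}-{version}-py3-none-any.whl". Fixture wheels below are constructed
# inline (minimal zips with a METADATA file) so everything runs offline.
import hashlib
import re
import zipfile
from pathlib import Path
from tempfile import TemporaryDirectory

_VERSION_RE = re.compile(r'^_(PIP|SETUPTOOLS)_VERSION\s*=\s*"([^"]+)"', re.M)


def parse_version(text):
    """'23.3.2' -> (23, 3, 2), so a floor such as (23, 3) compares naturally."""
    return tuple(int(p) for p in text.split("."))


def declared_versions(ensurepip_dir):
    """Versions that the __init__.py constants say should be bundled."""
    src = (Path(ensurepip_dir) / "__init__.py").read_text()
    return {name.lower(): ver for name, ver in _VERSION_RE.findall(src)}


def wheel_metadata_version(wheel_path):
    """Version recorded in the wheel's *.dist-info/METADATA (None if absent)."""
    with zipfile.ZipFile(wheel_path) as zf:
        for name in zf.namelist():
            if name.endswith(".dist-info/METADATA"):
                for line in zf.read(name).decode().splitlines():
                    if line.startswith("Version:"):
                        return line.split(":", 1)[1].strip()
    return None


def check_bundle(ensurepip_dir, minimum=None, expected_sha256=None):
    """Return a list of problems; empty means the bundle is consistent.
    minimum: per-project floor, e.g. {"pip": (23, 3)} for this issue.
    expected_sha256: per-project hex digest pinned from the upstream release."""
    minimum, expected_sha256 = minimum or {}, expected_sha256 or {}
    bundled = Path(ensurepip_dir) / "_bundled"
    versions = declared_versions(ensurepip_dir)
    problems = []
    for project, version in versions.items():
        wheel = bundled / f"{project}-{version}-py3-none-any.whl"
        if not wheel.is_file():
            problems.append(f"{project}: declared {version} but {wheel.name} is missing")
            continue
        meta = wheel_metadata_version(wheel)
        if meta != version:  # file name, constant and wheel metadata must agree
            problems.append(f"{project}: METADATA says {meta}, __init__.py says {version}")
        floor = minimum.get(project)
        if floor and parse_version(version) < floor:
            problems.append(f"{project}: {version} is below required {'.'.join(map(str, floor))}")
        pin = expected_sha256.get(project)
        if pin and hashlib.sha256(wheel.read_bytes()).hexdigest() != pin:
            problems.append(f"{project}: sha256 of {wheel.name} does not match pin")
    for whl in bundled.glob("*.whl"):  # an old wheel left behind still ships in the build
        project, version = whl.name.split("-")[:2]
        if versions.get(project) != version:
            problems.append(f"stale wheel {whl.name} not referenced by __init__.py")
    return problems


def make_wheel(path, project, version):
    """Constructed fixture: a minimal wheel is just a zip with a dist-info dir."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(f"{project}-{version}.dist-info/METADATA",
                    f"Metadata-Version: 2.1\nName: {project}\nVersion: {version}\n")


def build_fixture(root, pip_version="23.3.2", stale_pip=None):
    """Constructed fixture mirroring Lib/ensurepip with the given versions."""
    ens = Path(root) / "ensurepip"
    (ens / "_bundled").mkdir(parents=True)
    (ens / "__init__.py").write_text(
        f'_SETUPTOOLS_VERSION = "65.5.1"\n_PIP_VERSION = "{pip_version}"\n')
    make_wheel(ens / "_bundled" / "setuptools-65.5.1-py3-none-any.whl", "setuptools", "65.5.1")
    make_wheel(ens / "_bundled" / f"pip-{pip_version}-py3-none-any.whl", "pip", pip_version)
    if stale_pip:  # simulate forgetting to delete the previous pip wheel
        make_wheel(ens / "_bundled" / f"pip-{stale_pip}-py3-none-any.whl", "pip", stale_pip)
    return ens


def demo():
    """Run the check over four constructed bundles and return their findings."""
    floor = {"pip": (23, 3)}
    cases = {"clean": {}, "stale_wheel": {"stale_pip": "23.0.1"},
             "too_old": {"pip_version": "23.0.1"}}
    results = {}
    for label, kwargs in cases.items():
        with TemporaryDirectory() as tmp:
            results[label] = check_bundle(build_fixture(tmp, **kwargs), minimum=floor)
    with TemporaryDirectory() as tmp:  # wrong pin: digest of the bundled wheel differs
        results["bad_pin"] = check_bundle(build_fixture(tmp), expected_sha256={"pip": "0" * 64})
    return results


if __name__ == "__main__":
    for label, problems in demo().items():
        print(f"{label}: {problems or 'OK'}")
```

Point it at the real tree with check_bundle("cpython/Lib/ensurepip", minimum={"pip": (23, 3)}, expected_sha256={"pip": "<digest from the pip release page>"}) before cutting the package; the pip3 --version check shown in the logs above only proves the installed copy, not that the bundle is free of leftover wheels or that the wheel is the one upstream published.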

@fdalmaup (Member)

Issue Update

The packages were tested as part of #20798 giving successful results. The issue can be cross-reviewed.

@GGP1 (Member) commented Dec 21, 2023

Review

The corresponding cpython files were added and updated accordingly, the pip version present after the installation is the expected one on both architectures and there were no errors found during the tests performed. LGTM!
