SUSE Security Update: Security update for python-pip, python-scripttest
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:3737-1
Rating:             moderate
References:         #1175297 #1176262 ECO-3035 
Cross-References:   CVE-2019-20916
Affected Products:
                    SUSE Linux Enterprise Module for Python2 15-SP2
                    SUSE Linux Enterprise Module for Python2 15-SP1
                    SUSE Linux Enterprise Module for Basesystem 15-SP2
                    SUSE Linux Enterprise Module for Basesystem 15-SP1
______________________________________________________________________________

   An update that solves one vulnerability, contains one
   feature and has one errata is now available.

Description:

   This update for python-pip, python-scripttest fixes the following issues:

   - Update in SLE-15 (bsc#1175297, jsc#ECO-3035, jsc#PM-2318)

   python-pip was updated to 20.0.2:

   * Fix a regression in generation of compatibility tags
   * Rename an internal module, to avoid ImportErrors due to improper
     uninstallation
   * Switch to a dedicated CLI tool for vendoring dependencies.
   * Remove wheel tag calculation from pip and use packaging.tags. This
     should provide more tags ordered better than in prior releases.
   *  Deprecate setup.py-based builds that do not generate an .egg-info
      directory.
   *  The pip>=20 wheel cache is not retro-compatible with previous versions.
      Until pip 21.0, pip will continue to take advantage of existing legacy
      cache entries.
   *  Deprecate undocumented --skip-requirements-regex option.
   *  Deprecate passing install-location-related options via --install-option.
   *  Use literal "abi3" for wheel tag on CPython 3.x, to align with PEP 384
      which only defines it for this platform.
   *  Remove interpreter-specific major version tag e.g. cp3-none-any from
      consideration. This behavior was not documented strictly, and this tag
      in particular is not useful. Anyone with a use case can create an issue
      with pypa/packaging.
   *  Wheel processing no longer permits wheels containing more than one
      top-level .dist-info directory.
   *  Support for the [email protected] form of VCS requirement is being deprecated
      and will be removed in pip 21.0. Switch to git+https:// or git+ssh://.
      git+git:// also works but its use is discouraged as it is insecure.
   *  Default to doing a user install (as if --user was passed) when the main
      site-packages directory is not writeable and user site-packages are
      enabled.
   *  Warn if a path in PATH starts with tilde during pip install.
   *  Cache wheels built from Git requirements that are considered immutable,
      because they point to a commit hash.
   *  Add option --no-python-version-warning to silence warnings related to
      deprecation of Python versions.
   *  Cache wheels that pip wheel built locally, matching what pip install
      does. This particularly helps performance in workflows where pip wheel
      is used for building before installing. Users desiring the original
      behavior can use pip wheel --no-cache-dir
   *  Display CA information in pip debug.
   *  Show only the filename (instead of full URL), when downloading from
      PyPI.
   *  Suggest a more robust command to upgrade pip itself to avoid confusion
      when the current pip command is not available as pip.
   *  Define all old pip console script entrypoints to prevent import issues
      in stale wrapper scripts.
   *  The build step of pip wheel now builds all wheels to a cache first,
      then copies them to the wheel directory all at once. Before, it built
      them to a temporary directory and moved them to the wheel directory one
      by one.
   *  Expand ~ prefix to user directory in path options, configs, and
      environment variables. Values that may be either URL or path are not
      currently supported, to avoid ambiguity:

      --find-links
      --constraint, -c
      --requirement, -r
      --editable, -e

   *  Correctly handle system site-packages, in virtual environments created
      with venv (PEP 405).
   *  Fix case sensitive comparison of pip freeze when used with -r option.
   *  Enforce PEP 508 requirement format in pyproject.toml
      build-system.requires.
   *  Make ensure_dir() also ignore ENOTEMPTY as seen on Windows.
   *  Fix building packages which specify backend-path in pyproject.toml.
   *  Do not attempt to run setup.py clean after a pep517 build error, since
      a setup.py may not exist in that case.
   *  Fix passwords being visible in the index-url in "Downloading "
      message.
   *  Change method from shutil.remove to shutil.rmtree in noxfile.py.
   *  Skip running tests which require subversion, when svn isn't installed
   *  Fix not sending client certificates when using --trusted-host.
   *  Make sure pip wheel never outputs pure python wheels with a python
      implementation tag. Better fix/workaround for #3025 by using a
      per-implementation wheel cache instead of caching pure python wheels
      with an implementation tag in their name.
   *  Include subdirectory URL fragments in cache keys.
   *  Fix typo in warning message when any of --build-option, --global-option
      and --install-option is used in requirements.txt
   *  Fix the logging of cached HTTP response shown as downloading.
   *  Effectively disable the wheel cache when it is not writable, as is the
      case with the http cache.
   *  Correctly handle relative cache directory provided via --cache-dir.


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Module for Python2 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Python2-15-SP2-2020-3737=1

   - SUSE Linux Enterprise Module for Python2 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Python2-15-SP1-2020-3737=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2020-3737=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2020-3737=1



Package List:

   - SUSE Linux Enterprise Module for Python2 15-SP2 (noarch):

      python2-pip-20.0.2-6.12.1

   - SUSE Linux Enterprise Module for Python2 15-SP1 (noarch):

      python2-pip-20.0.2-6.12.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (noarch):

      python3-pip-20.0.2-6.12.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP1 (noarch):

      python3-pip-20.0.2-6.12.1


References:

   https://www.suse.com/security/cve/CVE-2019-20916.html
   https://bugzilla.suse.com/1175297
   https://bugzilla.suse.com/1176262