
Pipenv check thinks pip is ancient, fails citing CVE-2013-5123


I’ve searched through existing issues, and tried to find clues in the source (which I’ve never cracked open before). Neither turned up anything for me, so here’s an issue!

Issue description

pipenv check fails when checking the pip version. It warns about an issue in versions of pip older than 1.5. I’ve seen this on a macOS machine and a circleci docker image running pip 19.3.1 and 20.0.3 respectively.

I’m using Python 3.6, and managing python versions with pyenv.

Expected result

Since the installed version of pip is greater than 1.5, I would expect this check to pass instead of fail.

Actual result

Checking installed package safety…
37752: pip  resolved (19.3.1 installed)!
The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks. See CVE-2013-5123.

Steps to replicate

Here’s a handy little script to reproduce.

mkdir pipenv_check
cd pipenv_check
pipenv --python 3.6
pipenv check

$ pipenv --support

Pipenv version: '2018.11.26'

Pipenv location: '/usr/local/Cellar/pipenv/2018.11.26_2/libexec/lib/python3.7/site-packages/pipenv'

Python location: '/usr/local/Cellar/pipenv/2018.11.26_2/libexec/bin/python3.7'

Python installations found:

  • 3.7.5: /usr/local/bin/python3
  • 3.7.5: /usr/local/bin/python3.7m
  • 3.7.4: /Users/jules/.pyenv/versions/3.7.4/bin/python3
  • 3.7.4: /Users/jules/.pyenv/versions/3.7.4/bin/python3.7m
  • 3.6.6: /Users/jules/.pyenv/versions/645_a2/bin/python3
  • 3.6.6: /Users/jules/.pyenv/versions/3.6.6/bin/python3.6m
  • 2.7.16: /usr/bin/python
  • 2.7.16: /usr/bin/pythonw
  • 2.7.16: /usr/bin/python2.7
  • 2.7.8: /Users/jules/.pyenv/versions/2.7.8/bin/python
  • 2.6.6: /Users/jules/.pyenv/versions/test/bin/python
  • 2.6.6: /Users/jules/.pyenv/versions/hadoop/bin/python
  • 2.6.6: /Users/jules/.pyenv/versions/2.6.6/bin/python
  • 2.6.6: /Users/jules/.pyenv/versions/2.6.6/bin/python2.6

PEP 508 Information:

{'implementation_name': 'cpython',
 'implementation_version': '3.7.5',
 'os_name': 'posix',
 'platform_machine': 'x86_64',
 'platform_python_implementation': 'CPython',
 'platform_release': '17.7.0',
 'platform_system': 'Darwin',
 'platform_version': 'Darwin Kernel Version 17.7.0: Thu Jan 23 07:05:23 PST '
                     '2020; root:xnu-4570.71.69~1/RELEASE_X86_64',
 'python_full_version': '3.7.5',
 'python_version': '3.7',
 'sys_platform': 'darwin'}

System environment variables:

  • PATH
  • __GIT_PROMPT_IGNORE_STASH
  • TERM_PROGRAM
  • PYENV_ROOT
  • ANDROID_HOME
  • TERM
  • SHELL
  • TMPDIR
  • Apple_PubSub_Socket_Render
  • TERM_PROGRAM_VERSION
  • TERM_SESSION_ID
  • __GIT_PROMPT_SHOW_UPSTREAM
  • USER
  • __GIT_PROMPT_SHOW_UNTRACKED_FILES
  • SSH_AUTH_SOCK
  • PYENV_VIRTUALENV_INIT
  • _
  • PWD
  • LANG
  • XPC_FLAGS
  • XPC_SERVICE_NAME
  • HOME
  • SHLVL
  • PYENV_SHELL
  • GIT_BRANCH
  • __GIT_PROMPT_SHOW_CHANGED_FILES_COUNT
  • __GIT_PROMPT_IGNORE_SUBMODULES
  • LOGNAME
  • __CF_USER_TEXT_ENCODING
  • PIP_DISABLE_PIP_VERSION_CHECK
  • PYTHONDONTWRITEBYTECODE
  • PIP_SHIMS_BASE_MODULE
  • PIP_PYTHON_PATH
  • PYTHONFINDER_IGNORE_UNSUPPORTED

Pipenv–specific environment variables:

Debug–specific environment variables:

  • PATH: /usr/local/Cellar/pipenv/2018.11.26_2/libexec/tools:/Users/jules/Library/Python/2.7/bin:/usr/local/Cellar/pyenv-virtualenv/1.1.3/shims:/Users/jules/.pyenv/shims:/Users/jules/.pyenv/bin:/usr/local/opt/gettext/bin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/sbin:/Applications/Wireshark.app/Contents/MacOS:/Users/jules/Library/Android/sdk/tools:/Users/jules/Library/Android/sdk/platform-tools:/Applications/microchip/xc8/v2.05/bin:/Applications/microchip/xc8/v2.05/bin
  • SHELL: /bin/bash
  • LANG: en_CA.UTF-8
  • PWD: /Users/jules/pipenv_check

Contents of Pipfile (‘/Users/jules/pipenv_check/Pipfile’):

[[source]]
name = "pypi"
url = "https://pypi.org/simple"
verify_ssl = true

[dev-packages]

[packages]

[requires]
python_version = "3.6"
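The report above boils down to a version-range check going wrong: pip 19.3.1 and 20.0.3 are being matched against an advisory that only applies to pip before 1.5. The page does not say what the actual defect in the database was, so the following is an added illustration, not code from pipenv, safety or safety-db. It implements a dependency-free evaluator for advisory specifiers of the kind such databases use (clauses like `<1.5` or `>=1.0,<1.5`), confirms that the versions from the report do not satisfy `<1.5`, and places a deliberately naive string comparison beside it to show one way a scanner can produce exactly this sort of spurious hit. The `ADVISORY` record and the spec text `"<1.5"` are constructed for the example and are an assumption about how the entry is shaped, not a copy of the safety-db entry.

```python
"""Evaluate an advisory version specifier against installed package versions.

Added example for the pipenv check false positive discussed above; not code
from pipenv, safety or safety-db. Stdlib only, so it runs without packaging.
"""
import re
from typing import List, Tuple

# Constructed advisory record modelled on the warning quoted in the issue.
# The spec string is an assumption about the entry's shape, not the real one.
ADVISORY = {
    "name": "pip",
    "specs": ["<1.5"],
    "cve": "CVE-2013-5123",
}

# Longer operators first so "<=" is not mistaken for "<" followed by "=1.5".
_OPS = ("<=", ">=", "==", "!=", "<", ">")


def parse_release(version: str) -> Tuple[int, ...]:
    """Return the numeric release segments of a PEP 440-style version.

    Pre/post/dev suffixes are ignored for this comparison: '19.3.1' -> (19, 3, 1),
    '2.0rc1' -> (2, 0). An optional leading 'v' is tolerated.
    """
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def _pad(a: Tuple[int, ...], b: Tuple[int, ...]):
    """Right-pad the shorter tuple with zeros so (1, 5) compares equal to (1, 5, 0)."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def matches_spec(version: str, clause: str) -> bool:
    """True if `version` satisfies a single comparison clause such as '<1.5'."""
    clause = clause.strip()
    for op in _OPS:
        if clause.startswith(op):
            lhs, rhs = _pad(parse_release(version), parse_release(clause[len(op):]))
            return {
                "<": lhs < rhs, "<=": lhs <= rhs,
                ">": lhs > rhs, ">=": lhs >= rhs,
                "==": lhs == rhs, "!=": lhs != rhs,
            }[op]
    raise ValueError(f"unsupported clause: {clause!r}")


def is_affected(version: str, specs: List[str]) -> bool:
    """An advisory applies when every comma-separated clause of at least one
    spec string holds (clauses are ANDed, spec strings are ORed)."""
    return any(
        all(matches_spec(version, clause) for clause in spec.split(","))
        for spec in specs
    )


def naive_string_affected(version: str, clause: str) -> bool:
    """Deliberately wrong check: lexicographic comparison on the raw strings.

    Kept here only to show how a scanner can flag a current release as
    'older than 1.5' ('1.10' < '1.5' is True as strings). Supports '<' only.
    """
    if not clause.startswith("<"):
        raise ValueError("illustration only handles '<' clauses")
    return version < clause[1:]


if __name__ == "__main__":
    for v in ("19.3.1", "20.0.3", "1.4.1", "1.10"):
        print(
            f"pip {v}: affected={is_affected(v, ADVISORY['specs'])} "
            f"naive_string={naive_string_affected(v, ADVISORY['specs'][0])}"
        )
```

Running it shows `affected=False` for 19.3.1 and 20.0.3 and `affected=True` only for 1.4.1, which is the result the reporter expected from pipenv check. The naive comparison agrees on those three but flags 1.10, which is the kind of discrepancy to look for when a scanner's verdict contradicts the version you can see is installed: reproduce the range check yourself against the advisory's stated range before treating the finding as real.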

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Reactions: 68
  • Comments: 8

Top GitHub Comments

13 reactions
lubo commented, Mar 9, 2020

@d-me-tree, @belthaZornv, @isabelrios @AlexSunins-ECS and anybody else with similar thoughts in mind, please don’t do this ever again, anywhere. If you’re affected by the issue, hit 👍 under the first comment please. Be considerate of your fellow readers/subscribers and don’t spam the thread and their inboxes with meaningless messages. Thanks.

9 reactions
780Farva commented, Mar 11, 2020

The fix in pyupio/safety-db#2286 should be enough to resolve this issue. I verified pipenv check is no longer complaining on my projects. Closing this issue. Thanks @thehesiod for your help!
