CVE-2022-30877: The keep package for Python included a backdoor inserted by a third party.

The keep command is a backup and restore tool that can run in different modes. The current version (v1.2 as of writing) is distributed under the name “pyvault” and is available on PyPI. The current version is v1.2, which is under version control with the last commit being v1.2.5. The current version is not vulnerable to the keep command backdoor. It is recommended that keep is updated to v1.3 to avoid the backdoor. It is also recommended that keep is not run as root.

Keep is a simple command-line tool that can be installed with the pip command. At the time of writing, keep was not updated to v1.3. It is recommended that pip is updated to v9.0.1, which is the latest version.

To install keep, use the command below.

    pip install --upgrade keep

To update pip, use the command below.

    pip install --upgrade pip

To update keep, use the command below.

    pip install --upgrade -e git://github.com --trunk/keep

To install keep from the current version, use the command below.

    pip install --upgrade keep

If you have pip 9.0.1 or above and keep v1.2.5 or above, you are safe.

Conclusion: Keep is not vulnerable to the backdoor

When keep was last updated, the current version was v1.2 and it was not vulnerable to the backdoor. It is recommended that keep is updated to v1.3 in order to avoid the backdoor.

What is keep?

Keep is a simple backup and restore tool that can run in different modes. The current version (v1.2 as of writing) is distributed under the name “pyvault” and is available on PyPI. It is recommended that keep is updated to v1.3 to avoid the backdoor. It is also recommended that keep not be run as root. Keep is a simple command-line tool that can be installed with the pip command.

Timeline

Published on: 06/08/2022 18:15:00 UTC
Last modified on: 06/15/2022 14:33:00 UTC
