oss-sec mailing list archives
Re: CVE Request: Insecure Software Download in pip
From: Donald Stufft <donald () stufft io>
Date: Wed, 31 Jul 2013 05:11:41 -0400
On Jul 31, 2013, at 4:33 AM, Raphael Geissert <geissert () debian org> wrote:
> On 31 July 2013 10:11, Kurt Seifried <kseifried () redhat com> wrote:
>> On 07/30/2013 12:44 PM, Donald Stufft wrote:
>>> There was a CVE for pip not verifying TLS, https://access.redhat.com/security/cve/CVE-2013-1629
>>> However that says it was RESERVED so I'm not sure how to make that unreserved? I've not done much with requesting CVEs before.
>>
>> Ok I have no info on that CVE, is it embargoed? I can't find it in google after a quick search. I need to see that one before I can assign anything.
>
> From the bugzilla info: "source=debian", and looking at our tracker:
> https://security-tracker.debian.org/tracker/CVE-2013-1629
> points to:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=710163
>
> I don't know who assigned the id, however.
>
> Cheers,
> --
> Raphael Geissert - Debian Developer
> www.debian.org - get.debian.net
Ha, awesome. This CVE is some sort of ghost ;)

The Debian bug links to https://security-tracker.debian.org/tracker/CVE-2013-1629, which links to: this conversation in oss-sec; NVD, which says it doesn't exist; the RedHat Bugzilla; Gentoo, which says it doesn't exist; and Ubuntu, which says it does but doesn't give any more info other than linking to the page on Mitre that just says the reserved bit.

A google search turns up http://www.reddit.com/r/Python/comments/17rfh7/warning_dont_use_pip_in_an_untrusted_network_a/c8ay4xt but it's unclear if that person requested the CVE or not.

So uh, how do we figure it out? Can I, as a pip developer, contact Mitre and release data for it?

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA