oss-sec mailing list archives

Re: CVE Request: Insecure Software Download in pip


From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 21 Aug 2013 14:19:09 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/07/2013 11:23 AM, Donald Stufft wrote:

> On Jul 31, 2013, at 4:11 AM, Kurt Seifried <kseifried () redhat com
> <mailto:kseifried () redhat com>> wrote:
>
>> Ok I have no info on that CVE, is it embargoed? I can't find it
>> in Google after a quick search. I need to see that one before I
>> can assign anything. As for the reserved thing:
>
> This CVE has been fixed, and it is for the issue where pip prior to
> 1.3 did not download from the central repository using TLS:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1629
>
> So back to the question of mirroring, possible to get a CVE for
> that now? :)
>
> -----------------
> Donald Stufft
> PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA


Ack, sorry, catching up. Please use CVE-2013-4266 for the insecure
mirroring stuff. Can you post the Python bug URL for this again? Thanks.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
-----END PGP SIGNATURE-----

