oss-sec mailing list archives
Re: CVE Request: Insecure Software Download in pip
From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 21 Aug 2013 14:30:53 -0600
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 08/21/2013 02:28 PM, Donald Stufft wrote:
On Aug 21, 2013, at 4:19 PM, Kurt Seifried <kseifried () redhat com> wrote:Signed PGP part On 08/07/2013 11:23 AM, Donald Stufft wrote:On Jul 31, 2013, at 4:11 AM, Kurt Seifried <kseifried () redhat com <mailto:kseifried () redhat com>> wrote:Ok I have no info on that CVE, is it embargoed? I can't find it in google after a quick search. I need to see that one before I can assign anything. As for the reserved thing:This CVE has been fixed, and it is for the issue where pip prior to 1.3 did not download from the central repository using TLS https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1629 So back to the question of mirroring, possible to get a CVE for that now? :) ----------------- Donald Stufft PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFAAck sorry catching up. Please use CVE-2013-4266 for the insecure mirroring stuff. Can you post the Python bug URL for this again? thanks. - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993@Kurt can you reject CVE-2013-4266, I had assumed you weren't going to assign one so I contacted cve-assign@mitre and they assigned CVE-2013-5123
Ack,I deserved that =) Please REJECT CVE-2013-4266, use CVE-2013-5123 instead. - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) iQIcBAEBAgAGBQJSFSN9AAoJEBYNRVNeJnmTXr0P/2sg0b4pj9GvOOeuyJWZTcRK qN5ZVhLttna0RkyjsxXMsDOCvEFyHV3UsjYhXh+W/qbkmtUlUUNam8J3O09SNRS1 2HieU8NRAHO3PoXTUFsOUAMbX9kBGAdrXrGowLpWDN0Xe+h1fe1nwdzMclXsHjIe uiieM+rlLXXCUf8sUGqdYoqN6yFp9Lq/WrVevUiQbWwF3ICNhQbP3JwPd6OXn4uG UETjH4bHkmNecS/TubcwbRCeCct9DnxcxvqUenfbgCZamfDEGqhxoDGg2YWdGTIs UqcdjIegJD79k+DYQd7BZ10O3KgoRv3Imneb/Xknk3d6jzb2RG/Ou5URvP97Q7NE 40HZysvV/kSAx0JrJbaYBcl2OhDWzMwKvW+TaWmjlf88LGN1p8BAho7hY4esr8/r D1p9QApTI4Z+PwPgbXdcb8S80i4ne5e/mFos3e1V4RjuJImgFp7jvU7m1dbeB+X9 kb0k0XcovDSN10TtDiaJEKPSrCuG4OPxN/u1SfttOOkrpVQjgv2F1OS5xFSCtnas wNR+BFYQmlhT9u3OWJlx9d1TiQsc+lNlwWUqV4tLG48S0lLMFKgAL3QG6sdmOsUh MsSJ1Hh91ru7mr4W0XXFIHgEQ3CcnM15DE4kC0tqn49EgH1IBmunS7dZGUplYWto JnGLAa05rii4Tex4G08P =+jrH -----END PGP SIGNATURE-----
Current thread:
- Re: CVE Request: Insecure Software Download in pip, (continued)
- Re: CVE Request: Insecure Software Download in pip Kurt Seifried (Jul 29)
- Re: CVE Request: Insecure Software Download in pip Donald Stufft (Jul 30)
- Re: CVE Request: Insecure Software Download in pip Kurt Seifried (Jul 31)
- Re: CVE Request: Insecure Software Download in pip Donald Stufft (Jul 31)
- Re: CVE Request: Insecure Software Download in pip Raphael Geissert (Jul 31)
- Re: CVE Request: Insecure Software Download in pip Donald Stufft (Jul 31)
- Re: CVE Request: Insecure Software Download in pip Donald Stufft (Aug 03)
- Re: CVE Request: Insecure Software Download in pip Donald Stufft (Aug 07)
- Re: CVE Request: Insecure Software Download in pip Kurt Seifried (Aug 21)
- Re: CVE Request: Insecure Software Download in pip Donald Stufft (Aug 21)
- Re: CVE Request: Insecure Software Download in pip Kurt Seifried (Aug 21)