oss-sec mailing list archives

Re: CVE Request: Insecure Software Download in pip

From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 21 Aug 2013 14:30:53 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/21/2013 02:28 PM, Donald Stufft wrote:


On Aug 21, 2013, at 4:19 PM, Kurt Seifried <kseifried () redhat com>
wrote:

Signed PGP part On 08/07/2013 11:23 AM, Donald Stufft wrote:


On Jul 31, 2013, at 4:11 AM, Kurt Seifried
<kseifried () redhat com <mailto:kseifried () redhat com>> wrote:

Ok I have no info on that CVE, is it embargoed? I can't find
it in google after a quick search. I need to see that one
before I can assign anything. As for the reserved thing:


This CVE has been fixed, and it is for the issue where pip
prior to 1.3 did not download from the central repository using
TLS

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1629

So back to the question of mirroring, possible to get a CVE
for that now? :)

----------------- Donald Stufft PGP: 0x6E3CBCE93372DCFA //
7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA


Ack sorry catching up. Please use CVE-2013-4266  for the
insecure mirroring stuff. Can you post the Python bug URL for
this again? thanks.

- -- Kurt Seifried Red Hat Security Response Team (SRT) PGP:
0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993


@Kurt can you reject CVE-2013-4266,

I had assumed you weren't going to assign one so I contacted
cve-assign@mitre and they assigned CVE-2013-5123


Ack,I deserved that =) Please REJECT CVE-2013-4266, use CVE-2013-5123
instead.


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iQIcBAEBAgAGBQJSFSN9AAoJEBYNRVNeJnmTXr0P/2sg0b4pj9GvOOeuyJWZTcRK
qN5ZVhLttna0RkyjsxXMsDOCvEFyHV3UsjYhXh+W/qbkmtUlUUNam8J3O09SNRS1
2HieU8NRAHO3PoXTUFsOUAMbX9kBGAdrXrGowLpWDN0Xe+h1fe1nwdzMclXsHjIe
uiieM+rlLXXCUf8sUGqdYoqN6yFp9Lq/WrVevUiQbWwF3ICNhQbP3JwPd6OXn4uG
UETjH4bHkmNecS/TubcwbRCeCct9DnxcxvqUenfbgCZamfDEGqhxoDGg2YWdGTIs
UqcdjIegJD79k+DYQd7BZ10O3KgoRv3Imneb/Xknk3d6jzb2RG/Ou5URvP97Q7NE
40HZysvV/kSAx0JrJbaYBcl2OhDWzMwKvW+TaWmjlf88LGN1p8BAho7hY4esr8/r
D1p9QApTI4Z+PwPgbXdcb8S80i4ne5e/mFos3e1V4RjuJImgFp7jvU7m1dbeB+X9
kb0k0XcovDSN10TtDiaJEKPSrCuG4OPxN/u1SfttOOkrpVQjgv2F1OS5xFSCtnas
wNR+BFYQmlhT9u3OWJlx9d1TiQsc+lNlwWUqV4tLG48S0lLMFKgAL3QG6sdmOsUh
MsSJ1Hh91ru7mr4W0XXFIHgEQ3CcnM15DE4kC0tqn49EgH1IBmunS7dZGUplYWto
JnGLAa05rii4Tex4G08P
=+jrH
-----END PGP SIGNATURE-----

Current thread:

Re: CVE Request: Insecure Software Download in pip, (continued)
- - - Re: CVE Request: Insecure Software Download in pip Kurt Seifried (Jul 29)
    - Re: CVE Request: Insecure Software Download in pip Donald Stufft (Jul 30)
    - Re: CVE Request: Insecure Software Download in pip Kurt Seifried (Jul 31)
    - Re: CVE Request: Insecure Software Download in pip Donald Stufft (Jul 31)
    - Re: CVE Request: Insecure Software Download in pip Raphael Geissert (Jul 31)
    - Re: CVE Request: Insecure Software Download in pip Donald Stufft (Jul 31)
    - Re: CVE Request: Insecure Software Download in pip Donald Stufft (Aug 03)
    - Re: CVE Request: Insecure Software Download in pip Donald Stufft (Aug 07)
    - Re: CVE Request: Insecure Software Download in pip Kurt Seifried (Aug 21)
    - Re: CVE Request: Insecure Software Download in pip Donald Stufft (Aug 21)
    - Re: CVE Request: Insecure Software Download in pip Kurt Seifried (Aug 21)