oss-sec mailing list archives

Assign a CVE for Python's restkit Please

From: Donald Stufft <donald () stufft io>
Date: Thu, 12 Mar 2015 11:03:32 -0400

Pythons Restskit[1][2][3][4] does not properly validate TLS
(see https://github.com/benoitc/restkit/issues/140). It appears to simply use
ssl.wrap_socket from the standard library, which does not do any validation
by default. This can be verified by doing:

    >>> from restkit import request
    >>> r = request("https://tv.eurosport.com/";)
    >>> r.body_string()
    '<HTML><HEAD>...'

Can a CVE be assigned for this?


[1] https://github.com/benoitc/restkit
[2] https://pypi.python.org/pypi/restkit
[3] http://restkit.readthedocs.org/en/latest/
[4] https://benoitc.github.io/restkit/index.html

---
Donald Stufft
PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail

Current thread:

Assign a CVE for Python's restkit Please Donald Stufft (Mar 12)
- Re: Assign a CVE for Python's restkit Please Donald Stufft (Mar 22)
- Re: Assign a CVE for Python's restkit Please cve-assign (Mar 23)