oss-sec mailing list archives

Re: Assign a CVE for Python's restkit Please

From: Donald Stufft <donald () stufft io>
Date: Sun, 22 Mar 2015 14:26:23 -0400

On Mar 12, 2015, at 11:03 AM, Donald Stufft <donald () stufft io> wrote:

Pythons Restskit[1][2][3][4] does not properly validate TLS
(see https://github.com/benoitc/restkit/issues/140). It appears to simply use
ssl.wrap_socket from the standard library, which does not do any validation
by default. This can be verified by doing:

from restkit import request
r = request("https://tv.eurosport.com/";)
r.body_string()

   '<HTML><HEAD>...'

Can a CVE be assigned for this?


[1] https://github.com/benoitc/restkit
[2] https://pypi.python.org/pypi/restkit
[3] http://restkit.readthedocs.org/en/latest/
[4] https://benoitc.github.io/restkit/index.html

---
Donald Stufft
PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA


Ping?

---
Donald Stufft
PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail

Current thread:

Assign a CVE for Python's restkit Please Donald Stufft (Mar 12)
- Re: Assign a CVE for Python's restkit Please Donald Stufft (Mar 22)
- Re: Assign a CVE for Python's restkit Please cve-assign (Mar 23)