List:       oss-security
Subject:    Re: [oss-security] CVE Request: Insecure Software Download in pip
From:       Donald Stufft <donald () stufft ! io>
Date:       2013-07-31 9:11:41
Message-ID: F309E96C-9148-49FD-A2BF-4FD7460F9D6C () stufft ! io

On Jul 31, 2013, at 4:33 AM, Raphael Geissert <geissert@debian.org> wrote:

> On 31 July 2013 10:11, Kurt Seifried <kseifried@redhat.com> wrote:
> > On 07/30/2013 12:44 PM, Donald Stufft wrote:
> > > There was a CVE for pip not verifying TLS,
> > > https://access.redhat.com/security/cve/CVE-2013-1629 However that
> > > says it was RESERVED so I'm not sure how to make that unreserved?
> > > I've not done much with requesting CVEs before.
> > 
> > Ok I have no info on that CVE, is it embargoed? I can't find it in
> > google after a quick search. I need to see that one before I can
> > assign anything.
> 
> From the bugzilla info: "source=debian", and looking at our tracker:
> https://security-tracker.debian.org/tracker/CVE-2013-1629 points to:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=710163
> 
> I don't know who assigned the id, however.
> 
> Cheers,
> -- 
> Raphael Geissert - Debian Developer
> www.debian.org - get.debian.net

Ha, Awesome. This CVE is some sort of ghost ;)

Debian bug links to https://security-tracker.debian.org/tracker/CVE-2013-1629

Which links to.. This conversation in oss-sec, NVD which says it doesn't exist, The RedHat Bugzilla, Gentoo which says it doesn't exist, Ubuntu which says it does but doesn't give any more info other than linking to the page on Mitre that just says the reserved bit.

A google search turns up http://www.reddit.com/r/Python/comments/17rfh7/warning_dont_use_pip_in_an_untrusted_network_a/c8ay4xt but it's unclear if that person requested the CVE or not.

So uh how do we figure it out? Can I as a pip developer contact Mitre and release data for it?

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
