[Secure-testing-team] Bug#710163: CVE-2013-1629: Man in the middle possibility

Micah Anderson micah at debian.org
Tue May 28 16:56:17 UTC 2013


Package: python-pip
Version: 1.1-3
Severity: serious
Tags: security
Justification: security

Hello,

It appears as if python-pip in Debian (all versions supported) suffers
from CVE-2013-1629. This CVE appears to still be "reserved", but is
clearly described in a few places on the internet [0], [1].

A new version uploaded to sid would solve this problem there, but to
backport these issues to wheezy and squeeze may be a bit difficult.

Thanks,
micah


0. http://www.reddit.com/r/Python/comments/17rfh7/warning_dont_use_pip_in_an_untrusted_network_a/
1. https://github.com/TheTorProject/ooni-backend/pull/1#discussion_r4084881

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.8-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages python-pip depends on:
ii  python                2.7.3-5
ii  python-pkg-resources  0.6.37-1
ii  python-setuptools     0.6.37-1
ii  python2.6             2.6.8-2

Versions of packages python-pip recommends:
ii  build-essential  11.6
pn  python-dev-all   <none>

python-pip suggests no packages.

-- no debconf information
