CVE-2013-1629: Man in the middle possibility

Debian Bug report logs - #710163

Reported by: Micah Anderson <micah@debian.org>

Date: Tue, 28 May 2013 16:57:06 UTC

Severity: serious

Tags: security

Found in version python-pip/1.1-3

Fixed in version python-pip/1.3.1-1

Done: Stefano Rivera <stefanor@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#710163; Package python-pip. (Tue, 28 May 2013 16:57:10 GMT)


Acknowledgement sent to Micah Anderson <micah@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Tue, 28 May 2013 16:57:10 GMT)


Message #5 received at submit@bugs.debian.org:

From: Micah Anderson <micah@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2013-1629: Man in the middle possibility
Date: Tue, 28 May 2013 12:56:17 -0400
Package: python-pip
Version: 1.1-3
Severity: serious
Tags: security
Justification: security

Hello,

It appears as if python-pip in Debian (all versions supported) suffers
from CVE-2013-1629. This CVE appears to still be "reserved", but is
clearly described in a few places on the internet[0],[1].

A new version uploaded to sid would solve this problem there, but to
backport these issues to wheezy and squeeze may be a bit difficult.

Thanks,
micah


0. http://www.reddit.com/r/Python/comments/17rfh7/warning_dont_use_pip_in_an_untrusted_network_a/
1. https://github.com/TheTorProject/ooni-backend/pull/1#discussion_r4084881

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.8-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages python-pip depends on:
ii  python                2.7.3-5
ii  python-pkg-resources  0.6.37-1
ii  python-setuptools     0.6.37-1
ii  python2.6             2.6.8-2

Versions of packages python-pip recommends:
ii  build-essential  11.6
pn  python-dev-all   <none>

python-pip suggests no packages.

-- no debconf information



Added tag(s) pending. Request was from stefanor@users.alioth.debian.org to control@bugs.debian.org. (Sun, 02 Jun 2013 11:03:23 GMT)


Reply sent to Stefano Rivera <stefanor@debian.org>:
You have taken responsibility. (Tue, 25 Jun 2013 22:21:26 GMT)


Notification sent to Micah Anderson <micah@debian.org>:
Bug acknowledged by developer. (Tue, 25 Jun 2013 22:21:26 GMT)


Message #12 received at 710163-close@bugs.debian.org:

From: Stefano Rivera <stefanor@debian.org>
To: 710163-close@bugs.debian.org
Subject: Bug#710163: fixed in python-pip 1.3.1-1
Date: Tue, 25 Jun 2013 22:19:36 +0000
Source: python-pip
Source-Version: 1.3.1-1

We believe that the bug you reported is fixed in the latest version of
python-pip, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 710163@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefano Rivera <stefanor@debian.org> (supplier of updated python-pip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 25 Jun 2013 23:43:45 +0200
Source: python-pip
Binary: python-pip python3-pip
Architecture: source all
Version: 1.3.1-1
Distribution: unstable
Urgency: low
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Stefano Rivera <stefanor@debian.org>
Description: 
 python-pip - alternative Python package installer
 python3-pip - alternative Python package installer - Python 3 version of the pa
Closes: 679196 680150 692384 710134 710163
Changes: 
 python-pip (1.3.1-1) unstable; urgency=low
 .
   [ Stefano Rivera ]
   * Team upload.
   * New upstream release.
     - pip now performs SSL certificate validation.
       CVE-2013-1629 (Closes: #710163)
   * Refresh patches.
   * Drop test_urlparse_uses_fragment.patch - superseded upstream.
   * Switch debian/watch to use https.
   * Updated Homepage.
   * Install the upstream changelog (Closes: #710134)
   * debian/copyright:
     - Update authors and years.
     - The pip license is Expat.
     - Reformat as valid machine-readable copyright format 1.0.
     - Add pip/cacert.pem.
   * debian/patches/system-ca-certificates.patch: Use the CA bundle provided by
     ca-certificates.
   * debian/patches/no-python-specific-scripts.patch: Drop pip-X.Y scripts, and
     simply provide pip2 and pip3. (Closes: #679196, #680150)
 .
   [ Jakub Wilk ]
   * Use canonical URIs for Vcs-* fields.
 .
   [ Dmitrijs Ledkovs ]
   * Build depend on python3-all, fixes FTBFS against multiple supported
     python3 versions (Closes: #692384).


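The changelog entry above ("pip now performs SSL certificate validation", with the CA bundle from ca-certificates) and the report in Message #5 describe the same defect from two sides. As an added example, not pip's or the Debian package's own code, the following Python shows the vulnerable client configuration beside the hardened one plus an audit check that tells them apart; the bundle path is the one the ca-certificates package installs and is assumed here as the default.

```python
"""Added example (not pip's or Debian's code): the client-side meaning of
CVE-2013-1629. Before pip 1.3.1 the index was fetched over HTTPS without
certificate validation; 1.3.1-1 validates against the ca-certificates bundle."""
import os
import ssl
import urllib.request

# Bundle installed by Debian's ca-certificates package (assumed default here).
DEBIAN_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"


def unverified_context() -> ssl.SSLContext:
    """Mirrors the vulnerable behaviour: the link is encrypted, but any
    certificate is accepted, so an on-path attacker can present their own."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verified_context(cafile=DEBIAN_CA_BUNDLE) -> ssl.SSLContext:
    """Hardened client: the peer must present a chain to a trusted CA and the
    certificate must match the requested hostname. cafile=None uses the
    interpreter's default trust store; a missing bundle is an error rather
    than a silent fallback to no validation."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    if cafile is not None:
        if not os.path.isfile(cafile):
            raise FileNotFoundError(f"CA bundle not found: {cafile}")
        ctx.load_verify_locations(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_is_safe(ctx: ssl.SSLContext) -> bool:
    """Audit check: True only if chain and hostname validation are both on."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def fetch(url: str, ctx: ssl.SSLContext, timeout: float = 10.0) -> bytes:
    """Fetch a URL (e.g. a package index page) with the given TLS context; with
    verified_context() a forged certificate raises ssl.SSLCertVerificationError."""
    if not url.startswith("https://"):
        raise ValueError("refusing plaintext download of package data")
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.read()
```

Calling fetch() on a real index needs network access; the audit helper and the plaintext refusal work offline.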


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 26 Apr 2015 07:46:22 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:51:57 2019; Machine Name: beach
