[Python-modules-team] Bug#710164: CVE-2013-1629: Man in the middle possibility

Micah Anderson micah at debian.org
Tue May 28 17:02:00 UTC 2013


Package: python-virtualenv
Version: 1.7.1.2-2
Severity: serious
Tags: security
Justification: security

Hello,

It seems as if python-virtualenv embeds a copy of pip[0], and there is
a security issue with python-pip noted as CVE-2013-1629 which affects
squeeze and wheezy (it appears fixed in sid and jessie). This issue
is currently marked as 'reserved' by MITRE, but it is clearly described
on the internet[1],[2].

Please coordinate with the Debian security team to update this package
as soon as possible to resolve this issue. Please reference this CVE
and bug number in any changelog dealing with this problem.

Micah


0. This is in violation of Debian Policy '4.13 Convenience copies of
code' and should be fixed to depend on the version of python-pip in
the archive.

1. http://www.reddit.com/r/Python/comments/17rfh7/warning_dont_use_pip_in_an_untrusted_network_a/
2. https://github.com/TheTorProject/ooni-backend/pull/1#discussion_r4084881

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.8-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
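A quick audit for the embedded-copy problem raised in this report, added here as an example and not part of the bug report or of the virtualenv package itself. It locates the pip sdist that a virtualenv installation bundles and compares its version against the first release that verifies PyPI's TLS certificate. Two assumptions are made: that the bundled tarballs live under a `virtualenv_support/` directory (the layout of the 1.7.x series, adjust if yours differs), and that pip 1.3 is the threshold, which is taken from the CVE-2013-1629 description rather than from this report. The fixture directory is constructed in a temp dir so the script runs offline.

```python
"""Find the pip tarball embedded in a virtualenv install and flag it if it
predates the SSL-verifying releases (CVE-2013-1629)."""
import os
import re
import tempfile

# Assumption: virtualenv 1.7.x keeps its bundled pip/setuptools sdists here.
SUPPORT_DIR = "virtualenv_support"

# Assumption: pip 1.3 is the first release that validates PyPI's certificate;
# this threshold comes from the CVE description, not from the bug report.
FIXED_VERSION = (1, 3)

# Matches e.g. "pip-1.1.tar.gz" and captures the dotted version.
PIP_TARBALL = re.compile(r"^pip-(\d+(?:\.\d+)*)\.tar\.gz$")


def parse_version(text):
    """'1.3.1' -> (1, 3, 1); tuples compare component-wise like versions."""
    return tuple(int(part) for part in text.split("."))


def find_embedded_pip(virtualenv_dir):
    """Return (filename, version_tuple) for the bundled pip sdist, or None
    if the support directory or the tarball is absent."""
    support = os.path.join(virtualenv_dir, SUPPORT_DIR)
    if not os.path.isdir(support):
        return None
    for name in sorted(os.listdir(support)):
        match = PIP_TARBALL.match(name)
        if match:
            return name, parse_version(match.group(1))
    return None


def is_vulnerable(version):
    """True when the embedded pip predates certificate verification."""
    return version < FIXED_VERSION


def make_fake_virtualenv(pip_filename):
    """Constructed fixture: a temp dir mimicking an installed virtualenv
    with a single (empty) pip tarball under virtualenv_support/."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, SUPPORT_DIR))
    open(os.path.join(root, SUPPORT_DIR, pip_filename), "wb").close()
    return root


def audit(virtualenv_dir):
    """Human-readable verdict for one install directory."""
    found = find_embedded_pip(virtualenv_dir)
    if found is None:
        return "no embedded pip tarball found under %s" % virtualenv_dir
    name, version = found
    status = "VULNERABLE (< %s)" % ".".join(map(str, FIXED_VERSION)) \
        if is_vulnerable(version) else "ok"
    return "%s: %s" % (name, status)


if __name__ == "__main__":
    # Constructed example resembling the 1.7.1.2 package, which bundled pip-1.1.
    print(audit(make_fake_virtualenv("pip-1.1.tar.gz")))
    # Point it at the real install instead, e.g.:
    # print(audit("/usr/lib/python2.7/dist-packages"))
```

Run it against the directory that holds the installed `virtualenv.py`; on a patched package the bundled tarball should report `ok`, or better, be absent entirely once the package depends on the archive's python-pip as the report requests.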


