Bug 864406 (CVE-2013-5123) - VUL-1: CVE-2013-5123: python-pip: Insecure Software Download
Summary: VUL-1: CVE-2013-5123: python-pip: Insecure Software Download
Status: RESOLVED FIXED
Alias: CVE-2013-5123
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P4 - Low : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/96259/
Whiteboard: CVSSv3.1:SUSE:CVE-2013-5123:5.9:(AV:...
Keywords:
Depends on: 1204777
Blocks:
Reported: 2014-02-18 14:08 UTC by Victor Pereira
Modified: 2022-11-17 14:47 UTC (History)
6 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Victor Pereira 2014-02-18 14:08:12 UTC
CVE-2013-5123

The mirroring support (-M, --use-mirrors) was implemented without
any sort of authenticity checks and is downloaded over plaintext
HTTP. Furthermore, by default it will dynamically discover the list of
available mirrors by querying a DNS entry and extrapolating from that
data. It does not attempt to use any sort of method of securing this
querying of the DNS like DNSSEC. Software packages are downloaded over
these insecure links, unpacked, and then typically the setup.py python
file inside of them is executed.

References:
http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-5123.html
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5123
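A defender-side check for the weak settings this report describes, added here as an example and not part of the bug report or of pip itself: it parses a pip.conf (a constructed sample is embedded) and flags the legacy use-mirrors switch and any index or find-links URL that is not HTTPS; it also reports trusted-host entries, which go beyond this CVE but likewise disable transport protection.

```python
"""Audit a pip.conf for the insecure-download settings behind CVE-2013-5123.

Added example, not code from the bug report or from pip. Plaintext HTTP
mirrors and indexes matter because pip unpacks what it fetches and runs
the package's setup.py, so an unauthenticated download is code execution.
"""
import configparser
from urllib.parse import urlsplit

# Constructed sample pip.conf exercising the weak settings (not a real config).
SAMPLE_PIP_CONF = """
[global]
index-url = http://pypi.example.invalid/simple
extra-index-url = https://mirror.example.invalid/simple
                  http://legacy.example.invalid/simple
trusted-host = pypi.example.invalid

[install]
use-mirrors = true
"""

URL_OPTIONS = ("index-url", "extra-index-url", "find-links")
TRUE_VALUES = ("true", "1", "yes", "on")


def audit_pip_conf(text):
    """Return a list of (section, option, reason) findings for insecure settings."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        for option, value in cp.items(section):
            if option == "use-mirrors" and value.strip().lower() in TRUE_VALUES:
                findings.append((section, option, "DNS-discovered plaintext mirrors enabled"))
            elif option in URL_OPTIONS:
                # Continuation lines give several URLs in one value; check each.
                for url in value.split():
                    if urlsplit(url).scheme.lower() != "https":
                        findings.append((section, option, f"non-HTTPS URL: {url}"))
            elif option == "trusted-host":
                findings.append((section, option, f"TLS verification bypassed for {value.strip()}"))
    return findings


if __name__ == "__main__":
    for section, option, reason in audit_pip_conf(SAMPLE_PIP_CONF):
        print(f"[{section}] {option}: {reason}")
```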
Comment 1 Swamp Workflow Management 2014-02-18 23:00:30 UTC
bugbot adjusting priority
Comment 2 SMASH SMASH 2014-02-19 10:25:18 UTC
Affected packages:

SLE-11-SP3: python-pip
SLE-11-SP3-PRODUCTS: python-pip
Comment 4 Marcus Meissner 2014-09-05 09:37:50 UTC
reassign to opensuse maintainer as Sascha left
Comment 5 Gianluca Gabrielli 2022-03-04 17:52:35 UTC
Hi Matej,

we are still missing the submission for SUSE:SLE-11-SP3:Update:Teradata/python-pip. Could you provide it?
Comment 6 Matej Cepl 2022-05-27 14:19:22 UTC
Patch is from https://github.com/pypa/pip/pull/1098
Comment 7 Matej Cepl 2022-08-18 13:57:23 UTC
Submitted at https://build.suse.de/request/show/273158
Comment 8 Gianluca Gabrielli 2022-08-23 07:14:47 UTC
Thank you, we can now close this bug.
Comment 10 Matej Cepl 2022-11-16 23:29:27 UTC
Ricardo is right, I would suggest WONTFIX for this on SUSE:SLE-11-SP3:Update:Teradata/python-pip.
Comment 11 Marcus Meissner 2022-11-17 10:06:52 UTC
yes, the system python 2 stack is not TLS 1.2 capable on SLE11.

so no need to fix it I would say.
Comment 12 Gabriele Sonnu 2022-11-17 14:47:20 UTC
Done.