Bugzilla – Bug 864406
VUL-1: CVE-2013-5123: python-pip: Insecure Software Download
Last modified: 2022-11-17 14:47:20 UTC
CVE-2013-5123 The mirroring support (-M, --use-mirrors) was implemented without any sort of authenticity checks and is downloaded over plaintext HTTP. Furthermore, by default it will dynamically discover the list of available mirrors by querying a DNS entry and extrapolating from that data. It does not attempt to use any sort of method of securing this querying of the DNS like DNSSEC. Software packages are downloaded over these insecure links, unpacked, and then typically the setup.py python file inside of them is executed.
References:
http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-5123.html
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5123
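To make the weak configuration described above concrete, here is an added example (not code from this bug report, from pip, or from the SUSE packaging) that audits a pip config for the two conditions the CVE describes: mirror usage and plaintext index or mirror URLs. The pip.conf contents are constructed for illustration; the option names follow pip's command-line flags of that era (`index-url`, `extra-index-url`, `use-mirrors`, `mirrors`) and their config-file spelling is an assumption.

```python
"""Audit a pip.conf for the weaknesses behind CVE-2013-5123.

Added example; the configuration text below is constructed, not taken
from any real system.
"""
import configparser
from urllib.parse import urlsplit

# Constructed sample with the weak settings the bug report describes.
WEAK_PIP_CONF = """
[global]
index-url = http://pypi.example.org/simple
extra-index-url = https://internal.example.org/simple
use-mirrors = true
mirrors = http://mirror-a.example.org http://mirror-b.example.org
"""

# The same configuration hardened: one HTTPS index, no mirror discovery.
HARDENED_PIP_CONF = """
[global]
index-url = https://pypi.example.org/simple
"""

URL_KEYS = ("index-url", "extra-index-url", "mirrors")


def audit_pip_conf(text):
    """Return a list of findings (strings); an empty list means nothing flagged."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    findings = []
    if not cfg.has_section("global"):
        return findings
    section = cfg["global"]
    # Mirror support fetched packages with no authenticity check at all,
    # and the mirror list itself came from an unauthenticated DNS lookup.
    if section.get("use-mirrors", "false").strip().lower() in ("true", "1", "yes"):
        findings.append("use-mirrors enabled: mirrors discovered via DNS, no authenticity checks")
    # Any plaintext index or mirror URL lets an on-path party replace the package.
    for key in URL_KEYS:
        for url in section.get(key, "").split():
            if urlsplit(url).scheme != "https":
                findings.append(f"{key}: {url} is not HTTPS")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_PIP_CONF), ("hardened", HARDENED_PIP_CONF)):
        print(name, audit_pip_conf(conf) or ["ok"])
```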
bugbot adjusting priority
Affected packages:
SLE-11-SP3: python-pip
SLE-11-SP3-PRODUCTS: python-pip
reassign to opensuse maintainer as Sascha left
Hi Matej, we are still missing the submission for SUSE:SLE-11-SP3:Update:Teradata/python-pip. Could you provide it?
Patch is from https://github.com/pypa/pip/pull/1098
Submitted at https://build.suse.de/request/show/273158
Thank you, we can now close this bug.
Ricardo is right, I would suggest WONTFIX for this on SUSE:SLE-11-SP3:Update:Teradata/python-pip.
Yes, the system python 2 stack is not TLS 1.2 capable on SLE11. So no need to fix it I would say.
Done.