Package: python-virtualenv
Version: 1.7.1.2-2
Severity: serious
Tags: security
Justification: security

Hello,

It seems as if python-virtualenv embeds a copy of pip[0], and there is a security issue with python-pip noted as CVE-2013-1629 which affects squeeze and wheezy (it appears fixed in sid and jessie).

This issue currently is marked as 'reserved' by Mitre, but it is clearly defined on the internet[1],[2].

Please coordinate with the debian security team to update this package as soon as possible to resolve this issue. Please reference this CVE and bug number in any changelog dealing with this problem.

Micah

0. This is in violation of debian policy '4.13 Convenience copies of code' and should be fixed to depend on the version of python-pip in the archive.
1. http://www.reddit.com/r/Python/comments/17rfh7/warning_dont_use_pip_in_an_untrusted_network_a/
2. https://github.com/TheTorProject/ooni-backend/pull/1#discussion_r4084881

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.8-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash