Your message dated Thu, 15 Aug 2013 07:32:55 +0200
with message-id 
<CAMcKhMR43qniwN4CpWkY_Dz=GFOhL0O0c5YDCW+_K2Qbk9=m...@mail.gmail.com>
and subject line 
has caused the Debian Bug report #710164,
regarding CVE-2013-1629: Man in the middle possibility
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
710164: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=710164
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: python-virtualenv
Version: 1.7.1.2-2
Severity: serious
Tags: security
Justification: security

Hello,

It seems as if python-virtualenv embeds a copy of pip[0], and there is
a security issue with python-pip noted as CVE-2013-1629 which affects
squeeze and wheezy (it appears fixed in sid and jessie). This issue
currently is marked as 'reserved' by Mitre, but it is clearly defined
on the internet[1],[2].

Please coordinate with the Debian security team to update this package
as soon as possible to resolve this issue. Please reference this CVE
and bug number in any changelog dealing with this problem.

Micah


0. This is in violation of Debian policy '4.13 Convenience copies of
code' and should be fixed to depend on the version of python-pip in
the archive.

1. http://www.reddit.com/r/Python/comments/17rfh7/warning_dont_use_pip_in_an_untrusted_network_a/
2. https://github.com/TheTorProject/ooni-backend/pull/1#discussion_r4084881

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.8-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

--- End Message ---
--- Begin Message ---
Version: 1.9.1-1

The embedded copy of pip in virtualenv 1.9 and up is new enough that
it contains the fix for this vulnerability.
-- 
mithrandi, i Ainil en-Balandor, a faer Ambar

--- End Message ---
