Re: CVE Request: Insecure Software Download in pip

[Donald Stufft <donald () stufft io>]

On Aug 21, 2013, at 4:19 PM, Kurt Seifried <kseifried () redhat com> wrote:

> Signed PGP part
> On 08/07/2013 11:23 AM, Donald Stufft wrote:
> > On Jul 31, 2013, at 4:11 AM, Kurt Seifried <kseifried () redhat com 
> > <mailto:kseifried () redhat com>> wrote:
> >
> > > Ok I have no info on that CVE, is it embargoed? I can't find it
> > > in google after a quick search. I need to see that one before I
> > > can assign anything. As for the reserved thing:
> >
> > This CVE has been fixed, and it is for the issue where pip prior to
> > 1.3 did not download from the central repository using TLS
> >
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1629
> >
> > So back to the question of mirroring, possible to get a CVE for
> > that now? :)
> >
> > ----------------- Donald Stufft PGP: 0x6E3CBCE93372DCFA // 7C6B
> > 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
>
> Ack sorry catching up. Please use CVE-2013-4266  for the insecure
> mirroring stuff. Can you post the Python bug URL for this again? thanks.
>
> - -- 
> Kurt Seifried Red Hat Security Response Team (SRT)
> PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

@Kurt can you reject CVE-2013-4266,

I had assumed you weren't going to assign one so I contacted cve-assign@mitre and they assigned CVE-2013-5123
-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail