From ${URL} : The way certificate check was implemented to fix CVE-2013-2073 was incorrect (check was done on "probe" connection, but not the actual connection used to transfer data). This should now be fixed in 0.10 (I can't confirm atm), which switches to use urllib3 with proper certificate checks. https://github.com/transifex/transifex-client/issues/42 https://github.com/transifex/transifex-client/commit/6d69d61 @maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
CVE-2013-7110 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7110): Transifex command-line client before 0.10 does not validate X.509 certificates for data transfer connections, which allows man-in-the-middle attackers to spoof a Transifex server via an arbitrary certificate. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-2073.
GLSA vote: no.
GLSA vote: no. Closing as [noglsa]
