
Bug 501752 (CVE-2013-5123)

Summary: <dev-python/pip-7.0.0: insecure software download with mirroring support
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: python
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1066692
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2014-02-19 08:38:49 UTC
From ${URL} :

The mirroring support (-M, --use-mirrors) was implemented without
any sort of authenticity checks and is downloaded over plaintext
HTTP. Furthermore, by default it will dynamically discover the list of
available mirrors by querying a DNS entry and extrapolating from that
data. It does not attempt to use any sort of method of securing this
querying of the DNS like DNSSEC. Software packages are downloaded over
these insecure links, unpacked, and then typically the setup.py Python
file inside of them is executed.

It's a pretty long thread originating here:

http://www.openwall.com/lists/oss-security/2013/08/21/18

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Justin Lecher (RETIRED) gentoo-dev 2015-11-23 10:07:41 UTC
commit 015c1f58eed5da83e9b4602b91fb34f898c8a3a6
Author: Justin Lecher <jlec@gentoo.org>
Date:   Mon Nov 23 10:54:42 2015 +0100

    dev-python/pip: Drop vulnerable versions for CVE-2014-8991 and CVE-2013-5123

    Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=529954
    Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=501752

    Package-Manager: portage-2.2.25
    Signed-off-by: Justin Lecher <jlec@gentoo.org>

    https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=015c1f58eed5da83e9b4602b91fb34f898c8a3a6
Comment 2 Justin Lecher (RETIRED) gentoo-dev 2015-11-23 10:11:41 UTC
@security

Tree is clean again
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2016-07-02 05:12:35 UTC
This issue was fixed in version 1.5:

https://pip.pypa.io/en/latest/news/

1.5 (2014-01-01)

BACKWARD INCOMPATIBLE pip no longer supports the --use-mirrors, -M, and --mirrors flags. The mirroring support has been removed. In order to use a mirror specify it as the primary index with -i or --index-url, or as an additional index with --extra-index-url. (PR #1098, CVE-2013-5123)

GLSA Vote: No
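One way to audit an environment for the options discussed in the description and in the pip 1.5 changelog quoted above, as an added example (not code from pip, Gentoo, or the bug reporter): it scans pip argument lists and pip.conf text for the removed mirror flags and for http:// package sources. The pip.conf key names are assumed to be the long option names without the leading dashes.

```python
"""Audit pip command lines and pip.conf text for the mirror options this bug
describes and for plaintext http:// package sources (constructed example)."""
import configparser
from urllib.parse import urlsplit

# Flags removed in pip 1.5; the changelog says to name an index explicitly instead.
MIRROR_FLAGS = {"--use-mirrors", "-M", "--mirrors"}
# Flags whose value is a URL that packages (and the setup.py they run) come from.
URL_FLAGS = {"-i", "--index-url", "--extra-index-url", "-f", "--find-links"}
# Assumption: pip.conf keys are the long option names without the dashes.
MIRROR_KEYS = {"use-mirrors", "mirrors"}
URL_KEYS = {"index-url", "extra-index-url", "find-links"}


def check_source(url):
    """Flag a package source fetched over plaintext HTTP (no transport integrity)."""
    if urlsplit(url).scheme.lower() == "http":
        return f"plaintext source {url}: packages can be altered in transit"
    return None


def audit_args(argv):
    """Return findings for one pip argument list (e.g. from shlex.split)."""
    findings, i = [], 0
    while i < len(argv):
        name, has_eq, inline = argv[i].partition("=")
        if name in MIRROR_FLAGS:
            findings.append(f"{name}: mirrors are found via unauthenticated DNS and "
                            "fetched over HTTP without authenticity checks")
            i += 0 if has_eq or name != "--mirrors" else 1  # --mirrors takes a value
        elif name in URL_FLAGS:
            value = inline if has_eq else (argv[i + 1] if i + 1 < len(argv) else "")
            i += 0 if has_eq else 1  # consume the separate value token
            finding = check_source(value)
            if finding:
                findings.append(finding)
        i += 1
    return findings


def audit_pip_conf(text):
    """Return findings for the same settings given in pip.conf form."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        for key, value in cp.items(section):
            if key in MIRROR_KEYS:
                findings.append(f"[{section}] {key}: mirror support has no authenticity checks")
            elif key in URL_KEYS:  # multi-line values hold one URL per line
                findings.extend(f for f in map(check_source, value.split()) if f)
    return findings
```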