| Field | Value |
|---|---|
| Summary | dev-python/restkit: does not properly validate TLS (CVE-2015-2674) |
| Product | Gentoo Security |
| Reporter | Agostino Sarubbo <ago> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | minor |
| CC | dev-zero, maintainer-needed, mgorny, python, treecleaner |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | http://www.openwall.com/lists/oss-security/2015/03/12/9 |
| Whiteboard | B3 [noglsa cve] |
| Package list | |
| Runtime testing required | --- |
| Deadline | 2020-06-17 |
Description (Agostino Sarubbo, 2015-03-23 14:09:47 UTC)
From: https://security-tracker.debian.org/tracker/CVE-2015-2674

Bug still open and no sign from upstream. There are only 2 packages left which require restkit for testing on Python 2:

- dev-python/wsgiproxy2
- dev-python/pyquery

of which both projects actually dropped restkit usage some releases ago and the deps seem to be only a leftover now. My plan would be to:

1. version bump wsgiproxy2 to 0.4.5 without the restkit dep and stabilize in 30 days, drop old versions
2. rev-bump of pyquery and stabilize in 30 days, drop old versions
3. last-rite restkit

Since deps on restkit in wsgiproxy2 and pyquery are actually leftovers and unused, we could also drop them without rev-bump. CC'ing Python team for decision.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d4fce0fe207f668359330bc6471b4edcc9bf65e3

commit d4fce0fe207f668359330bc6471b4edcc9bf65e3
Author: Aaron Bauman <bman@gentoo.org>
AuthorDate: 2019-08-17 17:23:16 +0000
Commit: Aaron Bauman <bman@gentoo.org>
CommitDate: 2019-08-17 17:23:44 +0000

    profiles/package.mask: mask dev-python/restkit

    Bug: https://bugs.gentoo.org/544228
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 profiles/package.mask | 5 +++++
 1 file changed, 5 insertions(+)

Reverted due to being a test dep for a couple of packages.

This package is now maintainer-needed.

Does this still have any revdeps? It seems not to me.

If that's the case, can we kill this?

(In reply to Sam James (sec padawan) from comment #6)
> Does this still have any revdeps? It seems not to me.
>
> If that's the case, can we kill this?

Yes, unfortunately, it does have some packages which depend on it for tests.

 * These packages depend on dev-python/restkit:
dev-python/pyquery-1.4.1 (python_targets_python2_7 ? dev-python/restkit[python_targets_python2_7(-)?,-python_single_target_python2_7(-)])
dev-python/wsgiproxy2-0.4.6 (python_targets_python2_7 ? dev-python/restkit[python_targets_python2_7(-)?,-python_single_target_python2_7(-)])

Ok, it turns out that all revdeps have dropped restkit support before the current Gentoo versions, and nobody updated the deps in the ebuilds.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=288b4f318d94fe1a7c553a575afa5ba4b47739b4

commit 288b4f318d94fe1a7c553a575afa5ba4b47739b4
Author: Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-05-18 10:55:12 +0000
Commit: Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-05-18 10:57:05 +0000

    package.mask: Last rite dev-python/restkit

    Bug: https://bugs.gentoo.org/544228
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 profiles/package.mask | 6 ++++++
 1 file changed, 6 insertions(+)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=157b2f4a82f1caa549c77eb070a1f2eae0c69811

commit 157b2f4a82f1caa549c77eb070a1f2eae0c69811
Author: Aaron Bauman <bman@gentoo.org>
AuthorDate: 2020-06-20 04:48:01 +0000
Commit: Aaron Bauman <bman@gentoo.org>
CommitDate: 2020-06-20 04:48:01 +0000

    dev-python/restkit: drop last-rited pkg

    Bug: https://bugs.gentoo.org/544228
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 dev-python/restkit/Manifest             |  1 -
 dev-python/restkit/files/setup.patch    | 23 --------------
 dev-python/restkit/metadata.xml         | 12 -------
 dev-python/restkit/restkit-4.2.2.ebuild | 55 ---------------------------------
 profiles/package.mask                   |  6 ----
 5 files changed, 97 deletions(-)