From ${URL} : Python's Restkit[1][2][3][4] does not properly validate TLS (see https://github.com/benoitc/restkit/issues/140). It appears to simply use ssl.wrap_socket from the standard library, which does not do any validation by default. This can be verified by doing:

    >>> from restkit import request
    >>> r = request("https://tv.eurosport.com/")
    >>> r.body_string()
    '<HTML><HEAD>...'

Can a CVE be assigned for this?

[1] https://github.com/benoitc/restkit
[2] https://pypi.python.org/pypi/restkit
[3] http://restkit.readthedocs.org/en/latest/
[4] https://benoitc.github.io/restkit/index.html

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
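To make the report's point concrete, here is an added example (not restkit's code, nor the reporter's) that builds the validation-free client defaults the old ssl.wrap_socket() handed out beside the stdlib's validating defaults, and audits a context before any connection is attempted. The helper names (legacy_context, hardened_context, audit_context, fetch_status) are assumptions made for this illustration.

```python
from __future__ import annotations

import http.client
import ssl


def legacy_context() -> ssl.SSLContext:
    """Reproduce what ssl.wrap_socket() gave a caller by default: a client
    context that neither requires a peer certificate nor checks the hostname.
    Kept only so the audit below has a failing case to flag."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode is relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(cafile: str | None = None) -> ssl.SSLContext:
    """What an HTTPS client should use: system (or supplied) trust store,
    CERT_REQUIRED and hostname matching, as ssl.create_default_context() sets."""
    return ssl.create_default_context(cafile=cafile)


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the reasons a context would accept an attacker's certificate;
    an empty list means it validates the peer."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: any certificate is accepted")
    if not ctx.check_hostname:
        findings.append("check_hostname is off: a certificate for another host is accepted")
    return findings


def fetch_status(host: str, path: str = "/", ctx: ssl.SSLContext | None = None) -> int:
    """GET `path` from `host` and return the HTTP status, refusing to connect
    at all over a context that fails the audit (the guard restkit lacked)."""
    ctx = hardened_context() if ctx is None else ctx
    problems = audit_context(ctx)
    if problems:
        raise ValueError("refusing to connect: " + "; ".join(problems))
    conn = http.client.HTTPSConnection(host, context=ctx, timeout=10)
    try:
        conn.request("GET", path)
        return conn.getresponse().status
    finally:
        conn.close()


if __name__ == "__main__":
    for name, ctx in (("legacy", legacy_context()), ("hardened", hardened_context())):
        print(name, audit_context(ctx) or "validates peer certificate and hostname")
```

Running the script prints two findings for the legacy context and none for the hardened one; fetch_status raises before opening a socket when handed the legacy context.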
From: https://security-tracker.debian.org/tracker/CVE-2015-2674

bug still open and no sign from upstream
There are only 2 packages left which require restkit for testing on Python 2:

dev-python/wsgiproxy2
dev-python/pyquery

of which both projects actually dropped restkit usage some releases ago and the deps seem to be only a leftover now.

My plan would be to:
1. version bump wsgiproxy2 to 0.4.5 without the restkit dep and stabilize in 30 days, drop old versions
2. rev-bump of pyquery and stabilize in 30 days, drop old versions
3. last-rite restkit

Since deps on restkit in wsgiproxy2 and pyquery are actually leftovers and unused, we could also drop them without rev-bump.

CC'ing Python team for decision
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d4fce0fe207f668359330bc6471b4edcc9bf65e3

commit d4fce0fe207f668359330bc6471b4edcc9bf65e3
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2019-08-17 17:23:16 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2019-08-17 17:23:44 +0000

    profiles/package.mask: mask dev-python/restkit

    Bug: https://bugs.gentoo.org/544228
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 profiles/package.mask | 5 +++++
 1 file changed, 5 insertions(+)
reverted due to being a test dep for a couple of packages.
This package is now maintainer-needed.
Does this still have any revdeps? It seems not to me. If that's the case, can we kill this?
(In reply to Sam James (sec padawan) from comment #6)
> Does this still have any revdeps? It seems not to me.
>
> If that's the case, can we kill this?

Yes, unfortunately, it does have some packages which depend on it for tests.

 * These packages depend on dev-python/restkit:
dev-python/pyquery-1.4.1 (python_targets_python2_7 ? dev-python/restkit[python_targets_python2_7(-)?,-python_single_target_python2_7(-)])
dev-python/wsgiproxy2-0.4.6 (python_targets_python2_7 ? dev-python/restkit[python_targets_python2_7(-)?,-python_single_target_python2_7(-)])
Ok, it turns out that all revdeps have dropped restkit support before the current Gentoo versions, and nobody updated the deps in the ebuilds.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=288b4f318d94fe1a7c553a575afa5ba4b47739b4

commit 288b4f318d94fe1a7c553a575afa5ba4b47739b4
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-05-18 10:55:12 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-05-18 10:57:05 +0000

    package.mask: Last rite dev-python/restkit

    Bug: https://bugs.gentoo.org/544228
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 profiles/package.mask | 6 ++++++
 1 file changed, 6 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=157b2f4a82f1caa549c77eb070a1f2eae0c69811

commit 157b2f4a82f1caa549c77eb070a1f2eae0c69811
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2020-06-20 04:48:01 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2020-06-20 04:48:01 +0000

    dev-python/restkit: drop last-rited pkg

    Bug: https://bugs.gentoo.org/544228
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 dev-python/restkit/Manifest             |  1 -
 dev-python/restkit/files/setup.patch    | 23 --------------
 dev-python/restkit/metadata.xml         | 12 -------
 dev-python/restkit/restkit-4.2.2.ebuild | 55 ---------------------------------
 profiles/package.mask                   |  6 ----
 5 files changed, 97 deletions(-)