Bug 544228 (CVE-2015-2674) - dev-python/restkit: does not properly validate TLS
Summary: dev-python/restkit: does not properly validate TLS
Alias: CVE-2015-2674
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [upstream]
Reported: 2015-03-23 14:09 UTC by Agostino Sarubbo
Modified: 2019-08-17 20:02 UTC

Description Agostino Sarubbo gentoo-dev 2015-03-23 14:09:47 UTC
From ${URL} :

Python's Restkit[1][2][3][4] does not properly validate TLS
(see It appears to simply use
ssl.wrap_socket from the standard library, which does not do any validation
by default. This can be verified by doing:

    >>> from restkit import request
    >>> r = request("")
    >>> r.body_string()

Can a CVE be assigned for this?


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Christopher Díaz Riveros gentoo-dev Security 2017-07-06 18:19:14 UTC

bug still open and no sign from upstream
Comment 2 Tiziano Müller gentoo-dev 2018-11-27 13:09:29 UTC
there are only 2 packages left which require restkit for testing on Python 2:


of which both projects actually dropped restkit usage some releases ago and the deps seem to be only a leftover now.

My plan would be to:

1. version bump wsgiproxy2 to 0.4.5 without the restkit dep and stabilize in 30 days, drop old versions
2. rev-bump of pyquery and stabilize in 30 days, drop old versions
3. last-rite restkit

since deps on restkit in wsgiproxy2 and pyquery are actually leftovers and unused, we could also drop them without rev-bump.
CC'ing Python team for decision
Comment 3 Larry the Git Cow gentoo-dev 2019-08-17 17:23:52 UTC
The bug has been referenced in the following commit(s):

commit d4fce0fe207f668359330bc6471b4edcc9bf65e3
Author:     Aaron Bauman <>
AuthorDate: 2019-08-17 17:23:16 +0000
Commit:     Aaron Bauman <>
CommitDate: 2019-08-17 17:23:44 +0000

    profiles/package.mask: mask dev-python/restkit
    Signed-off-by: Aaron Bauman <>

 profiles/package.mask | 5 +++++
 1 file changed, 5 insertions(+)
Comment 4 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-08-17 20:02:11 UTC
reverted due to being a test dep for a couple of packages.