Ubuntu
python-pip package

Unpatched CVEs in 12.04

Bug #1418592 reported by Steven Maude
270
This bug affects 5 people
Affects Status Importance Assigned to Milestone
python-pip (Ubuntu)
Expired
Undecided
Unassigned

Bug Description

Reading https://pip.pypa.io/en/latest/news.html it seems that the following CVEs are unpatched in the version of python-pip available for 12.04: CVE-2013-1629, CVE-2013-1888, CVE-2013-5123. (CVE-2014-8991 pertains to pip 1.3 to 1.5.6.)

In particular, CVE-2013-1629 is a worry. Unpatched pip retrieves code insecurely from PyPI and without package verification, so is susceptible to man-in-the-middle attacks (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1629).

This was fixed in February 2013 (https://github.com/pypa/pip/pull/791/files) but is still unpatched in 12.04; last update for the current version was December 2011.

Steven Maude (stevenmaude)
information type: Private Security → Public Security
Revision history for this message
Seth Arnold (seth-arnold) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in python-pip (Ubuntu):
status: New → Incomplete
Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for python-pip (Ubuntu) because there has been no activity for 60 days.]

Changed in python-pip (Ubuntu):
status: Incomplete → Expired
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Duplicates of this bug

Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.