Unpatched CVEs in 12.04

Bug #1418592 reported by Steven Maude on 2015-02-05
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
python-pip (Ubuntu)
Undecided
Unassigned

Bug Description

Reading https://pip.pypa.io/en/latest/news.html it seems that the following CVEs are unpatched in the version of python-pip available for 12.04: CVE-2013-1629, CVE-2013-1888, CVE-2013-5123. (CVE-2014-8991 pertains to pip 1.3 to 1.5.6.)

In particular, CVE-2013-1629 is a worry. Unpatched pip retrieves code insecurely from PyPI and without package verification, so is susceptible to man-in-the-middle attacks (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1629).

This was fixed in February 2013 (https://github.com/pypa/pip/pull/791/files) but is still unpatched in 12.04; last update for the current version was December 2011.

information type: Private Security → Public Security
Seth Arnold (seth-arnold) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in python-pip (Ubuntu):
status: New → Incomplete
Launchpad Janitor (janitor) wrote :

[Expired for python-pip (Ubuntu) because there has been no activity for 60 days.]

Changed in python-pip (Ubuntu):
status: Incomplete → Expired
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers