Shipped distutils enforces insecure uploads to PyPI
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
python-defaults (Ubuntu) | Confirmed | Undecided | Unassigned |
Bug Description
The `distutils` module, which comes with the Python distribution, provides a way for people to upload their Python packages to the PyPI catalog. The URL shipped with distutils uses the insecure HTTP access method, which allows harvesting PyPI passwords through sniffing over insecure networks (such as public WiFi spots) to be used for malicious uploads.
Changing the URL to the HTTPS scheme will enable encryption and will protect PyPI from passive attacks. Checking HTTPS certificates to protect from active MITM attacks is not in the scope of this issue.
The CVE number for this issue is assigned, but not disclosed - http://
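As an added example (not part of this bug report or of distutils itself), the following check resolves the upload targets a `.pypirc` file would give distutils, using the two formats distutils reads (`[distutils]` with `index-servers`, or the legacy `[server-login]` section), and flags every target whose scheme is not `https`, i.e. where the basic-auth username and password would cross the network in the clear. The default URL, the sample `.pypirc` contents and the user names are constructed fixtures.

```python
import configparser
from urllib.parse import urlsplit

# Pre-fix distutils default from the bug's era; constructed fixture for this check.
DEFAULT_REPOSITORY = "http://pypi.python.org/pypi"

# Constructed .pypirc: [pypi] has no explicit repository, so distutils falls
# back to the default URL; [internal] points at an HTTPS endpoint.
SAMPLE_PYPIRC = """
[distutils]
index-servers =
    pypi
    internal

[pypi]
username: alice
password: not-a-real-password

[internal]
repository: https://pypi.example.invalid/simple
username: alice
password: not-a-real-password
"""

# Constructed legacy-format .pypirc with an HTTPS repository.
LEGACY_PYPIRC = """
[server-login]
repository = https://pypi.example.invalid/
username = bob
password = not-a-real-password
"""


def configured_repositories(pypirc_text):
    """Return the (server name, upload URL) pairs distutils would use."""
    cfg = configparser.ConfigParser()
    cfg.read_string(pypirc_text)
    if cfg.has_section("distutils"):
        names = cfg.get("distutils", "index-servers", fallback="").split()
    elif cfg.has_section("server-login"):
        names = ["server-login"]
    else:
        # No usable .pypirc: distutils uploads to its built-in default URL.
        return [("(default)", DEFAULT_REPOSITORY)]
    # A server section without 'repository' also falls back to the default.
    return [(n, cfg.get(n, "repository", fallback=DEFAULT_REPOSITORY)) for n in names]


def insecure_repositories(pypirc_text):
    """Targets whose scheme is not https: credentials would be sent in clear text."""
    return [(n, u) for n, u in configured_repositories(pypirc_text)
            if urlsplit(u).scheme.lower() != "https"]


if __name__ == "__main__":
    for name, url in insecure_repositories(SAMPLE_PYPIRC):
        print("insecure upload target %r -> %s" % (name, url))
```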
ProblemType: Bug
DistroRelease: Ubuntu 13.04
Package: python 2.7.4-0ubuntu1
ProcVersionSign
Uname: Linux 3.8.0-23-generic i686
NonfreeKernelMo
ApportVersion: 2.9.2-0ubuntu8.1
Architecture: i386
Date: Sun Jun 9 00:18:41 2013
InstallationDate: Installed on 2012-03-12 (453 days ago)
InstallationMedia: Ubuntu 12.04 LTS "Precise Pangolin" - Beta i386 (20120301)
MarkForUpload: True
SourcePackage: python-defaults
UpgradeStatus: Upgraded to raring on 2013-04-20 (49 days ago)
CVE References
Changed in python-defaults (Ubuntu):
status: New → Confirmed