
python-virtualenv: insecure software download

Package(s): python-virtualenv
CVE #(s): CVE-2013-5123
Created: April 22, 2015
Updated: April 22, 2015
Description: From the Red Hat bugzilla:

The mirroring support (-M, --use-mirrors) was implemented without any sort of authenticity checks and is downloaded over plaintext HTTP. Furthermore, by default it will dynamically discover the list of available mirrors by querying a DNS entry and extrapolating from that data. It does not attempt to use any sort of method of securing this querying of the DNS like DNSSEC. Software packages are downloaded over these insecure links, unpacked, and then typically the setup.py python file inside of them is executed.

Alerts:
Mageia MGASA-2015-0180 python-pip 2015-05-03
Fedora FEDORA-2015-6006 python-virtualenv 2015-04-21
Fedora FEDORA-2015-5974 python-virtualenv 2015-04-21



Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds