*** This bug is a security vulnerability ***

Public security bug reported:

Reading https://pip.pypa.io/en/latest/news.html it seems that the following CVEs are unpatched in the version of python-pip available for 12.04: CVE-2013-1629, CVE-2013-1888, CVE-2013-5123. (CVE-2014-8991 pertains to pip 1.3 to 1.5.6.)

In particular, CVE-2013-1629 is a worry. Unpatched pip retrieves code insecurely from PyPI and without package verification, so is susceptible to man-in-the-middle attacks (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1629). This was fixed in February 2013 (https://github.com/pypa/pip/pull/791/files) but is still unpatched in 12.04; last update for the current version was December 2011.

** Affects: python-pip (Ubuntu)
     Importance: Undecided
         Status: New

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1418592

Title:
  Unpatched CVEs in 12.04

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-pip/+bug/1418592/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
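A quick way to check whether a given pip (the one in 12.04 or any other) falls inside the affected ranges above, as an added example that is not part of the bug report or of pip itself: the CVE-2014-8991 range comes from the report, while the fixed-in versions for the three 2013 CVEs are my reading of the pip changelog and are marked as assumptions in the code.

```python
import re
import sys

# Advisory table: (CVE id, first affected version, first fixed version).
# CVE-2014-8991's range (pip 1.3 to 1.5.6) is taken from the bug report.
# The fixed-in versions for the three 2013 CVEs are ASSUMPTIONS read from the
# pip changelog (https://pip.pypa.io/en/latest/news.html), not from the report.
ADVISORIES = [
    ("CVE-2013-1629", "0", "1.3"),      # no TLS / package verification (MITM)
    ("CVE-2013-1888", "0", "1.3"),      # insecure temporary file handling
    ("CVE-2013-5123", "0", "1.5"),      # insecure mirror (--use-mirrors) handling
    ("CVE-2014-8991", "1.3", "1.5.7"),  # affects 1.3 .. 1.5.6 inclusive
]

def parse_version(text):
    """Turn '1.5.6' (or a Debian-style '1.0-1build1') into a comparable int tuple."""
    core = re.match(r"\d+(\.\d+)*", text.strip())
    if not core:
        raise ValueError("unrecognised version: %r" % text)
    return tuple(int(part) for part in core.group(0).split("."))

def in_range(version, first_affected, first_fixed):
    """True when first_affected <= version < first_fixed (tuple comparison)."""
    v = parse_version(version)
    return parse_version(first_affected) <= v < parse_version(first_fixed)

def unpatched_cves(version):
    """Return the CVE ids from the table that apply to the given pip version."""
    return [cve for cve, lo, hi in ADVISORIES if in_range(version, lo, hi)]

def installed_pip_version():
    """Best-effort lookup of the running interpreter's pip; None if not importable."""
    try:
        import pip
        return getattr(pip, "__version__", None)
    except ImportError:
        return None

if __name__ == "__main__":
    # Usage: python check_pip_cves.py [VERSION]; defaults to the installed pip.
    target = sys.argv[1] if len(sys.argv) > 1 else installed_pip_version()
    if target is None:
        sys.exit("pip not importable; pass a version on the command line")
    hits = unpatched_cves(target)
    print("pip %s: %s" % (target, ", ".join(hits) if hits else "none of the listed CVEs apply"))
```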
