[Bug 1189042] Re: Shipped distutils enforces insecure uploads to PyPI
Marc Deslauriers
marc.deslauriers at canonical.com
Wed Jun 12 18:15:49 UTC 2013
** Changed in: python-defaults (Ubuntu)
Status: New => Confirmed
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to python-defaults in Ubuntu.
https://bugs.launchpad.net/bugs/1189042
Title:
Shipped distutils enforces insecure uploads to PyPI
Status in “python-defaults” package in Ubuntu:
Confirmed
Bug description:
The `distutils` module which comes with the Python distribution provides a way for people to upload their Python packages to the PyPI catalog. The URL shipped with distutils uses the insecure HTTP access method, which allows harvesting PyPI passwords through sniffing
over insecure networks (such as public WiFi spots) to be used for malicious uploads.
Changing URL to HTTPS scheme will enable encryption and will protect
PyPI from passive attacks. Checking HTTPS certificates to protect from
active MITM attack is not the scope of this issue.
A CVE number for this issue has been assigned, but not disclosed -
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1754 - and it has
been open for way too long - http://bugs.python.org/issue12226 - the fix
for the issue is available, the patch is working and should be applied in
Ubuntu.
ProblemType: Bug
DistroRelease: Ubuntu 13.04
Package: python 2.7.4-0ubuntu1
ProcVersionSignature: Ubuntu 3.8.0-23.34-generic 3.8.11
Uname: Linux 3.8.0-23-generic i686
NonfreeKernelModules: nvidia
ApportVersion: 2.9.2-0ubuntu8.1
Architecture: i386
Date: Sun Jun 9 00:18:41 2013
InstallationDate: Installed on 2012-03-12 (453 days ago)
InstallationMedia: Ubuntu 12.04 LTS "Precise Pangolin" - Beta i386 (20120301)
MarkForUpload: True
SourcePackage: python-defaults
UpgradeStatus: Upgraded to raring on 2013-04-20 (49 days ago)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-defaults/+bug/1189042/+subscriptions
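The report above concerns the default upload endpoint compiled into distutils. As an added example, not part of the bug report, of distutils, or of the Ubuntu package, the Python script below audits a `.pypirc`-style configuration for index servers whose upload URL is not HTTPS (including servers that silently inherit the `http://` default quoted in the report) and produces a copy with the scheme corrected. The sample configuration, its section names and its credentials are constructed for the demonstration; the insecure default URL is the one named in the report.

```python
"""Audit a distutils-style .pypirc for plaintext (http://) upload endpoints."""
import configparser
import io
from urllib.parse import urlsplit, urlunsplit

# The insecure default shipped by distutils at the time of the report
# (http:// scheme, so credentials cross the network unencrypted).
INSECURE_DEFAULT_REPOSITORY = "http://pypi.python.org/pypi"

# Constructed sample ~/.pypirc: section names and credentials are made up.
SAMPLE_PYPIRC = """\
[distutils]
index-servers =
    pypi
    internal

[pypi]
repository: http://pypi.python.org/pypi
username: example-user
password: example-secret

[internal]
repository: https://pypi.internal.example/simple
username: ci
password: example-secret
"""


def _parse(pypirc_text):
    # interpolation=None so '%' characters in passwords are not mangled
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(pypirc_text)
    return parser


def repository_urls(pypirc_text):
    """Return {server_name: upload_url} for every configured index server.

    A server with no explicit 'repository' key (or no section at all) falls
    back to the distutils default, which is exactly the URL the bug is about.
    """
    parser = _parse(pypirc_text)
    servers = parser.get("distutils", "index-servers", fallback="pypi").split()
    urls = {}
    for name in servers:
        if parser.has_section(name):
            urls[name] = parser.get(name, "repository",
                                    fallback=INSECURE_DEFAULT_REPOSITORY)
        else:
            urls[name] = INSECURE_DEFAULT_REPOSITORY
    return urls


def insecure_servers(pypirc_text):
    """Names of index servers whose upload URL is not https://."""
    return sorted(name for name, url in repository_urls(pypirc_text).items()
                  if urlsplit(url).scheme != "https")


def harden(pypirc_text):
    """Return a copy of the config with every http:// upload URL made https://.

    Only the scheme changes; host and path are preserved. Servers that relied
    on the built-in default get an explicit https repository line so the
    insecure default is no longer consulted. Note this fixes the scheme only;
    certificate verification is a separate concern, as the report says.
    """
    parser = _parse(pypirc_text)
    for name, url in repository_urls(pypirc_text).items():
        parts = urlsplit(url)
        if parts.scheme == "http":
            if not parser.has_section(name):
                parser.add_section(name)
            parser.set(name, "repository",
                       urlunsplit(("https",) + tuple(parts[1:])))
    out = io.StringIO()
    parser.write(out)
    return out.getvalue()


if __name__ == "__main__":
    print("insecure servers:", insecure_servers(SAMPLE_PYPIRC))
    print(harden(SAMPLE_PYPIRC))
```

Running the script on the constructed sample reports `pypi` as the only insecure server and emits a configuration in which its repository line reads `https://pypi.python.org/pypi`; the `internal` server, already on HTTPS, is left untouched.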