Date: Tue, 27 Mar 2012 12:46:48 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: Vincent Danen <vdanen@...hat.com>
CC: oss-security@...ts.openwall.com, "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE request: distutils creates ~/.pypirc insecurely

On 03/27/2012 10:19 AM, Vincent Danen wrote:
> * [2012-03-27 09:59:46 -0600] Kurt Seifried wrote:
>
>> On 03/27/2012 08:15 AM, Vincent Danen wrote:
>>> Standard flaw where a file that contains a username and password is
>>> written with insecure permissions. This only affects python 2.6 and
>>> higher.
>>>
>>> Could a CVE name be assigned to this flaw? I don't think one has been
>>> already.
>>>
>>> References:
>>>
>>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=650555
>>> https://bugzilla.redhat.com/show_bug.cgi?id=758905
>>> http://bugs.python.org/issue13512
>>> http://bugs.python.org/file23824/pypirc-secure.diff
>>>
>>> Thanks.
>>>
>>
>> Please use CVE-2012-1587 for this issue.
>
> Sorry, I probably should have been more explicit on when it was reported
> (this is an older flaw). It was reported (and public) in 2011.
>

My bad, please reject CVE-2012-1587.

Please use CVE-2011-4944 for this issue, it has the correct year.

--
Kurt Seifried Red Hat Security Response Team (SRT)
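
The flaw class named in the quoted report (a credential file whose mode is left to the umask), shown beside an owner-only write and a permission audit. This is an added example, not part of the thread and not distutils' code; the function names, file names, sample credentials and the 0o022 umask are assumptions made for the illustration.

```python
import os
import stat
import tempfile

# Constructed sample in .pypirc layout; the credentials are placeholders.
SAMPLE = (
    "[distutils]\nindex-servers = pypi\n\n"
    "[pypi]\nusername = example-user\npassword = not-a-real-password\n"
)

def write_insecure(path, content):
    """Flaw class from the report: plain open(), so the umask picks the mode."""
    with open(path, "w") as f:
        f.write(content)

def write_private(path, content):
    """Create the file as 0600 and tighten a pre-existing one before writing."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        os.fchmod(fd, 0o600)  # O_CREAT's mode is ignored if the file existed
        f.write(content)

def exposed_bits(path):
    """Audit check: group/other permission bits on path (0 means owner-only)."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077

def demo():
    old = os.umask(0o022)  # assumed common default, fixed for a repeatable result
    try:
        with tempfile.TemporaryDirectory() as d:
            loose = os.path.join(d, "pypirc-loose")
            fresh = os.path.join(d, "pypirc-fresh")
            write_insecure(loose, SAMPLE)
            before = exposed_bits(loose)
            write_private(fresh, SAMPLE)
            write_private(loose, SAMPLE)  # rewrite of an already-loose file
            return before, exposed_bits(fresh), exposed_bits(loose)
    finally:
        os.umask(old)

if __name__ == "__main__":
    print([oct(b) for b in demo()])
```

Running `exposed_bits` against an existing `~/.pypirc` gives a quick check for whether group or other users can read the stored password.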