Date: Thu, 12 Mar 2015 11:03:32 -0400
From: Donald Stufft <donald@...fft.io>
To: oss-security@...ts.openwall.com, Assign a CVE Identifier <cve-assign@...re.org>
Subject: Assign a CVE for Python's restkit Please

Python's restkit does not properly validate TLS (see https://github.com/benoitc/restkit/issues/140).

It appears to simply use ssl.wrap_socket from the standard library, which does not do any validation by default.

This can be verified by doing:

>>> from restkit import request
>>> r = request("https://tv.eurosport.com/")
>>> r.body_string()
'<HTML><HEAD>...'

Can a CVE be assigned for this?

https://github.com/benoitc/restkit
https://pypi.python.org/pypi/restkit
http://restkit.readthedocs.org/en/latest/
https://benoitc.github.io/restkit/index.html

---
Donald Stufft
PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
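
Added example, not part of the original message and not restkit's code: a check that reports which validation steps a client-side SSLContext skips, run against a context carrying the defaults ssl.wrap_socket used (cert_reqs=CERT_NONE, no hostname check) and against a verifying one. The function names are hypothetical, and the legacy context is built by hand because ssl.wrap_socket was removed in Python 3.12.

```python
import socket
import ssl


def legacy_wrap_socket_context():
    """Settings equivalent to ssl.wrap_socket(sock) with no cert_reqs/ca_certs.

    Built by hand because ssl.wrap_socket() was removed in Python 3.12.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE   # wrap_socket's default cert_reqs
    return ctx


def verifying_context(cafile=None):
    """Client context that verifies the chain and the hostname."""
    return ssl.create_default_context(cafile=cafile)


def audit_context(ctx):
    """Return a list of validation gaps in a client-side SSLContext."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("chain not verified (verify_mode=%s)" % ctx.verify_mode.name)
    if not ctx.check_hostname:
        findings.append("hostname not matched against the certificate")
    return findings


def open_tls(host, port=443, ctx=None, timeout=10):
    """Connect with SNI; a verifying context raises
    ssl.SSLCertVerificationError on a bad or mismatched certificate."""
    ctx = ctx or verifying_context()
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        return ctx.wrap_socket(sock, server_hostname=host)
    except Exception:
        sock.close()
        raise


if __name__ == "__main__":
    for name, ctx in (("legacy", legacy_wrap_socket_context()),
                      ("verifying", verifying_context())):
        print(name, audit_context(ctx) or "ok")
```
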