Date: Sun, 22 Mar 2015 14:26:23 -0400 From: Donald Stufft <donald@...fft.io> To: oss-security@...ts.openwall.com Cc: Assign a CVE Identifier <cve-assign@...re.org> Subject: Re: Assign a CVE for Python's restkit Please > On Mar 12, 2015, at 11:03 AM, Donald Stufft <donald@...fft.io> wrote: > > Pythons Restskit does not properly validate TLS > (see https://github.com/benoitc/restkit/issues/140). It appears to simply use > ssl.wrap_socket from the standard library, which does not do any validation > by default. This can be verified by doing: > >>>> from restkit import request >>>> r = request("https://tv.eurosport.com/") >>>> r.body_string() > '<HTML><HEAD>...' > > Can a CVE be assigned for this? > > >  https://github.com/benoitc/restkit >  https://pypi.python.org/pypi/restkit >  http://restkit.readthedocs.org/en/latest/ >  https://benoitc.github.io/restkit/index.html > > --- > Donald Stufft > PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA > Ping? --- Donald Stufft PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA Download attachment "signature.asc" of type "application/pgp-signature" (802 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.