Hello there,

I've never particularly engaged with the Linux distro packaging process,
much less Ubuntu's, so forgive me if I'm doing this wrong.

I'm a pip maintainer and I would like to get this fixed in Ubuntu. I see
that saucy has pip 1.4.1, raring has 1.3.1, quantal has 1.1, precise has
1.0, and lucid has 0.3.1. This means that the fix is already in place
for saucy and raring, but that using pip in quantal, precise, and lucid
essentially allows someone in a position to MITM traffic to execute
arbitrary Python code (ref CVE-2013-1629).

So I'm not sure what the options are for fixing this; the easiest from my
point of view is to upgrade any version of pip pre-1.3 to at least pip
1.3 so that it gets TLS verification and folks are safer when using pip.
Is this an option?

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-1629

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1015477

Title:
  pip does not verify SSL certificates

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-pip/+bug/1015477/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
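As an added example (not code from the bug report, from pip, or from Ubuntu's packaging), the contrast the message is describing: the pre-1.3 behaviour of talking HTTPS without checking the server certificate, beside a client context that verifies, plus a version gate using the 1.3 threshold stated above. The helper names, `fetch_index`, and `context_is_safe` are assumptions made for illustration.

```python
"""
Added example, not part of the bug report or of pip itself.

pip before 1.3 (per the message: lucid 0.3.1, precise 1.0, quantal 1.1)
spoke HTTPS but accepted any server certificate, so anyone who can MITM
the connection can hand back a package of their choosing and its setup.py
runs as the installing user. pip >= 1.3 verifies the certificate.
"""
import http.client
import ssl

# Threshold stated in the message: TLS verification arrived in pip 1.3.
VERIFICATION_ADDED_IN = (1, 3)


def parse_version(version: str) -> tuple:
    """Turn 'a.b.c' (or 'a.b') into a comparable tuple of three ints.

    Only the leading digits of each dotted part are used, so '1.4.1' and
    '1.3' compare the way a human would expect; missing parts count as 0.
    """
    parts = []
    for part in version.strip().split("."):
        digits = ""
        for ch in part:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def pip_verifies_tls(version: str) -> bool:
    """True if this pip version is at or past the 1.3 verification threshold."""
    return parse_version(version) >= VERIFICATION_ADDED_IN


def legacy_context() -> ssl.SSLContext:
    """What a pre-1.3 pip effectively did: encrypt, but trust any certificate.

    check_hostname must be cleared before verify_mode can be set to CERT_NONE.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifying_context(cafile: str = None) -> ssl.SSLContext:
    """The hardened form: require a chain to a trusted CA and a matching hostname.

    cafile is optional; by default the platform trust store is loaded.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_is_safe(ctx: ssl.SSLContext) -> bool:
    """Hypothetical check: a context only defends against MITM if it both
    requires a valid chain and checks the hostname against the certificate."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def fetch_index(host: str, path: str = "/simple/", ctx: ssl.SSLContext = None,
                timeout: float = 10.0):
    """Fetch a package index page over HTTPS using the given context.

    With legacy_context() an on-path attacker can serve any response; with
    verifying_context() the handshake fails unless the cert is trusted.
    Returns (status, body). Not called by the offline tests.
    """
    conn = http.client.HTTPSConnection(host, context=ctx or verifying_context(),
                                       timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


if __name__ == "__main__":
    for v in ("0.3.1", "1.0", "1.1", "1.3.1", "1.4.1"):
        print(v, "verifies TLS" if pip_verifies_tls(v) else "does NOT verify TLS")
    print("legacy context safe:", context_is_safe(legacy_context()))
    print("verifying context safe:", context_is_safe(verifying_context()))
```

Running the script prints the verdict for each of the five Ubuntu pip versions named in the message and shows that only the verifying context counts as safe; pointing `fetch_index` at an index through a proxy that presents its own certificate is the quickest way to see the two contexts behave differently on a live connection.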