CVE-2013-2100

Gentoo Portage < 2.1.12.2 - Man-in-the-Middle Attack via Unverified X.509 Certificates

Description

The urlopen function in pym/portage/util/_urlopen.py in Gentoo Portage 2.1.12, when using HTTPS, does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and modify binary package lists via a crafted certificate.

References (6)

Core References
Mailing List mailing-list x_refsource_mlist
http://openwall.com/lists/oss-security/2013/05/16/3
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/201507-16
Exploit mailing-list x_refsource_mlist
http://openwall.com/lists/oss-security/2013/05/15/5
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/59878
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/84315

Scores

EPSS 0.0047
EPSS Percentile 64.8%

Details

CWE
CWE-310
Status published
Products (2)
gentoo/portage 2.1.12
pypi/portage 0 - 2.1.12.2 (PyPI)
Published Sep 29, 2014
Tracked Since Feb 18, 2026