CVE-2013-2100

Gentoo Portage < 2.1.12.2 - Cryptographic Issue

Title source: rule

Description

The urlopen function in pym/portage/util/_urlopen.py in Gentoo Portage 2.1.12, when using HTTPS, does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and modify binary package lists via a crafted certificate.

References (6)

[Exploit] http://openwall.com/lists/oss-security/2013/05/15/5

[Patch] https://bugs.gentoo.org/show_bug.cgi?id=469888

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/84315

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/59878

[Third Party Advisory] https://security.gentoo.org/glsa/201507-16

[Mailing List] http://openwall.com/lists/oss-security/2013/05/16/3

Scores

EPSS 0.0056

EPSS Percentile 67.8%

Classification

CWE

CWE-310

Status draft

Affected Products (2)

gentoo/portage

pypi/portage < 2.1.12.2PyPI

Timeline

Published Sep 29, 2014

Tracked Since Feb 18, 2026