{"id":"PYSEC-2014-115","details":"The urlopen function in pym/portage/util/_urlopen.py in Gentoo Portage 2.1.12, when using HTTPS, does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and modify binary package lists via a crafted certificate.","modified":"2025-10-09T05:21:02.298971Z","published":"2014-09-29T22:55:00Z","withdrawn":"2024-11-22T04:37:05Z","references":[{"type":"EVIDENCE","url":"http://openwall.com/lists/oss-security/2013/05/15/5"},{"type":"WEB","url":"http://www.securityfocus.com/bid/59878"},{"type":"WEB","url":"http://openwall.com/lists/oss-security/2013/05/16/3"},{"type":"FIX","url":"https://bugs.gentoo.org/show_bug.cgi?id=469888"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/201507-16"},{"type":"WEB","url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/84315"}],"affected":[{"package":{"name":"portage","ecosystem":"PyPI","purl":"pkg:pypi/portage"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["3.0.18","3.0.19","3.0.20","3.0.21","3.0.22","3.0.23","3.0.24","3.0.25","3.0.26","3.0.27","3.0.28","3.0.29","3.0.30","3.0.31","3.0.32","3.0.33","3.0.34","3.0.35","3.0.36","3.0.37","3.0.38","3.0.38.1","3.0.39","3.0.40","3.0.41","3.0.42","3.0.43","3.0.44","3.0.45","3.0.45.1","3.0.45.2","3.0.45.3","3.0.46","3.0.47","3.0.48","3.0.48.1","3.0.49","3.0.50","3.0.51","3.0.52","3.0.54","3.0.55","3.0.56","3.0.57","3.0.58","3.0.59","3.0.60","3.0.61","3.0.62","3.0.63","3.0.64","3.0.65","3.0.66","3.0.66.1","3.0.67","3.0.68","3.0.69","3.0.69.1"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/portage/PYSEC-2014-115.yaml"}}],"schema_version":"1.7.3"}