Man-in-the-Middle Vulnerability in Gentoo Portage Package Manager
CVE-2013-2100
Currently unrated
What is CVE-2013-2100?
The URL open function in Gentoo Portage version 2.1.12 has a critical flaw: when using HTTPS, it does not verify X.509 certificates from SSL servers. This exposes users to man-in-the-middle attacks in which an attacker presenting a specially crafted certificate can spoof the server's identity and potentially alter binary package lists. Proper SSL certificate verification is essential to mitigate these risks and maintain the integrity of package installations.
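The missing verification, shown as an added example in Python (Portage's implementation language); this is not Portage's code or its fix. The function names are hypothetical, only the standard `ssl` and `urllib.request` modules are used, and nothing is fetched over the network.

```python
import ssl
import urllib.request


def unverified_context():
    """The flawed pattern: HTTPS is used, but any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE   # chain is never validated
    return ctx


def verified_context(cafile=None):
    """Corrected pattern: validate the chain and match the hostname."""
    # create_default_context() sets CERT_REQUIRED and check_hostname=True.
    return ssl.create_default_context(cafile=cafile)


def audit_context(ctx):
    """Return the verification gaps in an SSLContext (empty list = safe)."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("certificate chain is not verified")
    if not ctx.check_hostname:
        problems.append("hostname is not matched against the certificate")
    return problems


def build_verified_opener(ctx):
    """Hypothetical helper: refuse to build an HTTPS opener that skips checks."""
    problems = audit_context(ctx)
    if problems:
        raise ValueError("refusing HTTPS fetch: " + "; ".join(problems))
    return urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))


if __name__ == "__main__":
    for name, ctx in (("unverified", unverified_context()),
                      ("verified", verified_context())):
        print(name, audit_context(ctx) or "ok")
```

A context that validates the chain but leaves `check_hostname` off is still reported, since a valid certificate issued for a different host would otherwise be accepted.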