Communication with store.juju.ubuntu.com is not authenticated
Bug #992447 reported by Clint Byrum
This bug affects 3 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| pyjuju | Fix Released | Critical | Clint Byrum | |
| 0.5 | Fix Released | Critical | Clint Byrum | |
| juju (Ubuntu) | Fix Released | Critical | Clint Byrum | |
| Oneiric | Won't Fix | Undecided | Unassigned | |
| Precise | Fix Released | Medium | Steve Beattie | |
| Quantal | Fix Released | Critical | Clint Byrum | |
Bug Description
twisted.web.client is used, getPage and downloadPage specifically, to talk to the backend charm store.
This is not authenticated at all, so a man in the middle between agent and charm store could cause an agent to download a trojaned charm.
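As an added example (not pyjuju's code and not the fix in the linked branch), a defender-side fetch helper built on Python's standard library that addresses both halves of the report: it refuses any store URL that is not https, verifies the server certificate chain and hostname, and checks the downloaded archive against a digest obtained out of band. The stdlib (ssl, urllib) stands in for twisted.web.client here; the helper names and the expected-digest parameter are assumptions, not part of the project.

```python
# Added example, not pyjuju's code: fetch a charm archive only over an
# authenticated TLS connection and check its digest before use. The stdlib
# (ssl, urllib) stands in for twisted.web.client; helper names and the
# expected-digest parameter are constructed for illustration.
import hashlib
import hmac
import ssl
import urllib.request
from urllib.parse import urlparse


class InsecureStoreURL(ValueError):
    """Store URL would be fetched without authenticating the server."""


def is_authenticated_store_url(url: str) -> bool:
    """Only https with a hostname lets the client authenticate the store;
    plain http (the bug) lets a man in the middle swap the archive."""
    parts = urlparse(url)
    return parts.scheme == "https" and bool(parts.hostname)


def store_ssl_context() -> ssl.SSLContext:
    """Verify the chain against the system trust store and check the
    certificate hostname; never downgrade to CERT_NONE."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def digest_matches(data: bytes, expected_sha256: str) -> bool:
    """Constant-time compare against a digest obtained out of band."""
    return hmac.compare_digest(sha256_hex(data), expected_sha256.lower())


def fetch_charm(url: str, expected_sha256: str, timeout: float = 30.0) -> bytes:
    """Download a charm over verified TLS; refuse it if the digest differs."""
    if not is_authenticated_store_url(url):
        raise InsecureStoreURL(f"refusing unauthenticated store URL: {url!r}")
    with urllib.request.urlopen(url, timeout=timeout, context=store_ssl_context()) as resp:
        data = resp.read()
    if not digest_matches(data, expected_sha256):
        raise ValueError("charm archive digest mismatch; possible tampering")
    return data
```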
Related branches
lp:~clint-fewbar/pyjuju/fix-ssl-for-charm-store
- Juju Engineering: Pending requested
- Diff: 109 lines (+20/-8), 3 files modified:
  - juju/charm/repository.py (+5/-2)
  - juju/charm/tests/test_repository.py (+10/-4)
  - juju/control/tests/test_upgrade_charm.py (+5/-2)
Changed in juju:
- status: New → In Progress
- assignee: nobody → Clint Byrum (clint-fewbar)

Changed in juju:
- milestone: none → honolulu

Changed in juju (Ubuntu Oneiric):
- status: New → Won't Fix

Changed in juju (Ubuntu Precise):
- status: New → In Progress
- assignee: nobody → Clint Byrum (clint-fewbar)

Changed in juju (Ubuntu Quantal):
- status: New → In Progress
- assignee: nobody → Clint Byrum (clint-fewbar)

Changed in juju (Ubuntu Quantal):
- status: In Progress → Fix Released

Changed in juju (Ubuntu Precise):
- importance: Undecided → Medium

Changed in juju:
- status: In Progress → Fix Committed

Changed in juju (Ubuntu Quantal):
- milestone: none → ubuntu-12.10

Changed in juju (Ubuntu Quantal):
- milestone: ubuntu-12.10 → ubuntu-12.10-beta-2
- importance: Undecided → High

Changed in juju (Ubuntu Quantal):
- importance: High → Critical

Changed in juju:
- status: Fix Committed → Fix Released
[tap,tap] This issue seems rather serious, and yet has received no response yet. I hope we'll be a bit more responsive to future security bugs.