Activity log for bug #1320312

| Date | Who | What changed | Old value | New value | Message |
| --- | --- | --- | --- | --- | --- |
| 2014-05-16 17:38:53 | dann frazier | bug | | added bug | |
| 2014-05-16 19:55:47 | Curtis Hovey | juju-core: status | New | Triaged | |
| 2014-05-16 19:55:51 | Curtis Hovey | juju-core: importance | Undecided | Medium | |
| 2014-05-16 19:55:59 | Curtis Hovey | tags | | metadata security | |
| 2015-07-23 17:08:02 | Curtis Hovey | information type | Private Security | Public Security | |
| 2015-07-23 17:09:24 | Curtis Hovey | description | When juju is fetching simple streams metadata for images and tools, it appears to look for a signed file (.sjson) first, and falls back to an unsigned one (.json). This process seems susceptible to man-in-the-middle attacks. An attacker could intercept juju's request for a .sjson file and return a 404, then return a malicious .json file on the fallback request. | When juju is fetching simple streams metadata for images and tools, it appears to look for a signed file (.sjson) first, and falls back to an unsigned one (.json). This process seems susceptible to man-in-the-middle attacks. An attacker could intercept juju's request for a .sjson file and return a 404, then return a malicious .json file on the fallback request. Juju metadata could support signing of personal streams, and/or users could configure Juju to accept a key they trust. | |
| 2015-07-23 17:12:13 | Curtis Hovey | tags | metadata security | improvement metadata security | |
| 2015-07-23 17:12:19 | Curtis Hovey | tags | improvement metadata security | improvement metadata security simplestreams | |
| 2016-03-07 14:22:00 | Curtis Hovey | juju-core: milestone | | 2.0-beta2 | |
| 2016-03-07 14:22:05 | Curtis Hovey | juju-core: status | Triaged | Fix Committed | |
| 2016-03-10 21:19:28 | Curtis Hovey | juju-core: status | Fix Committed | Fix Released | |
| 2016-08-23 01:20:09 | Canonical Juju QA Bot | affects | juju-core | juju | |
| 2016-08-23 01:20:09 | Canonical Juju QA Bot | juju: milestone | | 2.0-beta2 | |
| 2016-08-23 01:20:11 | Canonical Juju QA Bot | juju: milestone | | 2.0-beta2 | |