Insecure Ubuntu repos pose risk to all non-APT users

Bug #1779524 reported by Yarwin Kolff
Affects: Ubuntu
Status: Invalid
Importance: Undecided
Assigned to: Unassigned

Bug Description


Ubuntu has improperly configured their TLS. So improper that everything BUT
their downloads is secured with TLS.

This poses a serious risk to all non-APT users (majority of the people on
this planet), as the checksums and ISO files are exposed over HTTP, and can
be modified by MITM attackers, ISPs, and basically any node in the route.

Please see my proof of concept here: https://twitter.com/yungtravla/status/1013275701078683648

*Problem identified on 30/06/2018 by Yarwin Kolff*
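The two exposures the report describes, as an added example that is not part of this bug report or of any Ubuntu tooling: a small verifier for checksum files in the coreutils `sha256sum -b` format (`<hex> *<filename>`) that Ubuntu publishes as SHA256SUMS. It shows that the checksum catches an image altered on its own, but not an image and checksum file that were both replaced on the same unauthenticated path, which is why the checksum file itself needs an authenticated channel or a verified signature. The file name and image bytes are constructed, not a real release.

```python
import hashlib


def parse_sha256sums(text: str) -> dict:
    """Parse '<hex> *<filename>' lines (coreutils sha256sum format) into {name: digest}."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")  # '*' marks binary mode in coreutils output
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed SHA256SUMS line: {line!r}")
        sums[name] = digest.lower()
    return sums


def verify_iso(sums_text: str, name: str, data: bytes) -> bool:
    """True if data hashes to the digest listed for name; False if absent or mismatched."""
    expected = parse_sha256sums(sums_text).get(name)
    return expected is not None and hashlib.sha256(data).hexdigest() == expected


def make_sums(files: dict) -> str:
    """Build SHA256SUMS text for {name: bytes}, as a publisher (or a tamperer) would."""
    return "".join(f"{hashlib.sha256(d).hexdigest()} *{n}\n" for n, d in files.items())


# Constructed stand-in for an installer image; not a real Ubuntu ISO.
GENUINE_ISO = b"constructed genuine image bytes"
GENUINE_SUMS = make_sums({"ubuntu-example.iso": GENUINE_ISO})


def tampered_iso_detected() -> bool:
    """Only the image is altered in transit: the genuine checksum file catches it."""
    return not verify_iso(GENUINE_SUMS, "ubuntu-example.iso", GENUINE_ISO + b"x")


def consistent_replacement_passes() -> bool:
    """Image and checksum file replaced together over plain HTTP: the hash check
    passes, so the checksum file must come over TLS or carry a verified signature."""
    altered = GENUINE_ISO + b"x"
    return verify_iso(make_sums({"ubuntu-example.iso": altered}), "ubuntu-example.iso", altered)


if __name__ == "__main__":
    print("tampered image detected:", tampered_iso_detected())  # True
    print("consistent replacement passes hash check:", consistent_replacement_passes())  # True
```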

Tags: bot-comment
Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. It seems that your bug report is not filed about a specific source package though, rather it is just filed against Ubuntu in general. It is important that bug reports be filed about source packages so that people interested in the package can find the bugs about it. You can find some hints about determining what package your bug might be about at https://wiki.ubuntu.com/Bugs/FindRightPackage. You might also ask for help in the #ubuntu-bugs IRC channel on Freenode.

To change the source package that this bug is filed about visit https://bugs.launchpad.net/ubuntu/+bug/1779524/+editstatus and add the package name in the text box next to the word Package.

[This is an automated message. I apologize if it reached you inappropriately; please just reply to this message indicating so.]

tags: added: bot-comment
Yarwin Kolff (yungtravla) wrote :

In response to Launchpad's message: "Thank you for taking the time to report this bug and helping to make Ubuntu better. It seems that your bug report is not filed about a specific source package though, rather it is just filed against Ubuntu in general. It is important that bug reports be filed about source packages so that people interested in the package can find the bugs about it."

Please be advised that this bug affects all Ubuntu distributions, not just one single package.

I stress that you watch the PoC (Proof of Concept) which I included in my first report.

I will include it here once again:
https://twitter.com/yungtravla/status/1013275701078683648

Paul White (paulw2u) wrote :

We are sorry that we do not always have the capacity to review all reported bugs in a timely manner. You reported this issue some time ago and there have been many changes in Ubuntu since that time.

Bug reports raised against the Ubuntu project seldom get the attention that is expected as the intention is that all bug reports are raised against specific packages.

However, the matter that you raised (admittedly some time ago now) requires more discussion, which is best done on an appropriate mailing list to which the appropriate Ubuntu developers *will* be subscribed.

http://www.ubuntu.com/support/community/mailinglists or https://lists.ubuntu.com/ might be a good start for determining which mailing list to use if this matter is still an issue.

I'm closing this as 'Invalid' as this is not the place in which to raise such issues and no response after more than three years confirms that.

Changed in ubuntu:
status: New → Invalid