Insecure Ubuntu repos pose risk to all non-APT users
Bug #1779524 reported by Yarwin Kolff
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Ubuntu | Invalid | Undecided | Unassigned | |
Bug Description
affects ubuntu
Ubuntu has improperly configured their TLS. So improper that everything BUT
their downloads are secured with TLS.
This poses a serious risk to all non-APT users (majority of the people on
this planet), as the checksums and ISO files are exposed over HTTP, and can
be modified by MITM attackers, ISPs, and basically any node in the route.
Please see my proof of concept here: https:/
1013275701078683648
*Problem identified on 30/06/2018 by Yarwin Kolff*
Thank you for taking the time to report this bug and helping to make Ubuntu better. It seems that your bug report is not filed about a specific source package though, rather it is just filed against Ubuntu in general. It is important that bug reports be filed about source packages so that people interested in the package can find the bugs about it. You can find some hints about determining what package your bug might be about at https://wiki.ubuntu.com/Bugs/FindRightPackage. You might also ask for help in the #ubuntu-bugs irc channel on Freenode.
To change the source package that this bug is filed about visit https://bugs.launchpad.net/ubuntu/+bug/1779524/+editstatus and add the package name in the text box next to the word Package.
[This is an automated message. I apologize if it reached you inappropriately; please just reply to this message indicating so.]