cobbler-ubuntu-import does not check gpg signatures
Bug #974460 reported by
Scott Moser
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| cobbler (Ubuntu) |
Fix Released
|
High
|
Scott Moser | ||
| Oneiric |
Fix Released
|
High
|
Unassigned | ||
| Precise |
Fix Released
|
High
|
Scott Moser | ||
Bug Description
cobbler-
Ie, someone could Man in the Middle the download.
The right way tot check is like this:
$ url=http://
$ wget $url -O MD5SUMS
$ wget $url.gpg -O MD5SUMS.gpg
$ gpg --keyring=
Related branches
CVE References
| Changed in cobbler (Ubuntu Precise): | |
| importance: | Undecided → High |
| Changed in cobbler (Ubuntu Precise): | |
| status: | New → In Progress |
| assignee: | nobody → Scott Moser (smoser) |
Revision history for this message
| Launchpad Janitor (janitor) wrote | #1 |
| Changed in cobbler (Ubuntu Precise): | |
| status: | In Progress → Fix Released |
| summary: |
- cobbler-import-isos does not check gpg signatures + cobbler-ubuntu-import does not check gpg signatures |
| description: | updated |
| Changed in cobbler (Ubuntu Oneiric): | |
| status: | New → Fix Released |
| importance: | Undecided → High |
| visibility: | private → public |
Revision history for this message
| Marc Deslauriers (mdeslaur) wrote | #2 |
Revision history for this message
| Marc Deslauriers (mdeslaur) wrote | #3 |
To post a comment you must log in.
This bug was fixed in the package cobbler - 2.2.2-0ubuntu32
---------------
cobbler (2.2.2-0ubuntu32) precise; urgency=low
* replace static list of Ubuntu release names with dependency on
distro-info in cobbler and and python-distro-info in python-cobbler
(LP: #949442)
* check signature of MD5SUMS.gpg against ubuntu-keyring, and verify
that downloaded content matches expected (LP: #974460)
-- Scott Moser <email address hidden> Mon, 09 Apr 2012 22:08:22 -0400