cobbler-ubuntu-import does not check gpg signatures
Bug #974460 reported by Scott Moser
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
cobbler (Ubuntu) | Fix Released | High | Scott Moser |
Oneiric | Fix Released | High | Unassigned |
Precise | Fix Released | High | Scott Moser |
Bug Description
cobbler-
I.e., someone could Man in the Middle the download.
The right way to check is like this:
$ url=http://
$ wget $url -O MD5SUMS
$ wget $url.gpg -O MD5SUMS.gpg
$ gpg --keyring=
Changed in cobbler (Ubuntu Precise):
importance: Undecided → High
Changed in cobbler (Ubuntu Precise):
status: New → In Progress
assignee: nobody → Scott Moser (smoser)
summary:
- cobbler-import-isos does not check gpg signatures
+ cobbler-ubuntu-import does not check gpg signatures
description: updated
Changed in cobbler (Ubuntu Oneiric):
status: New → Fix Released
importance: Undecided → High
visibility: private → public
This bug was fixed in the package cobbler - 2.2.2-0ubuntu32
---------------
cobbler (2.2.2-0ubuntu32) precise; urgency=low
* replace static list of Ubuntu release names with dependency on
distro-info in cobbler and python-distro-info in python-cobbler
(LP: #949442)
* check signature of MD5SUMS.gpg against ubuntu-keyring, and verify
that downloaded content matches expected (LP: #974460)
-- Scott Moser <email address hidden> Mon, 09 Apr 2012 22:08:22 -0400
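
The two checks named in the changelog above, in the order they have to run, as an added example that is not the code shipped in cobbler: the signature on the checksum list is verified first, and only then is a downloaded file compared against its entry. The keyring path, the function names and the `./name` list layout are assumptions; the sample file is constructed.

```shell
#!/bin/sh
# Assumption: archive keyring path as installed by the ubuntu-keyring package.
KEYRING=${KEYRING:-/usr/share/keyrings/ubuntu-archive-keyring.gpg}

# verify_sums SUMS SIG: succeed only if SIG is a valid detached signature
# over SUMS made by a key in KEYRING (gpgv consults no other keyring).
verify_sums() {
    gpgv --keyring "$KEYRING" "$2" "$1"
}

# expected_md5 SUMS NAME: print the digest listed for NAME. Fails when NAME
# is absent or listed more than once, so an ambiguous list is never trusted.
expected_md5() {
    awk -v n="$2" '
        { f = $2; sub(/^\*/, "", f); sub(/^\.\//, "", f) }
        (f "") == n { sum = $1; hits++ }
        END { if (hits != 1) exit 1; print sum }' "$1"
}

# check_file SUMS NAME PATH: 0 on match, 1 on mismatch, 2 if NAME not listed.
check_file() {
    want=$(expected_md5 "$1" "$2") || return 2
    got=$(md5sum < "$3" | awk '{print $1}')
    [ "$want" = "$got" ]
}

# fetch_verified SUMS SIG NAME PATH: signature first, digest second.
# Any failure (no gpgv, no keyring, bad signature, bad digest) rejects.
fetch_verified() {
    verify_sums "$1" "$2" || { echo "bad signature on $1" >&2; return 1; }
    check_file "$1" "$3" "$4" || { echo "digest mismatch: $4" >&2; return 1; }
}

# Constructed sample: one file plus a matching list, then the file is altered.
demo() {
    d=$(mktemp -d) || return 1
    printf 'constructed kernel bytes\n' > "$d/linux"
    printf '%s  ./linux\n' "$(md5sum < "$d/linux" | awk '{print $1}')" > "$d/MD5SUMS"
    check_file "$d/MD5SUMS" linux "$d/linux" && echo "match: accepted"
    printf 'tampered\n' >> "$d/linux"
    check_file "$d/MD5SUMS" linux "$d/linux" || echo "mismatch: rejected"
    rm -rf "$d"
}
demo
```

The digest check on its own proves nothing when the list arrives over the same unauthenticated channel as the file, which is why `fetch_verified` refuses to read the list until `verify_sums` has passed.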