ubuntuone-couch doesn't do certificate validation

Bug #882049 reported by Marc Deslauriers on 2011-10-26
This bug affects 1 person
Affects                    Status   Importance   Assigned to         Milestone
ubuntuone-couch (Ubuntu)            Undecided    Unassigned
Natty                               Undecided    Unassigned
Oneiric                             Undecided    Marc Deslauriers
Precise                             Undecided    Unassigned

Bug Description

ubuntuone-couch uses python-httplib2, but python-httplib2 before 0.7.0 doesn't perform any server certificate validation at all.

To make matters worse, ubuntuone-couch in Oneiric _actually disabled cert validation_ with the no-ssl-validation.patch patch.

This results in a trivial man in the middle attack that can obtain or alter sensitive information.

Changed in ubuntuone-couch (Ubuntu):
status: New → Confirmed
Marc Deslauriers (mdeslaur) wrote :

python-httplib was updated in all releases: http://www.ubuntu.com/usn/usn-1375-1/

We still need to push a ubuntuone-couch update for oneiric to re-enable cert validation.

Changed in ubuntuone-couch (Ubuntu Natty):
status: New → Fix Released
Changed in ubuntuone-couch (Ubuntu Precise):
status: Confirmed → Fix Released
Changed in ubuntuone-couch (Ubuntu Oneiric):
status: New → Confirmed
assignee: nobody → Marc Deslauriers (mdeslaur)
visibility: private → public
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntuone-couch - 0.3.0-0ubuntu2.1

---------------
ubuntuone-couch (0.3.0-0ubuntu2.1) oneiric-security; urgency=low

  * SECURITY UPDATE: Re-enable ssl certificate validation (LP: #882049)
    - debian/patches/no-ssl-validation.patch: removed
    - debian/patches/dynamic-timeout.patch: updated
 -- Marc Deslauriers <email address hidden> Thu, 01 Mar 2012 08:08:50 -0500

Changed in ubuntuone-couch (Ubuntu Oneiric):
status: Confirmed → Fix Released
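
A check of the kind this fix calls for, as an added example that is not part of the bug report or the ubuntuone-couch packaging: a small AST scan that flags Python source which switches certificate validation off. `disable_ssl_certificate_validation` is httplib2's own keyword argument; the standard-library `ssl` patterns go beyond what the report mentions, and the sample source is constructed, not the contents of no-ssl-validation.patch.

```python
import ast

# Keyword arguments that turn validation off when passed the value shown.
RISKY_KWARGS = {"disable_ssl_certificate_validation": True}  # httplib2.Http(...)
# SSLContext attributes that weaken validation when assigned the value shown.
RISKY_ATTRS = {"check_hostname": False}
# Names whose mere use means "do not verify the peer" (standard-library ssl).
RISKY_NAMES = {"CERT_NONE", "_create_unverified_context"}


def _literal(node):
    """Literal value of an AST node, or a unique object if it is not a literal."""
    return node.value if isinstance(node, ast.Constant) else object()


def find_disabled_validation(source, filename="<string>"):
    """Return sorted (line, reason) pairs for code that disables TLS validation."""
    findings = set()
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Call):
            for kw in node.keywords:
                if kw.arg in RISKY_KWARGS and _literal(kw.value) is RISKY_KWARGS[kw.arg]:
                    findings.add((kw.value.lineno, f"{kw.arg}={RISKY_KWARGS[kw.arg]}"))
        elif isinstance(node, ast.Assign):
            for target in node.targets:
                if (isinstance(target, ast.Attribute) and target.attr in RISKY_ATTRS
                        and _literal(node.value) is RISKY_ATTRS[target.attr]):
                    findings.add((node.lineno, f"{target.attr}={RISKY_ATTRS[target.attr]}"))
        elif isinstance(node, (ast.Attribute, ast.Name)):
            name = node.attr if isinstance(node, ast.Attribute) else node.id
            if name in RISKY_NAMES:
                findings.add((node.lineno, name))
    return sorted(findings)


# Constructed sample, parsed but never executed.
SAMPLE = """\
import httplib2, ssl
ok = httplib2.Http(timeout=10)
bad = httplib2.Http(disable_ssl_certificate_validation=True)
ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
"""

if __name__ == "__main__":
    for line, reason in find_disabled_validation(SAMPLE):
        print(f"line {line}: {reason}")
```

Run over a package's source tree and its `debian/patches` results, a scan like this can gate a build so that a validation-disabling change does not ship unnoticed.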
This report contains Public Security information
Everyone can see this security related information.