ubuntuone-couch doesn't do certificate validation
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| ubuntuone-couch (Ubuntu) | | Undecided | Unassigned | |
| Natty | | Undecided | Unassigned | |
| Oneiric | | Undecided | Marc Deslauriers | |
| Precise | | Undecided | Unassigned | |
Bug Description
ubuntuone-couch uses python-httplib2, but python-httplib2 before 0.7.0 doesn't perform any server certificate validation at all.
To make matters worse, ubuntuone-couch in Oneiric _actually disabled cert validation_ with the no-ssl-
This results in a trivial man in the middle attack that can obtain or alter sensitive information.
| Changed in ubuntuone-couch (Ubuntu): | |
| status: | New → Confirmed |
| Marc Deslauriers (mdeslaur) wrote : | #1 |
| Changed in ubuntuone-couch (Ubuntu Natty): | |
| status: | New → Fix Released |
| Changed in ubuntuone-couch (Ubuntu Precise): | |
| status: | Confirmed → Fix Released |
| Changed in ubuntuone-couch (Ubuntu Oneiric): | |
| status: | New → Confirmed |
| assignee: | nobody → Marc Deslauriers (mdeslaur) |
| visibility: | private → public |
| Launchpad Janitor (janitor) wrote : | #2 |
This bug was fixed in the package ubuntuone-couch - 0.3.0-0ubuntu2.1
---------------
ubuntuone-couch (0.3.0-0ubuntu2.1) oneiric-security; urgency=low
* SECURITY UPDATE: Re-enable ssl certificate validation (LP: #882049)
- debian/
- debian/
-- Marc Deslauriers <email address hidden> Thu, 01 Mar 2012 08:08:50 -0500
| Changed in ubuntuone-couch (Ubuntu Oneiric): | |
| status: | Confirmed → Fix Released |


python-httplib was updated in all releases: http://www.ubuntu.com/usn/usn-1375-1/
We still need to push a ubuntuone-couch update for oneiric to re-enable cert validation.
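The two conditions described in this report (an httplib2 older than 0.7.0, and a caller that turns validation off) can be checked with a short audit script. This is an added example, not code from the bug report or from ubuntuone-couch: the function names and the sample source are constructed for illustration, `disable_ssl_certificate_validation` is the keyword argument `httplib2.Http` accepts from 0.7.0 onward, and only the keyword form of the argument is inspected.

```python
import ast
import re

FIXED_IN = (0, 7, 0)  # per the bug description: httplib2 before 0.7.0 never validates
FLAG = "disable_ssl_certificate_validation"  # httplib2.Http keyword argument

SAMPLE = '''\
import httplib2
safe = httplib2.Http(timeout=10)
bad = httplib2.Http(disable_ssl_certificate_validation=True)
maybe = httplib2.Http(disable_ssl_certificate_validation=insecure)
explicit = httplib2.Http(disable_ssl_certificate_validation=False)
'''  # constructed sample, not taken from ubuntuone-couch

def version_validates(version):
    """True if the httplib2 version string is 0.7.0 or later."""
    nums = [int(m.group()) for m in (re.match(r"\d+", p) for p in version.split(".")[:3]) if m]
    nums += [0] * (3 - len(nums))  # treat "0.7" as 0.7.0
    return tuple(nums) >= FIXED_IN

def find_disabled_validation(source, filename="<src>"):
    """Return sorted (line, reason) pairs for Http(...) calls that can skip validation."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
        if name != "Http":
            continue
        for kw in node.keywords:
            if kw.arg != FLAG:
                continue
            if isinstance(kw.value, ast.Constant):
                if kw.value.value:  # literal True (or any truthy constant)
                    findings.append((node.lineno, "validation disabled"))
            else:  # value decided at runtime: needs a human to look at it
                findings.append((node.lineno, "validation set at runtime, review"))
    return sorted(findings)

if __name__ == "__main__":
    for version in ("0.6.0", "0.7.0"):
        print(version, "validates" if version_validates(version) else "no validation at all")
    for line, reason in find_disabled_validation(SAMPLE):
        print("line %d: %s" % (line, reason))
```

A clean result from the source scan means little on a system where the installed httplib2 still predates 0.7.0, so both checks need to pass.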