ubuntuone-couch doesn't do certificate validation
Bug #882049 reported by Marc Deslauriers
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
ubuntuone-couch (Ubuntu) | Fix Released | Undecided | Unassigned |
Natty | Fix Released | Undecided | Unassigned |
Oneiric | Fix Released | Undecided | Marc Deslauriers |
Precise | Fix Released | Undecided | Unassigned |
Bug Description
ubuntuone-couch uses python-httplib2, but python-httplib2 before 0.7.0 doesn't perform any server certificate validation at all.
To make matters worse, ubuntuone-couch in Oneiric _actually disabled cert validation_ with the no-ssl-
This results in a trivial man in the middle attack that can obtain or alter sensitive information.
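An audit sketch for the two conditions named in the description, added here as an example and not taken from the bug report or from ubuntuone-couch. It assumes the opt-out under review is httplib2's `disable_ssl_certificate_validation` flag (the report does not show how ubuntuone-couch disabled validation); the sample source and function names are constructed.

```python
import ast

# Constructed sample source, standing in for a client module under review.
SAMPLE = '''
import httplib2
good = httplib2.Http(timeout=10)
bad = httplib2.Http(disable_ssl_certificate_validation=True)
also_bad = httplib2.Http()
also_bad.disable_ssl_certificate_validation = True
'''

# Assumption: this httplib2 flag is the opt-out being audited for.
FLAG = "disable_ssl_certificate_validation"


def _is_true(node):
    """True when the node is the literal constant True."""
    return isinstance(node, ast.Constant) and node.value is True


def find_disabled_validation(source):
    """Return sorted line numbers where cert validation is switched off."""
    hits = set()
    for node in ast.walk(ast.parse(source)):
        # Keyword form: Http(disable_ssl_certificate_validation=True)
        if isinstance(node, ast.Call):
            for kw in node.keywords:
                if kw.arg == FLAG and _is_true(kw.value):
                    hits.add(node.lineno)
        # Attribute form: h.disable_ssl_certificate_validation = True
        elif isinstance(node, ast.Assign) and _is_true(node.value):
            for target in node.targets:
                if isinstance(target, ast.Attribute) and target.attr == FLAG:
                    hits.add(node.lineno)
    return sorted(hits)


def validates_by_default(httplib2_version):
    """Per the report, httplib2 before 0.7.0 does no server cert validation."""
    nums = tuple(int(p) for p in httplib2_version.split(".")[:3] if p.isdigit())
    return (nums + (0, 0, 0))[:3] >= (0, 7, 0)


if __name__ == "__main__":
    print("validation disabled on lines:", find_disabled_validation(SAMPLE))
    for v in ("0.6.0", "0.7.0"):
        print(v, "validates by default:", validates_by_default(v))
```
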
Changed in ubuntuone-couch (Ubuntu):
status: New → Confirmed
Changed in ubuntuone-couch (Ubuntu Natty):
status: New → Fix Released
Changed in ubuntuone-couch (Ubuntu Precise):
status: Confirmed → Fix Released
Changed in ubuntuone-couch (Ubuntu Oneiric):
status: New → Confirmed
assignee: nobody → Marc Deslauriers (mdeslaur)
visibility: private → public
python-httplib was updated in all releases: http://www.ubuntu.com/usn/usn-1375-1/
We still need to push a ubuntuone-couch update for oneiric to re-enable cert validation.