changelogs.ubuntu.com should be using HTTPS
Bug #1744318 reported by TJ
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
ubuntu-release-upgrader (Ubuntu) | Fix Released | High | Unassigned |
Xenial | Fix Released | Medium | Unassigned |
Bionic | Fix Released | High | Unassigned |
update-manager (Ubuntu) | Fix Released | High | Unassigned |
Xenial | Fix Released | Medium | Unassigned |
Bionic | Fix Released | High | Unassigned |
Bug Description
[Impact]
Although the packages listed in meta-release files on changelogs.
meta-release files should be signed with the archive GPG key and/or delivered over HTTPS.
[Test case]
Block port 80 access to changelogs.
[Regression potential]
This breaks any clients behind a proxy where HTTPS (CONNECT on the proxy) is not allowed.
information type: | Public → Public Security |
tags: | added: rls-bb-incoming |
Changed in update-manager (Ubuntu Bionic): | |
assignee: | Steve Langasek (vorlon) → nobody |
importance: | Undecided → High |
status: | New → Triaged |
tags: | removed: rls-bb-incoming |
tags: | added: id-5a733ec9244ad5f76d9cf9c8 |
Changed in ubuntu-release-upgrader (Ubuntu Bionic): | |
status: | New → Fix Committed |
Changed in update-manager (Ubuntu Bionic): | |
status: | Triaged → In Progress |
status: | In Progress → Fix Committed |
Changed in ubuntu-release-upgrader (Ubuntu Bionic): | |
importance: | Undecided → High |
tags: | added: id-5ce6d6855257155f211b5d3f |
description: | updated |
description: | updated |
Changed in ubuntu-release-upgrader (Ubuntu Xenial): | |
status: | New → In Progress |
importance: | Undecided → Medium |
Changed in update-manager (Ubuntu Xenial): | |
importance: | Undecided → Medium |
status: | New → In Progress |
1) probably needs an RT to https-ify the subdomain
2) probably needs an RT/trello planning for inline gpg signed meta-releases
3) probably needs a trello planning for code changes to use the inline gpg signed meta-releases and/or https