[Secure-testing-team] Bug#685728: juju: Communication with store.juju.ubuntu.com is not authenticated
Clint Byrum
clint at ubuntu.com
Fri Aug 24 00:40:13 UTC 2012
Package: juju
Version: 0.5.1+bzr563-0juju2~quantal1
Severity: grave
Tags: security patch upstream
Justification: user security hole
This problem with juju has been fixed in upstream trunk and so can be
considered "disclosed".
When using juju with the built-in "charm store" at store.juju.ubuntu.com,
the SSL certificate is not verified. This could lead to a man-in-the-middle
attack where an attacker could have trojaned "charms" installed
instead of the official charms.
-- System Information:
Debian Release: wheezy/sid
APT prefers quantal-updates
APT policy: (500, 'quantal-updates'), (500, 'quantal-security'), (500, 'quantal'), (400, 'precise-proposed')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.5.0-10-generic (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages juju depends on:
ii openssh-client 1:6.0p1-2ubuntu1
ii python 2.7.3-0ubuntu5
ii python-oauth 1.0.1-3build1
ii python-twisted 12.0.0-1ubuntu1
ii python-txaws 0.2.3-1ubuntu1
ii python-txzookeeper 0.9.5-1
ii python-yaml 3.10-4
ii python2.7 2.7.3-0ubuntu4
ii tmux 1.6-2
Versions of packages juju recommends:
ii byobu 5.21-0ubuntu1
ii python-pydot 1.0.2-1
Versions of packages juju suggests:
ii apt-cacher-ng 0.7.7-1ubuntu1
ii libvirt-bin 0.9.13-0ubuntu7
ii lxc 0.8.0~rc1-4ubuntu24
ii zookeeper 3.3.6+dfsg-0ubuntu1
-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: upstream-565.patch
Type: text/x-diff
Size: 4545 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20120823/74dd742b/attachment.patch>
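For readers wanting to see what the report describes in code, the following is an added illustration and not juju's code or the attached upstream patch: the weak client pattern (a TLS context that performs no certificate verification, so any certificate presented by a man-in-the-middle is accepted) next to the hardened form (system trust store, CERT_REQUIRED, hostname check), a helper that audits a context before it is used, and an optional digest check on the downloaded archive. The store host is taken from the report; the charm URL layout, the `expected_sha256` parameter and the use of the Python 3 `ssl`/`urllib` modules instead of the Twisted client juju used at the time are assumptions made for the example.

```python
import hashlib
import ssl
import urllib.request

# Host from the bug report; the path layout below is assumed for illustration.
STORE_HOST = "store.juju.ubuntu.com"


def insecure_context():
    """The vulnerable configuration: TLS for transport, but no authentication.

    check_hostname must be cleared before verify_mode, otherwise ssl raises.
    A MITM presenting any self-signed certificate is accepted silently.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verified_context(cafile=None):
    """The hardened configuration: chain validated against the trust store
    (the system bundle, or an explicit cafile), hostname matched, and
    legacy protocol versions refused."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_authenticated(ctx):
    """Audit helper: True only if the peer certificate is both required and
    checked against the hostname; either alone leaves the MITM hole open."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def charm_url(series, name):
    # Assumed URL layout, used only to build the example request.
    return "https://%s/charm/%s/%s" % (STORE_HOST, series, name)


def sha256_matches(data, expected_sha256):
    """Defense in depth: compare the downloaded archive against a digest
    obtained over an authenticated channel (assumed to be available)."""
    return hashlib.sha256(data).hexdigest() == expected_sha256.lower()


def fetch_charm(series, name, ctx=None, expected_sha256=None, timeout=30):
    """Download a charm archive over an authenticated TLS connection.

    Refuses to run with a context that does not verify the peer, so the
    weak pattern cannot be reintroduced by a caller passing insecure_context().
    Raises ssl.SSLCertVerificationError on a forged or mismatched certificate.
    """
    if ctx is None:
        ctx = verified_context()
    if not context_is_authenticated(ctx):
        raise ValueError("refusing unauthenticated TLS context for charm download")
    req = urllib.request.Request(charm_url(series, name))
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        data = resp.read()
    if expected_sha256 is not None and not sha256_matches(data, expected_sha256):
        raise ValueError("charm archive digest mismatch; possible tampering")
    return data


if __name__ == "__main__":
    # Offline demonstration: audit both contexts without touching the network.
    print("insecure context authenticated:", context_is_authenticated(insecure_context()))
    print("verified context authenticated:", context_is_authenticated(verified_context()))
```

An attacker in the path of an `insecure_context()` client terminates TLS with their own certificate and serves a modified archive; with `verified_context()` the same attempt fails at the handshake with a certificate verification error before any charm bytes are read, which is the behaviour the upstream fix restores.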