[Bug 1617535] Re: geoip.ubuntu.com does not utilize HTTPS

2018-05-03 Thread Jim Campbell
Might anyone be able to clarify what kinds of additional test cases (if any) are needed? If so, I would appreciate it. I'm making an attempt to be helpful in fixing this bug, but am a bit new to Canonical's internal processes in terms of what they expect to test / resolve these kinds of bugs. Any

[Bug 1617535] Re: geoip.ubuntu.com does not utilize HTTPS

2018-04-18 Thread Jim Campbell
Adding test case here: 1) Install patches / patched package 2) Confirm that the 'geoip url' is set to a correct 'https' value, and that this value is set as the default: `$ gsettings get com.ubuntu.geoip geoip-url` should display `https://geoip.ubuntu.com/lookup` `$ gsettings reset

[Bug 1617535] Re: geoip.ubuntu.com does not utilize HTTPS

2018-04-14 Thread Simon Quigley
Unsubscribing the Ubuntu Sponsors Team for now, due to Sebastien's comment that more work needs to be done. Please resubscribe the Sponsors Team once adequate tests have been added. Thank you. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to

[Bug 1617535] Re: geoip.ubuntu.com does not utilize HTTPS

2018-04-04 Thread Sebastien Bacher
There is still a need to figure out a testcase here before the SRU can be uploaded -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1617535 Title: geoip.ubuntu.com does not utilize HTTPS To manage

[Bug 1617535] Re: geoip.ubuntu.com does not utilize HTTPS

2018-03-16 Thread Jim Campbell
Include associated patch to fix this for Trusty. Please update package after associated packages for Artful and Xenial. ** Patch added: "One-line fix and associated changelog - Trusty"

[Bug 1617535] Re: geoip.ubuntu.com does not utilize HTTPS

2018-03-16 Thread Jim Campbell
Include patch to set https geoip url for Xenial. Package should be updated after the related Artful package, but before the associated Trusty package. ** Patch added: "One-line fix and associated changelog - Xenial"

[Bug 1617535] Re: geoip.ubuntu.com does not utilize HTTPS

2018-03-16 Thread Jim Campbell
Include associated patch for Artful. This package should be updated before packages for Trusty and Xenial, although I'm attaching all three patches at more or less the same time. ** Patch added: "One-line fix and associated changelog"

[Bug 1617535] Re: geoip.ubuntu.com does not utilize HTTPS

2018-02-23 Thread Launchpad Bug Tracker
This bug was fixed in the package ubuntu-geoip - 1.0.2+18.04.20180223-0ubuntu1 --- ubuntu-geoip (1.0.2+18.04.20180223-0ubuntu1) bionic; urgency=medium * Use https for geoip.ubuntu.com (LP: #1617535) -- Jeremy Bicha Fri, 23 Feb 2018 17:23:36 + ** Changed

[Bug 1617535] Re: geoip.ubuntu.com does not utilize HTTPS

2018-02-23 Thread Jeremy Bicha
** Also affects: ubuntu-geoip (Ubuntu Artful) Importance: Undecided Status: New ** Also affects: ubuntu-geoip (Ubuntu Trusty) Importance: Undecided Status: New ** Also affects: ubuntu-geoip (Ubuntu Xenial) Importance: Undecided Status: New ** Changed in:

[Bug 1617535] Re: geoip.ubuntu.com does not utilize HTTPS

2018-02-23 Thread Jim Campbell
It appears as though the servers may have been updated to also serve this over https (previously, https didn't work at the Ubuntu geoip url), but the default value for desktops is to use the http value, and the defaults should be updated. Current values: $ gsettings reset com.ubuntu.geoip

[Bug 1617535] Re: geoip.ubuntu.com does not utilize HTTPS

2017-10-31 Thread Jim Campbell
Using the: $ gsettings set com.ubuntu.geoip geoip-url https://freegeoip.net/xml/ Appears to work well enough after initial testing. 1) $ gsettings set com.canonical.indicator.datetime show-auto-detected-location true shows my correct location 2) apt install geoclue-examples and then

[Bug 1617535] Re: geoip.ubuntu.com does not utilize HTTPS

2017-10-30 Thread Jim Campbell
To reset the value to the ubuntu default: gsettings reset com.ubuntu.geoip geoip-url

[Bug 1617535] Re: geoip.ubuntu.com does not utilize HTTPS

2017-10-30 Thread Jim Campbell
You can update to an alternate provider via: gsettings set com.ubuntu.geoip geoip-url https://freegeoip.net/xml/ and verify the setting via: gsettings get com.ubuntu.geoip geoip-url but I have not done extensive testing to see if this breaks anything. Assistance on this would be appreciated.

[Bug 1617535] Re: geoip.ubuntu.com does not utilize HTTPS

2017-10-12 Thread Marc Deslauriers
** Changed in: ubuntu-geoip (Ubuntu) Status: New => Confirmed ** Changed in: ubuntu-geoip (Ubuntu) Importance: Undecided => Wishlist

[Bug 1617535] Re: geoip.ubuntu.com does not utilize HTTPS

2017-10-12 Thread LocutusOfBorg
I subscribed security team, it is unlikely that they get such messages if not subscribed :) ** Changed in: ubuntu-geoip (Ubuntu) Status: Incomplete => New

[Bug 1617535] Re: geoip.ubuntu.com does not utilize HTTPS

2017-09-26 Thread xtsbdu3reyrbrmroezob
@jim no the ubuntu security team also did not respond regarding this issue. unfortunately, it is actually being abused by the great firewall of china to spy on ubuntu users within the border of china. from what we can tell, the ubuntu security team does not take nation state level issues very

[Bug 1617535] Re: geoip.ubuntu.com does not utilize HTTPS

2017-09-26 Thread Jim Campbell
Any update to this bug? Seems that it would be advisable to make the change to https for any services possible. The less unencrypted traffic over the web, the better.

[Bug 1617535] Re: geoip.ubuntu.com does not utilize HTTPS

2016-08-27 Thread Kristian Erik Hermansen
Your SSH supports bad crypto: arcfour arcfour128 arcfour256

[Bug 1617535] Re: geoip.ubuntu.com does not utilize HTTPS

2016-08-27 Thread Kristian Erik Hermansen
Your SSH supports bad CBC mode: 3des-cbc aes128-cbc aes192-cbc aes256-cbc blowfish-cbc cast128-cbc rijndael-...@lysator.liu.se

[Bug 1617535] Re: geoip.ubuntu.com does not utilize HTTPS

2016-08-27 Thread Kristian Erik Hermansen
Your SSH supports weak MAC: hmac-md5 hmac-md5-96 hmac-md5-96-...@openssh.com hmac-md5-...@openssh.com hmac-sha1-96 hmac-sha1-96-...@openssh.com

[Bug 1617535] Re: geoip.ubuntu.com does not utilize HTTPS

2016-08-27 Thread Kristian Erik Hermansen
Your leaked inode number: 2261065

[Bug 1617535] Re: geoip.ubuntu.com does not utilize HTTPS

2016-08-27 Thread Kristian Erik Hermansen
Your SSH also appears exposed to Internet and vulnerable to Logjam, which is exploitable by NSA.

[Bug 1617535] Re: geoip.ubuntu.com does not utilize HTTPS

2016-08-27 Thread Kristian Erik Hermansen
So, also, ummm yeah, you're also running an end-of-life and insecure version of ubuntu there too dude. ubuntu 13.04 (saucy) is NOT getting any security updates. Should someone exploit it remotely to make that point? ;) Ubuntu 13.10 EOL was July 2014.

[Bug 1617535] Re: geoip.ubuntu.com does not utilize HTTPS

2016-08-27 Thread Kristian Erik Hermansen
Exactly. Say I am the NSA and you are connected to Tor. I know your EMAIL user agent like Thunderbird is leaking data in your mail header, like Time Zone data. I know you are connected to Tor and that I want to associate your IP to your email. I fiddle your Time Zone response data to something

[Bug 1617535] Re: geoip.ubuntu.com does not utilize HTTPS

2016-08-27 Thread Seth Arnold
Can you elaborate on what an adversary might do with this connection? The name itself will be leaked via DNS requests regardless of TLS use. The name itself may be leaked via SNI headers in a hypothetical HTTPS connection. I'm not yet familiar with the data actually transferred once connected,

[Bug 1617535] Re: geoip.ubuntu.com does not utilize HTTPS

2016-08-27 Thread Seth Arnold
** Information type changed from Private Security to Public Security ** Changed in: ubuntu-geoip (Ubuntu) Status: New => Incomplete