I don't think it was safe decision to link the security of Ubuntu base OS to curl running as root every 12 hours via motd-news just to display Ads for products and not important security messages like suggested in the original ticket (1637800).
Just imagine the consequence of https://motd.ubuntu.com being compromised starts to redirect to a TFTP URL and send private memory contents from root account every 12 hours or if curl has a new vulnerability such as buffer overflow discovered automatically by Google's OSS-Fuzz and not yet patched within 30 days by curl maintainers or by Ubuntu Security Team. https://curl.haxx.se/docs/CVE-2017-1000100.html A malicious HTTP(S) server could redirect a vulnerable libcurl-using client to a crafted TFTP URL (if the client hasn't restricted which protocols it allows redirects to) and trick it to send private memory contents to a remote server over UDP. https://bugs.chromium.org/p/oss- fuzz/issues/list?q=curl&can=1&sort=-reported ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-1000100 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to base-files in Ubuntu. https://bugs.launchpad.net/bugs/1867424 Title: motd-news transmitting private hardware data without consent or knowledge in background Status in base-files package in Ubuntu: Confirmed Bug description: In package base-files there is a script /etc/update-motd.d/50-motd- news that harvests private hardware data from the machine and transmits it in the background every day. There is no notice, no consent, no nothing. This should be by default disabled until there is informed consent. This solution is simple: 1. Change ENABLED=1 to ENABLED=0 in the file /etc/default/motd-news and 2. Place a comment in the file disclosing the fact that the 50-motd-news script will harvest private hardware data and upload it to motd.ubuntu.com daily if the end-user enables it. Creating databases that maps ip address to specify hardware is a threat to both privacy and security. If an adversary knows the specific hardware and the ip address for that hardware their ability to successfully attack it is greatly increased. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1867424/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : [email protected] Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
