> This means a man-in-the-middle can gain root access, just by inserting their
> own version of one of the packages into this network traffic, because updates
> run as root. They can first obtain the public 1024-bit key from the PPA, then
> spend as long as they want working out the private key, then sign their false
> updates with the real private key.
>
> A bug that allows complete compromise of most Ubuntu machines without
> requiring any user involvement is a very serious bug. Why hasn't this even
> been assigned to anyone, nearly 2 years after it was reported?
I suppose people will be wondering why it wasn't fixed once a Snowden-style
leak drops showing that this vulnerability was exploited for years.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1461834

Title:
  1024-bit signing keys should be deprecated

To manage notifications about this bug go to:
https://bugs.launchpad.net/launchpad/+bug/1461834/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
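As an added example, not code from the bug report or from Ubuntu or Launchpad, here is a POSIX shell script that audits the keys APT trusts for the short key lengths the report is about. It parses gpg's machine-readable `--with-colons` records, so the check itself runs offline against a constructed sample; the key IDs, fingerprints and user IDs in that sample are invented, and the live walk over `/etc/apt/trusted.gpg.d` assumes gpg 2.2 or later.

```sh
#!/bin/sh
# Added example, not code from the bug report or from Ubuntu/Launchpad:
# audit the keys APT trusts for short RSA/DSA keys, the weakness the report
# is about. Works on gpg's machine-readable "--with-colons" records
# (field 1 = record type, 3 = key length in bits, 4 = algorithm number,
# 5 = key ID, 10 = user ID; algorithm 1/2/3 = RSA, 17 = DSA, 16 = ElGamal).

MIN_BITS=2048   # anything shorter is flagged

# flag_weak_keys: read --with-colons records on stdin and print one line per
# primary key ("pub") or subkey ("sub") shorter than MIN_BITS:
#   <bits> <algorithm> <pub|sub> <key ID> <user ID of the primary key>
flag_weak_keys() {
    awk -F: -v min="$MIN_BITS" '
        function algoname(a) {
            if (a == 17) return "DSA"
            if (a == 16) return "ELG"
            if (a == 1 || a == 2 || a == 3) return "RSA"
            return "algo" a
        }
        # A "pub" record precedes its "uid" records, so a weak primary key is
        # held until the first uid is seen (or flushed if none follows).
        $1 == "pub" {
            if (pending != "") print pending
            pending = ""; uid = ""
            if ($3 + 0 < min) pending = $3 " " algoname($4) " pub " $5
        }
        $1 == "uid" && uid == "" {
            uid = $10
            if (pending != "") { print pending " " uid; pending = "" }
        }
        $1 == "sub" && $3 + 0 < min {
            print $3 " " algoname($4) " sub " $5 " " uid
        }
        END { if (pending != "") print pending }
    '
}

# count_weak_keys: number of weak keys/subkeys in the records on stdin
count_weak_keys() {
    flag_weak_keys | awk 'END { print NR }'
}

# audit_apt_keyrings: run the check over the live APT trust store. Needs gpg
# 2.2 or later for --show-keys, which accepts binary and ASCII-armored files.
# Keys in these files are trusted archive-wide (unless a source pins
# Signed-By), so every hit is a key whose Release-file signature apt accepts.
audit_apt_keyrings() {
    for f in /etc/apt/trusted.gpg /etc/apt/trusted.gpg.d/*; do
        [ -f "$f" ] || continue
        gpg --batch --with-colons --show-keys "$f" 2>/dev/null \
            | flag_weak_keys | sed "s|^|$f: |"
    done
}

# Constructed sample of --with-colons output (key IDs and user IDs invented):
# a 1024-bit RSA PPA key with a 1024-bit signing subkey, a 4096-bit RSA key,
# and a 1024-bit DSA key with a 2048-bit ElGamal encryption subkey.
SAMPLE_COLONS='tru::1:1700000000:0:3:1:5
pub:-:1024:1:0123456789ABCDEF:1262304000::-:::scESC::::::::
fpr:::::::::FEDCBA9876543210FEDCBA98765432100123456789ABCDEF:
uid:-::::1262304000::0000000000000000000000000000000000000000::Example Team PPA <ppa@example.org>::::::::::0:
sub:-:1024:1:1111111111111111:1262304000::::::s::::::23:
pub:-:4096:1:2222222222222222:1500000000::-:::scESC::::::::
uid:-::::1500000000::0000000000000000000000000000000000000001::Example Archive Key <archive@example.org>::::::::::0:
sub:-:4096:1:3333333333333333:1500000000::::::s::::::23:
pub:-:1024:17:4444444444444444:1100000000::-:::scaSC::::::::
uid:-::::1100000000::0000000000000000000000000000000000000002::Old DSA Key <dsa@example.org>::::::::::0:
sub:-:2048:16:5555555555555555:1100000000::::::e::::::23:'

if [ "${1:-}" = "--live" ]; then
    audit_apt_keyrings          # walk the real trust store (needs gpg)
else
    printf '%s\n' "$SAMPLE_COLONS" | flag_weak_keys   # offline demo
fi
```

Against the sample the check reports the 1024-bit RSA primary key and its 1024-bit signing subkey, plus the 1024-bit DSA key, and stays silent on the 4096-bit key. The subkey case matters in practice: a 4096-bit primary key is no help if the subkey that actually signs the Release file is 1024 bits. Keys that a `.sources` entry references only via `Signed-By` are outside the live walk and need the same check run on that keyring.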
