** Description changed: - Although the packages listed in meta-release files on - changelogs.ubuntu.com are signature-checked there doesn't appear to be - any way to verify the meta-release files are valid so a man-in-the- - middle could maliciously supply an alternate meta-release. + [Impact] + Although the packages listed in meta-release files on changelogs.ubuntu.com are signature-checked there doesn't appear to be any way to verify the meta-release files are valid so a man-in-the-middle could maliciously supply an alternate meta-release. meta-release files should be signed with the archive GPG key and/or delivered over HTTPS. + + [Test case] + Block port 80 access to changelogs.ubuntu.com and check that do-release-upgrade still works + + [Regression potential] + This breaks any clients behind a proxy where HTTPS is not allowed.
** Description changed: [Impact] Although the packages listed in meta-release files on changelogs.ubuntu.com are signature-checked there doesn't appear to be any way to verify the meta-release files are valid so a man-in-the-middle could maliciously supply an alternate meta-release. meta-release files should be signed with the archive GPG key and/or delivered over HTTPS. [Test case] Block port 80 access to changelogs.ubuntu.com and check that do-release-upgrade still works [Regression potential] - This breaks any clients behind a proxy where HTTPS is not allowed. + This breaks any clients behind a proxy where HTTPS (CONNECT on the proxy) is not allowed. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1744318 Title: changelogs.ubuntu.com should be using HTTPS To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ubuntu-release-upgrader/+bug/1744318/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
