*** This bug is a security vulnerability ***

Public security bug reported:

The AMI to use for spawning machines is determined by querying
uec-images.ubuntu.com. A malicious attacker could use a DNS spoof attack
to cause the 'bootstrap' to spawn their compromised AMI instead of the
official Ubuntu AMIs.

Also the URL has been changed from 'uec-images' to 'cloud-images'
upstream, as the UEC product is now just 'Ubuntu Cloud'.

** Affects: juju
     Importance: High
     Assignee: Clint Byrum (clint-fewbar)
     Status: In Progress

** Affects: juju (Ubuntu)
     Importance: High
     Status: Triaged

** Branch linked: lp:~clint-fewbar/juju/fix-cloud-images-url

** Changed in: juju
     Status: New => In Progress

** Changed in: juju
     Milestone: None => honolulu

** Changed in: juju
     Assignee: (unassigned) => Clint Byrum (clint-fewbar)

** This bug has been flagged as a security vulnerability

** Also affects: juju (Ubuntu)
     Importance: Undecided
     Status: New

** Changed in: juju (Ubuntu)
     Status: New => Triaged

** Changed in: juju
     Importance: Undecided => High

** Changed in: juju (Ubuntu)
     Importance: Undecided => High

** Changed in: juju
     Milestone: honolulu => florence

-- 
https://bugs.launchpad.net/bugs/965507

Title:
  Juju uses http to contact uec-images.ubuntu.com
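
An added example, not part of the bug report or of juju's code: one way to make the image lookup resistant to a spoofed DNS answer is to require HTTPS with certificate verification on the expected host and to apply the same rule to redirects. It assumes the Python 3 standard library; `check_image_url`, `StrictRedirects`, `make_opener`, `fetch_image_index` and the allow-list are hypothetical names, and no real juju lookup path is shown.

```python
import ssl
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Assumption: only the upstream host named in the report is trusted.
# Callers pass the full lookup URL; no real juju path is hard-coded here.
ALLOWED_HOSTS = {"cloud-images.ubuntu.com"}


def check_image_url(url):
    """Return url unchanged if it is HTTPS on an allowed host, else raise."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("image lookup must use https, got %r" % parts.scheme)
    if parts.hostname not in ALLOWED_HOSTS:
        raise ValueError("unexpected image host %r" % parts.hostname)
    if parts.username or parts.password or parts.port not in (None, 443):
        raise ValueError("credentials or non-default port in image URL")
    return url


class StrictRedirects(urllib.request.HTTPRedirectHandler):
    """Apply the same checks to every redirect target, so a response cannot
    downgrade the lookup to http or send it to another host."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        try:
            check_image_url(newurl)
        except ValueError as exc:
            raise urllib.error.HTTPError(newurl, code, str(exc), headers, fp)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def make_opener():
    # create_default_context() verifies the certificate chain and hostname,
    # so a spoofed DNS answer leads to a failed handshake, not a trusted reply.
    ctx = ssl.create_default_context()
    return urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=ctx), StrictRedirects())


def fetch_image_index(url, timeout=10):
    """Fetch the image index as text; performs network I/O."""
    with make_opener().open(check_image_url(url), timeout=timeout) as resp:
        return resp.read().decode("utf-8")
```
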