*** This bug is a security vulnerability ***

Public security bug reported:

The AMI to use for spawning machines is determined by querying
uec-images.ubuntu.com. A malicious attacker could use a DNS spoof attack
to cause the 'bootstrap' to spawn their compromised AMI instead of the
official Ubuntu AMIs. Also the URL has been changed from 'uec-images'
to 'cloud-images' upstream, as the UEC product is now just 'Ubuntu Cloud'.

** Affects: juju
     Importance: High
     Assignee: Clint Byrum (clint-fewbar)
         Status: In Progress

** Affects: juju (Ubuntu)
     Importance: High
         Status: Triaged

** Branch linked: lp:~clint-fewbar/juju/fix-cloud-images-url

** Changed in: juju
       Status: New => In Progress

** Changed in: juju
    Milestone: None => honolulu

** Changed in: juju
     Assignee: (unassigned) => Clint Byrum (clint-fewbar)

** This bug has been flagged as a security vulnerability

** Also affects: juju (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: juju (Ubuntu)
       Status: New => Triaged

** Changed in: juju
   Importance: Undecided => High

** Changed in: juju (Ubuntu)
   Importance: Undecided => High

** Changed in: juju
    Milestone: honolulu => florence

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to juju in Ubuntu.
https://bugs.launchpad.net/bugs/965507

Title:
  Juju uses http to contact uec-images.ubuntu.com

To manage notifications about this bug go to:
https://bugs.launchpad.net/juju/+bug/965507/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
