Clint Byrum
2012-Aug-24 00:40 UTC
[Secure-testing-team] Bug#685728: juju: Communication with store.juju.ubuntu.com is not authenticated
Package: juju
Version: 0.5.1+bzr563-0juju2~quantal1
Severity: grave
Tags: security patch upstream
Justification: user security hole

This problem with juju has been fixed in upstream trunk and so can be
considered "disclosed".

When using juju with the built-in "charm store" at store.juju.ubuntu.com,
the SSL certificate is not verified. This could lead to a man-in-the-middle
attack where an attacker could have trojaned "charms" installed instead of
the official charms.

-- System Information:
Debian Release: wheezy/sid
  APT prefers quantal-updates
  APT policy: (500, 'quantal-updates'), (500, 'quantal-security'), (500, 'quantal'), (400, 'precise-proposed')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.5.0-10-generic (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages juju depends on:
ii  openssh-client     1:6.0p1-2ubuntu1
ii  python             2.7.3-0ubuntu5
ii  python-oauth       1.0.1-3build1
ii  python-twisted     12.0.0-1ubuntu1
ii  python-txaws       0.2.3-1ubuntu1
ii  python-txzookeeper 0.9.5-1
ii  python-yaml        3.10-4
ii  python2.7          2.7.3-0ubuntu4
ii  tmux               1.6-2

Versions of packages juju recommends:
ii  byobu              5.21-0ubuntu1
ii  python-pydot       1.0.2-1

Versions of packages juju suggests:
ii  apt-cacher-ng      0.7.7-1ubuntu1
ii  libvirt-bin        0.9.13-0ubuntu7
ii  lxc                0.8.0~rc1-4ubuntu24
ii  zookeeper          3.3.6+dfsg-0ubuntu1

-- no debconf information

-------------- next part --------------
A non-text attachment was scrubbed...
Name: upstream-565.patch
Type: text/x-diff
Size: 4545 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20120823/74dd742b/attachment.patch>