Communication with store.juju.ubuntu.com is not authenticated

Bug #992447 reported by Clint Byrum
Affects          Status        Importance  Assigned to    Milestone
pyjuju           Fix Released  Critical    Clint Byrum
  0.5            Fix Released  Critical    Clint Byrum
juju (Ubuntu)    Fix Released  Critical    Clint Byrum
  Oneiric        Won't Fix     Undecided   Unassigned
  Precise        Fix Released  Medium      Steve Beattie
  Quantal        Fix Released  Critical    Clint Byrum

Bug Description

twisted.web.client is used, getPage and downloadPage specifically, to talk to the backend charm store.

This is not authenticated at all, so a man in the middle between agent and charm store could cause an agent to download a trojaned charm.
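The check the fix later adds ("verify charm store hostname matches hostname on SSL certificate") as an added example, not juju's or Twisted's own code: RFC 6125-style matching of a dialed hostname against a certificate's dNSName entries with CN fallback, failing closed on mismatch. The certificates are constructed dicts in the shape of Python's ssl getpeercert() output; the "snake-oil" one stands in for the stock self-signed localhost certificate used in the testing comment below.

```python
# Added example, not juju's own code: the hostname check this report asked
# for (verify the charm store hostname matches the SSL certificate). A client
# that skips it accepts any certificate, which is the MITM exposure described.
# Certificates below are constructed dicts shaped like ssl getpeercert() output.


class HostnameMismatch(Exception):
    """Raised when the certificate does not name the host that was dialed."""


def _dns_name_matches(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive exact match, or a wildcard
    that is the whole leftmost label and covers exactly one label, so
    '*.juju.ubuntu.com' matches 'store.juju.ubuntu.com' but not
    'a.b.juju.ubuntu.com'; too-broad patterns such as '*.com' are rejected."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in "".join(p_labels[1:]):
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches_cert(hostname, cert):
    """True if cert names hostname. subjectAltName dNSName entries take
    precedence; the subject commonName counts only when there is no dNSName."""
    dns_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if dns_names:
        return any(_dns_name_matches(n, hostname) for n in dns_names)
    return any(_dns_name_matches(value, hostname)
               for rdn in cert.get("subject", ())
               for key, value in rdn if key == "commonName")


def check_store_peer(hostname, cert):
    """Fail closed: a mismatch aborts the charm download instead of warning."""
    if not hostname_matches_cert(hostname, cert):
        raise HostnameMismatch("certificate does not match %r" % hostname)
    return True


# Constructed sample certificates (not real ones).
SNAKE_OIL_CERT = {"subject": ((("commonName", "localhost"),),)}  # stock self-signed
STORE_CERT = {"subject": ((("commonName", "store.juju.ubuntu.com"),),),
              "subjectAltName": (("DNS", "store.juju.ubuntu.com"),)}
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.juju.ubuntu.com"),)}
```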


Clint Byrum (clint-fewbar) wrote :

[tap,tap] This issue seems rather serious, and yet has received no response yet. I hope we'll be a bit more responsive to future security bugs.

Kapil Thangavelu (hazmat) wrote : Re: [Bug 992447] Re: Communication with store.juju.ubuntu.com is not authenticated

Noted, in future the team will have more resources for proper maintenance.
Jim, could you have a look at this (will also ping on IRC).

On Tue, Jul 24, 2012 at 7:43 AM, Clint Byrum <email address hidden> wrote:

> [tap,tap] This issue seems rather serious, and yet has received no
> response yet. I hope we'll be a bit more responsive to future security
> bugs.

Changed in juju:
status: New → In Progress
assignee: nobody → Clint Byrum (clint-fewbar)
Changed in juju:
milestone: none → honolulu
Changed in juju (Ubuntu Oneiric):
status: New → Won't Fix
Changed in juju (Ubuntu Precise):
status: New → In Progress
assignee: nobody → Clint Byrum (clint-fewbar)
Changed in juju (Ubuntu Quantal):
status: New → In Progress
assignee: nobody → Clint Byrum (clint-fewbar)
Clint Byrum (clint-fewbar) wrote :

Attached is an update for precise. It contains fixes for all known security issues in juju on precise. Quantal should receive the latest version of Juju shortly which will bring it up to date with this patch.

Changed in juju (Ubuntu Precise):
status: In Progress → Confirmed
Clint Byrum (clint-fewbar) wrote :

Testing: I installed the packages and changed /etc/hosts to have store.juju.ubuntu.com point to 127.0.0.1, which was running an Apache with a snake-oil certificate. An OpenSSL error was the result, which is the desired result.

Clint Byrum (clint-fewbar) wrote :

Making public since the commits have landed in juju's trunk.

visibility: private → public
Changed in juju (Ubuntu Quantal):
status: In Progress → Fix Released
Changed in juju (Ubuntu Precise):
importance: Undecided → Medium
Changed in juju:
status: In Progress → Fix Committed
Steve Beattie (sbeattie) wrote :

Clint,

Thanks, debdiff looks good. I'll push this out today.

Changed in juju (Ubuntu Precise):
status: Confirmed → In Progress
assignee: Clint Byrum (clint-fewbar) → Steve Beattie (sbeattie)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package juju - 0.5+bzr531-0ubuntu1.3

---------------
juju (0.5+bzr531-0ubuntu1.3) precise-security; urgency=low

  * SECURITY UPDATE: d/p/upstream-543.patch: Disable password authentication
    on LXC containers created in the local provider. (LP: #1016428)
  * SECURITY UPDATE: d/p/upstream-564.patch: Fix example mysql charm to
    not expose root mysql password to all users. (LP: #1040165)
  * SECURITY UPDATE: d/p/upstream-565.patch: Verify charm store hostname
    matches hostname on SSL certificate. (LP: #992447)
 -- Clint Byrum <email address hidden> Thu, 23 Aug 2012 17:12:26 -0700

Changed in juju (Ubuntu Precise):
status: In Progress → Fix Released
Steve Beattie (sbeattie) wrote :

Clint,

FYI, I slightly modified the patch headers to make them DEP-3 compliant (added Subject: lines with brief descriptions of the issues they address).

Unsubscribing ubuntu-security-sponsors since there are no more open tasks for that team to undertake.

Thanks!

Changed in juju (Ubuntu Quantal):
milestone: none → ubuntu-12.10
Changed in juju (Ubuntu Quantal):
milestone: ubuntu-12.10 → ubuntu-12.10-beta-2
importance: Undecided → High
Changed in juju (Ubuntu Quantal):
importance: High → Critical
Changed in juju:
status: Fix Committed → Fix Released