pyjuju

Juju uses http to contact uec-images.ubuntu.com

Bug #965507 reported by Clint Byrum on 2012-03-26

258

This bug affects 1 person

	Status	Importance	Assigned to	Milestone
pyjuju	Fix Released	High	Clint Byrum	pyjuju florence
juju (Ubuntu)	Fix Released	High	Unassigned	Ubuntu ubuntu-12.04
Precise	Fix Released	High	Unassigned	Ubuntu ubuntu-12.04

Bug Description

The AMI to use for spawning machines is determined by querying
uec-images.ubuntu.com. A malicious attacker could use a DNS spoof attack
to cause the 'bootstrap' to spawn their compromised AMI instead of the
official Ubuntu AMI's. Also the URL has been chagned from 'uec-images'
to 'cloud-images' upstream, as the UEC product is now just 'Ubuntu Cloud'.

Related branches

lp://qastaging/~clint-fewbar/pyjuju/fix-cloud-images-url

Merged into lp://qastaging/pyjuju at revision 497

Juju Engineering: Pending requested 2012-03-26

lp://qastaging/ubuntu/precise/juju

Clint Byrum (clint-fewbar) on 2012-03-26

Changed in juju:
assignee:	nobody → Clint Byrum (clint-fewbar)
milestone:	none → honolulu
status:	New → In Progress
security vulnerability:	no → yes
Changed in juju (Ubuntu):
status:	New → Triaged
Changed in juju:
importance:	Undecided → High
Changed in juju (Ubuntu):
importance:	Undecided → High
Changed in juju:
milestone:	honolulu → florence

Revision history for this message

Clint Byrum (clint-fewbar) wrote on 2012-03-26:

So, changing to an https url only solves the problem halfway. It turns out twisted's web client does not verify certs. That is also a problem for the backend charm store (https://store.juju.ubuntu.com). I am expanding this bug then, to include that url as well and clarifying the title to represent the true nature of the problem.

txaws includes twisted code to verify the certs on Ubuntu systems, so I will add that. This may mean that the client breaks on other systems such as OS X since OS X will not have its CA certificates in /etc/ssl.

Kapil Thangavelu (hazmat) on 2012-03-26

Changed in juju:
status:	In Progress → Fix Released

Revision history for this message

Clint Byrum (clint-fewbar) wrote on 2012-03-27: Re: [Bug 965507] Re: Juju uses http to contact uec-images.ubuntu.com

Excerpts from Clint Byrum's message of Mon Mar 26 21:18:45 UTC 2012:
> So, changing to an https url only solves the problem halfway. It turns
> out twisted's web client does not verify certs. That is also a problem
> for the backend charm store (https://store.juju.ubuntu.com). I am
> expanding this bug then, to include that url as well and clarifying the
> title to represent the true nature of the problem.
>
> txaws includes twisted code to verify the certs on Ubuntu systems, so I
> will add that. This may mean that the client breaks on other systems
> such as OS X since OS X will not have its CA certificates in /etc/ssl.

FYI, the bug for verifying certs is bug #781949

Clint Byrum (clint-fewbar) on 2012-03-29

Changed in juju (Ubuntu Precise):
milestone:	none → ubuntu-12.04
status:	Triaged → Fix Committed

Revision history for this message

Launchpad Janitor (janitor) wrote on 2012-03-30:

This bug was fixed in the package juju - 0.5+bzr504-0ubuntu1

---------------
juju (0.5+bzr504-0ubuntu1) precise; urgency=low

  * New upstream snapshot (LP: #962507 LP: #953258 LP: #965507).
  * d/control: Depend and Build-Depend on python-oauth for MaaS.
  * d/control: Drop dummy ensemble package and make breaks/replaces
    broader to force removal of any ensemble package. (LP: #954492)
  * d/control: Move lxc, libvirt-bin, and zookeeper to Suggests to
    reduce the amount of packages installed on every node unecessarily
    and also avoid conflicting when deploying into a libvirt-bin
    default network VM (LP: #962389)
  * d/rules: skip test suite when nocheck is set.
  * d/rules: remove redundant dh_clean call
  * d/juju.install: remove usr, with only one binary package this is
    not necessary anymore and causes dh_install to fail because no
    files are installed to debian/tmp anymore.
  * d/rules,d/control,d/manpages,d/juju.manpages: Generate basic
    manpage from online help. (LP: #966611)
  * d/patches/no-write-sample-on-help.patch: Added so --help can be
    safely run without a writable home dir on buildds. (LP: #957682)
-- Clint Byrum <email address hidden> Fri, 30 Mar 2012 15:28:16 -0700

Changed in juju (Ubuntu Precise):
status:	Fix Committed → Fix Released

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.