[Bug 1744318] Re: changelogs.ubuntu.com should be using HTTPS

Brian Murray brian at ubuntu.com
Thu Oct 3 16:49:33 UTC 2019 

Hello TJ, or anyone else affected,

Accepted ubuntu-release-upgrader into xenial-proposed. The package will
build now and be available at https://launchpad.net/ubuntu/+source
/ubuntu-release-upgrader/1:16.04.27 in a few hours, and then in the
-proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested and change the tag from
verification-needed-xenial to verification-done-xenial. If it does not
fix the bug for you, please add a comment stating that, and change the
tag to verification-failed-xenial. In either case, without details of
your testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: ubuntu-release-upgrader (Ubuntu Xenial)
       Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to update-manager in Ubuntu.
https://bugs.launchpad.net/bugs/1744318

Title:
  changelogs.ubuntu.com should be using HTTPS

Status in ubuntu-release-upgrader package in Ubuntu:
  Fix Released
Status in update-manager package in Ubuntu:
  Fix Released
Status in ubuntu-release-upgrader source package in Xenial:
  Fix Committed
Status in update-manager source package in Xenial:
  Fix Committed
Status in ubuntu-release-upgrader source package in Bionic:
  Fix Released
Status in update-manager source package in Bionic:
  Fix Released

Bug description:
  [Impact]
  Although the packages listed in meta-release files on changelogs.ubuntu.com are signature-checked there doesn't appear to be any way to verify the meta-release files are valid so a man-in-the-middle could maliciously supply an alternate meta-release.

  meta-release files should be signed with the archive GPG key and/or
  delivered over HTTPS.

  [Test case]
  Block port 80 access to changelogs.ubuntu.com and check that do-release-upgrade still works

  [Regression potential]
  This breaks any clients behind a proxy where HTTPS (CONNECT on the proxy) is not allowed.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-release-upgrader/+bug/1744318/+subscriptions

More information about the foundations-bugs mailing list