launchpad-reviewers team mailing list archive
-
launchpad-reviewers team
-
Mailing list archive
-
Message #11172
[Bug 1039513] [NEW] maas-import-pxe-files should cryptographically verify what it downloads
*** This bug is a security vulnerability ***
Private security bug reported:
Currently, maas-import-pxe-files uses HTTP to download its files,
including pxelinux.0 and netboot kernel image and initrd. In theory,
somebody could intercept this and inject a malicious payload.
maas-import-ephemerals avoids this by using HTTPS, but:
1) This prevents (easy) caching
2) archive.ubuntu.com doesn't appear to support HTTPS
3) The files we need are indirectly signed, so if we just try to verify what is there we'll end up with the same race condition that apt faces in bug 972077
** Affects: maas
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of MAAS
Maintainers, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1039513
Title:
maas-import-pxe-files should cryptographically verify what it
downloads
Status in MAAS:
New
Bug description:
Currently, maas-import-pxe-files uses HTTP to download its files,
including pxelinux.0 and netboot kernel image and initrd. In theory,
somebody could intercept this and inject a malicious payload.
maas-import-ephemerals avoids this by using HTTPS, but:
1) This prevents (easy) caching
2) archive.ubuntu.com doesn't appear to support HTTPS
3) The files we need are indirectly signed, so if we just try to verify what is there we'll end up with the same race condition that apt faces in bug 972077
To manage notifications about this bug go to:
https://bugs.launchpad.net/maas/+bug/1039513/+subscriptions
Follow ups
References