Hello xtsbdu3reyrbrmroezob, or anyone else affected, Accepted ubuntu-geoip into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu- geoip/1.0.2+14.04.20131125-0ubuntu2.16.04.1 in a few hours, and then in the -proposed repository.
Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping! N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days. ** Tags added: verification-needed verification-needed-xenial -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to ubuntu-geoip in Ubuntu. https://bugs.launchpad.net/bugs/1617535 Title: geoip.ubuntu.com does not utilize HTTPS Status in ubuntu-geoip package in Ubuntu: Fix Released Status in ubuntu-geoip source package in Trusty: Triaged Status in ubuntu-geoip source package in Xenial: Fix Committed Status in ubuntu-geoip source package in Artful: Won't Fix Bug description: Impact ------ It's better to use https where we can. There were concerns about location leakage for users using a proxy (such as Tor). Test Case --------- 1) Install patches / patched package 2) Confirm that the 'geoip url' is set to a correct 'https' value, and that this value is set as the default: `$ gsettings get com.ubuntu.geoip geoip-url` should display `https://geoip.ubuntu.com/lookup` `$ gsettings reset com.ubuntu.geoip geoip-url && gsettings get com.ubuntu.geoip geoip-url` should continue to display `https://geoip.ubuntu.com/lookup` (this will confirm that the `https` value is set as the default. 3) Confirm that the the correct location is being retrieved by the Ubuntu geoip service: apt install geoclue-examples and then geoclue-test-gui . . . should show correct location information. Regression Potential -------------------- As long as Canonical maintains https://geoip.ubuntu.com, things should be fine here. Minimal fix. Original Bug Report ------------------- geoip.ubuntu.com does not utilize HTTPS and leaks unencrypted over HTTP. This can potentially be utilized by nation state adversaries to compromise user privacy. This service is called multiple times per day by the OS in order to track users. $ nc -zv geoip.ubuntu.com 80 Connection to geoip.ubuntu.com 80 port [tcp/http] succeeded! $ nc -zv -w 3 geoip.ubuntu.com 443 nc: connect to geoip.ubuntu.com port 443 (tcp) timed out To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ubuntu-geoip/+bug/1617535/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
