We're marking this issue as "Fix Released" for LXC due to the removal of all those scripts from the standard LXC distribution, instead relying on distrobuilder for our users to generate custom LXC images (which can then be consumed by the lxc-local template).
--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1661447

Title:
  Arbitrary code execution in centos template

Status in lxc package in Ubuntu:
  Fix Released

Bug description:
  All the RPMs which get installed in an lxc-centos container are downloaded insecurely over http and then installed with yum --nogpgcheck. A man in the middle attacker, web proxy admin, or whoever can use this to install arbitrary code into the container which will then get executed as root.

  The GPG keys should probably be shipped as part of the package where they are covered by the root of trust for the host distro. Or at the very least, https should be used to fetch the RPMs.
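
As an added example (not part of the bug report or the LXC project's code), this shell audit flags the two patterns the bug description names in a template script: package fetches over cleartext `http://` and disabled GPG checking. The sample scripts, mirror host, rule names and key path are constructed for illustration.

```shell
#!/bin/sh
# Added example (not LXC project code): flag unauthenticated package
# installation in a template script. Rule names are assumptions.

# audit_template FILE -> prints "LINE:RULE:TEXT" per finding, returns 1 if any.
audit_template() {
    awk '
        BEGIN { bad = 0 }
        /^[ \t]*#/ { next }                       # skip comment lines
        /--nogpgcheck/ { print NR ":nogpgcheck-flag:" $0; bad = 1 }
        /gpgcheck[ \t]*=[ \t]*0/ { print NR ":gpgcheck-disabled:" $0; bad = 1 }
        # cleartext URL on a line that fetches or configures packages
        /http:\/\// && /(baseurl|mirrorlist|curl|wget|rpm|yum)/ {
            print NR ":cleartext-fetch:" $0; bad = 1
        }
        END { exit bad }
    ' "$1"
}

# Constructed input resembling the pattern in the bug description.
write_insecure_sample() {
    cat > "$1" <<'EOF'
# bootstrap packages (a comment mentioning --nogpgcheck is ignored)
RELEASE_URL="http://mirror.example.org/centos/7/os/x86_64/centos-release.rpm"
curl -f "$RELEASE_URL" > "$tmp/centos-release.rpm"
yum --installroot "$root" -y --nogpgcheck install yum initscripts
EOF
}

# Constructed hardened counterpart: HTTPS fetch, signature checking left on,
# key imported from a path shipped by the host package (hypothetical path).
write_hardened_sample() {
    cat > "$1" <<'EOF'
RELEASE_URL="https://mirror.example.org/centos/7/os/x86_64/centos-release.rpm"
curl -f "$RELEASE_URL" > "$tmp/centos-release.rpm"
rpm --root "$root" --import /usr/share/lxc/keys/RPM-GPG-KEY-CentOS-7
yum --installroot "$root" -y install yum initscripts
EOF
}

demo_dir=$(mktemp -d)
write_insecure_sample "$demo_dir/insecure.sh"
write_hardened_sample "$demo_dir/hardened.sh"
audit_template "$demo_dir/insecure.sh" || echo "insecure.sh: findings above"
audit_template "$demo_dir/hardened.sh" && echo "hardened.sh: clean"
rm -rf "$demo_dir"
```

The non-zero return value on findings lets the check gate a packaging or CI step that reviews template scripts before they ship.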