* A description of the proposed changes, with sufficient detail to estimate their potential impact on the distribution

When connecting to the key information server, to check whether a GPG software-signing key should be trusted, 0install asks Python to check that the server has a valid HTTPS certificate. However, Python's certificate validator does not check that the certificate presented is for the site requested. Therefore, an attacker with a valid X.509 certificate for another site can impersonate the key information server. 0install 1.6 contains a fix for this (doing the validation itself).

* A rationale for the exception, explaining the benefit of the change

A release should not go out with a known security flaw.

* Any additional information which would be helpful in considering the decision

The changes between 1.4.1 and 1.6 are quite minor (mostly bug-fixes). A PPA package of 1.6 for precise is here: https://launchpad.net/~talex5/+archive/0install

This PPA is a direct import from Debian (it does not contain the patch for bug #953756). I will upload a patch for that once the sync is done.

Thanks,

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/964415

Title:
  Please sync from Debian to get security fix

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/zeroinstall-injector/+bug/964415/+subscriptions
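An added illustration from the editor, not 0install's own fix, of the missing check described in the bug: a hostname match over a certificate in the form Python's `ssl` module returns from `getpeercert()`, plus a connection helper that relies on the standard library's own hostname verification (`ssl.create_default_context()`, available in later Python versions). The server name `keylookup.example.org` and the certificate contents are constructed placeholders, not the real key information server.

```python
"""Hostname verification for a TLS peer certificate (editor's example)."""
import socket
import ssl


def _dns_name_match(pattern: str, hostname: str) -> bool:
    """Match one certificate name against the requested host (case-insensitive,
    trailing dot ignored).  A wildcard is honoured only as the entire leftmost
    label, never matches across a dot, and is refused for names like *.org."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels, hlabels = pattern.split("."), hostname.split(".")
    if plabels[0] != "*" or len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    return plabels[1:] == hlabels[1:]


def cert_matches_hostname(cert: dict, hostname: str) -> bool:
    """True only if the certificate was issued for `hostname`.  DNS entries in
    subjectAltName take precedence; the subject commonName is consulted only
    when the certificate carries no subjectAltName at all."""
    san_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san_names:
        return any(_dns_name_match(p, hostname) for p in san_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_name_match(value, hostname)
    return False  # no name at all: a valid cert for "something" is not enough


def fetch_peer_cert(host: str, port: int = 443) -> dict:
    """Connect with chain validation AND hostname checking enabled, i.e. the
    check the old code skipped, and return the parsed peer certificate.
    Raises ssl.CertificateError on a name mismatch.  Needs network access."""
    ctx = ssl.create_default_context()  # check_hostname=True, CERT_REQUIRED
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates in getpeercert() form (placeholders, not real).
OTHER_SITE = {"subject": ((("commonName", "www.example.net"),),),
              "subjectAltName": (("DNS", "www.example.net"),)}
KEY_SERVER = {"subject": ((("commonName", "keylookup.example.org"),),),
              "subjectAltName": (("DNS", "keylookup.example.org"),
                                 ("DNS", "*.example.org"))}
```

`cert_matches_hostname(OTHER_SITE, "keylookup.example.org")` is the case from the bug report: a perfectly valid certificate for a different site, which must be rejected even though the chain validates.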