By the way, this patch replaced a regexp with json.loads():
http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/quantal/software-properties/quantal/revision/77
That was good, because a regexp could have been vulnerable to some sort of XSS/injection sort of problem. But the patch mistakenly left the following no-longer-true comment in place:

    # we ask for a JSON structure from lp_page, we could use
    # simplejson, but the format is simple enough for the regexp

That comment should be removed.

--
https://bugs.launchpad.net/bugs/1016643

Title:
  add-apt-repository downloads gpg key in an insecure fashion