I don't think it was a safe decision to link the security of the Ubuntu base OS to curl running as root every 12 hours via motd-news just to display ads for products and not important security messages as suggested in the original ticket (1637800).
Just imagine the consequence of https://motd.ubuntu.com being compromised and starting to redirect to a TFTP URL and send private memory contents from the root account every 12 hours, or if curl has a new vulnerability such as a buffer overflow discovered automatically by Google's OSS-Fuzz and not yet patched within 30 days by the curl maintainers or by the Ubuntu Security Team.

https://curl.haxx.se/docs/CVE-2017-1000100.html

A malicious HTTP(S) server could redirect a vulnerable libcurl-using client to a crafted TFTP URL (if the client hasn't restricted which protocols it allows redirects to) and trick it to send private memory contents to a remote server over UDP.

https://bugs.chromium.org/p/oss-fuzz/issues/list?q=curl&can=1&sort=-reported

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-1000100

--
https://bugs.launchpad.net/bugs/1867424

Title:
  motd-news transmitting private hardware data without consent or knowledge in background
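The advisory text quoted above turns on whether the client restricts which protocols a redirect may switch to. The following is an added example, not part of the bug report or of any Ubuntu script: a heuristic audit that flags curl invocations in a shell script which follow redirects without pinning them to HTTPS via curl's `--proto-redir` option. The function names and the sample script are constructed for illustration.

```shell
#!/bin/sh
# classify_curl_line LINE -> prints not-curl | no-follow | pinned | unpinned
# Heuristic only: works on one physical line, does not parse shell quoting.
classify_curl_line() {
    line=$(printf '%s\n' "$1" | sed 's/^[[:space:]]*//')
    case $line in
        '#'*) echo not-curl; return ;;          # comment or shebang
    esac
    # curl as a command word: at line start or after a separator
    if ! printf '%s\n' "$line" | grep -Eq '(^|[;&|([:space:]])curl([[:space:]]|$)'; then
        echo not-curl; return
    fi
    # redirects are followed only with -L / --location (-L may be bundled, e.g. -sSL)
    if ! printf '%s\n' "$line" | grep -Eq '[[:space:]](--location(-trusted)?|-[a-zA-Z]*L[a-zA-Z]*)([[:space:]]|$)'; then
        echo no-follow; return
    fi
    # pinned means redirects are limited to https and nothing else
    if printf '%s\n' "$line" | grep -Eq -- "--proto-redir[[:space:]]+['\"]?=https['\"]?([[:space:]]|\$)"; then
        echo pinned
    else
        echo unpinned
    fi
}

# audit_script FILE -> prints "LINENO:verdict" for every curl invocation found
audit_script() {
    n=0
    while IFS= read -r l || [ -n "$l" ]; do
        n=$((n + 1))
        verdict=$(classify_curl_line "$l")
        [ "$verdict" = not-curl ] || printf '%s:%s\n' "$n" "$verdict"
    done < "$1"
}

# Constructed sample input (not the real motd-news script)
sample=$(mktemp)
cat > "$sample" <<'EOF'
#!/bin/sh
# fetch a message of the day
curl -s -o /tmp/a "$URL"
curl -sSL -o /tmp/b "$URL"
curl --location --proto '=https' --proto-redir '=https' -o /tmp/c "$URL"
EOF
audit_script "$sample"
rm -f "$sample"
```

Lines reported as `unpinned` are the ones to review; `no-follow` invocations never act on a redirect at all.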