2016-08-27 09:16:31 |
xtsbdu3reyrbrmroezob |
bug |
|
|
added bug |
2016-08-27 09:46:11 |
Seth Arnold |
information type |
Private Security |
Public Security |
|
2016-08-27 09:46:15 |
Seth Arnold |
ubuntu-geoip (Ubuntu): status |
New |
Incomplete |
|
2016-08-27 10:12:46 |
xtsbdu3reyrbrmroezob |
bug watch added |
|
https://trac.torproject.org/projects/tor/ticket/6314 |
|
2016-08-31 03:59:10 |
Haw Loeung |
bug |
|
|
added subscriber Haw Loeung |
2017-10-12 06:08:18 |
Gianfranco Costamagna |
ubuntu-geoip (Ubuntu): status |
Incomplete |
New |
|
2017-10-12 06:08:34 |
Gianfranco Costamagna |
bug |
|
|
added subscriber Ubuntu Security Team |
2017-10-12 06:09:52 |
Gianfranco Costamagna |
bug |
|
|
added subscriber LocutusOfBorg |
2017-10-12 11:19:02 |
Marc Deslauriers |
ubuntu-geoip (Ubuntu): status |
New |
Confirmed |
|
2017-10-12 11:19:05 |
Marc Deslauriers |
ubuntu-geoip (Ubuntu): importance |
Undecided |
Wishlist |
|
2018-02-23 15:41:30 |
Jeremy Bícha |
bug |
|
|
added subscriber Jeremy Bicha |
2018-02-23 15:58:17 |
Jeremy Bícha |
nominated for series |
|
Ubuntu Artful |
|
2018-02-23 15:58:17 |
Jeremy Bícha |
bug task added |
|
ubuntu-geoip (Ubuntu Artful) |
|
2018-02-23 15:58:17 |
Jeremy Bícha |
nominated for series |
|
Ubuntu Trusty |
|
2018-02-23 15:58:17 |
Jeremy Bícha |
bug task added |
|
ubuntu-geoip (Ubuntu Trusty) |
|
2018-02-23 15:58:17 |
Jeremy Bícha |
nominated for series |
|
Ubuntu Xenial |
|
2018-02-23 15:58:17 |
Jeremy Bícha |
bug task added |
|
ubuntu-geoip (Ubuntu Xenial) |
|
2018-02-23 15:58:26 |
Jeremy Bícha |
ubuntu-geoip (Ubuntu): importance |
Wishlist |
Low |
|
2018-02-23 15:58:30 |
Jeremy Bícha |
ubuntu-geoip (Ubuntu Trusty): importance |
Undecided |
Low |
|
2018-02-23 15:58:34 |
Jeremy Bícha |
ubuntu-geoip (Ubuntu Trusty): status |
New |
Triaged |
|
2018-02-23 15:58:38 |
Jeremy Bícha |
ubuntu-geoip (Ubuntu): status |
Confirmed |
Fix Committed |
|
2018-02-23 15:58:41 |
Jeremy Bícha |
ubuntu-geoip (Ubuntu Xenial): importance |
Undecided |
Low |
|
2018-02-23 15:58:45 |
Jeremy Bícha |
ubuntu-geoip (Ubuntu Xenial): status |
New |
Triaged |
|
2018-02-23 15:58:48 |
Jeremy Bícha |
ubuntu-geoip (Ubuntu Artful): importance |
Undecided |
Low |
|
2018-02-23 15:58:52 |
Jeremy Bícha |
ubuntu-geoip (Ubuntu Artful): status |
New |
Triaged |
|
2018-02-23 16:01:24 |
Jeremy Bícha |
description |
geoip.ubuntu.com does not utilize HTTPS and leaks unencrypted over HTTP. This can potentially be utilized by nation state adversaries to compromise user privacy. This service is called multiple times per day by the OS in order to track users.
$ nc -zv geoip.ubuntu.com 80
Connection to geoip.ubuntu.com 80 port [tcp/http] succeeded!
$ nc -zv -w 3 geoip.ubuntu.com 443
nc: connect to geoip.ubuntu.com port 443 (tcp) timed out |
Impact
------
It's better to use https where we can. There were concerns about location leakage for users using a proxy (such as Tor).
Test Case
---------
Regression Potential
--------------------
As long as Canonical maintains https://geoip.ubuntu.com, things should be fine here. Minimal fix.
Original Bug Report
-------------------
geoip.ubuntu.com does not utilize HTTPS and leaks unencrypted over HTTP. This can potentially be utilized by nation state adversaries to compromise user privacy. This service is called multiple times per day by the OS in order to track users.
$ nc -zv geoip.ubuntu.com 80
Connection to geoip.ubuntu.com 80 port [tcp/http] succeeded!
$ nc -zv -w 3 geoip.ubuntu.com 443
nc: connect to geoip.ubuntu.com port 443 (tcp) timed out |
|
2018-02-23 19:59:06 |
Launchpad Janitor |
ubuntu-geoip (Ubuntu): status |
Fix Committed |
Fix Released |
|
2018-03-16 20:03:46 |
Jim Campbell |
attachment added |
|
One-line fix and associated changelog https://bugs.launchpad.net/ubuntu/+source/ubuntu-geoip/+bug/1617535/+attachment/5081720/+files/ubuntu_geoip_url_https_artful.patch |
|
2018-03-16 20:06:47 |
Jim Campbell |
attachment added |
|
One-line fix and associated changelog - Xenial https://bugs.launchpad.net/ubuntu/+source/ubuntu-geoip/+bug/1617535/+attachment/5081721/+files/ubuntu_geoip_url_https_xenial.patch |
|
2018-03-16 20:07:55 |
Jim Campbell |
attachment added |
|
One-line fix and associated changelog - Trusty https://bugs.launchpad.net/ubuntu/+source/ubuntu-geoip/+bug/1617535/+attachment/5081722/+files/ubuntu_geoip_url_https_trusty.patch |
|
2018-03-16 20:08:38 |
Jim Campbell |
bug |
|
|
added subscriber Ubuntu Sponsors Team |
2018-03-16 20:25:33 |
Jim Campbell |
bug |
|
|
added subscriber Jim Campbell |
2018-04-15 04:49:29 |
Simon Quigley |
removed subscriber Ubuntu Sponsors Team |
|
|
|
2019-01-16 20:46:23 |
Sebastien Bacher |
ubuntu-geoip (Ubuntu Artful): status |
Triaged |
Won't Fix |
|
2019-01-17 10:01:58 |
Sebastien Bacher |
ubuntu-geoip (Ubuntu Xenial): status |
Triaged |
Fix Committed |
|
2019-01-17 10:02:39 |
Sebastien Bacher |
description |
Impact
------
It's better to use https where we can. There were concerns about location leakage for users using a proxy (such as Tor).
Test Case
---------
Regression Potential
--------------------
As long as Canonical maintains https://geoip.ubuntu.com, things should be fine here. Minimal fix.
Original Bug Report
-------------------
geoip.ubuntu.com does not utilize HTTPS and leaks unencrypted over HTTP. This can potentially be utilized by nation state adversaries to compromise user privacy. This service is called multiple times per day by the OS in order to track users.
$ nc -zv geoip.ubuntu.com 80
Connection to geoip.ubuntu.com 80 port [tcp/http] succeeded!
$ nc -zv -w 3 geoip.ubuntu.com 443
nc: connect to geoip.ubuntu.com port 443 (tcp) timed out |
Impact
------
It's better to use https where we can. There were concerns about location leakage for users using a proxy (such as Tor).
Test Case
---------
1) Install patches / patched package
2) Confirm that the 'geoip url' is set to a correct 'https' value, and that this value is set as the default:
`$ gsettings get com.ubuntu.geoip geoip-url` should display `https://geoip.ubuntu.com/lookup`
`$ gsettings reset com.ubuntu.geoip geoip-url && gsettings get com.ubuntu.geoip geoip-url` should continue to display `https://geoip.ubuntu.com/lookup` (this will confirm that the `https` value is set as the default).
3) Confirm that the correct location is being retrieved by the Ubuntu geoip service:
apt install geoclue-examples
and then geoclue-test-gui
. . . should show correct location information.
Regression Potential
--------------------
As long as Canonical maintains https://geoip.ubuntu.com, things should be fine here. Minimal fix.
Original Bug Report
-------------------
geoip.ubuntu.com does not utilize HTTPS and leaks unencrypted over HTTP. This can potentially be utilized by nation state adversaries to compromise user privacy. This service is called multiple times per day by the OS in order to track users.
$ nc -zv geoip.ubuntu.com 80
Connection to geoip.ubuntu.com 80 port [tcp/http] succeeded!
$ nc -zv -w 3 geoip.ubuntu.com 443
nc: connect to geoip.ubuntu.com port 443 (tcp) timed out |
|
2019-01-22 22:11:38 |
Brian Murray |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2019-01-22 22:11:42 |
Brian Murray |
bug |
|
|
added subscriber SRU Verification |
2019-01-22 22:11:49 |
Brian Murray |
tags |
|
verification-needed verification-needed-xenial |
|
2019-01-24 13:16:15 |
Sebastien Bacher |
tags |
verification-needed verification-needed-xenial |
verification-done verification-done-xenial |
|
2019-01-30 18:10:48 |
Launchpad Janitor |
ubuntu-geoip (Ubuntu Xenial): status |
Fix Committed |
Fix Released |
|
2019-01-30 18:10:55 |
Brian Murray |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|