https://bugs.kde.org/show_bug.cgi?id=403526

            Bug ID: 403526
           Summary: Can't change repository to https - security bug
           Product: muon
           Version: 5.8.0
          Platform: Neon Packages
                OS: Linux
            Status: REPORTED
          Severity: critical
          Priority: NOR
         Component: muon
          Assignee: echidna...@kubuntu.org
          Reporter: drajdo...@aol.com
                CC: silh...@gmail.com
  Target Milestone: ---

SUMMARY
Security issue (not on the list of bug type?)
Cannot change repository to https. There is a current issue with man in middle attacks on apt. Connecting to a https server reduces this attack for some cases, mainly ISP code injection.

STEPS TO REPRODUCE
In Muon software centre in Kubuntu 18.10
1. open settings
2. open configure software sources - put password in
3. click on Download from
4. Note: repeat with
   sudo nano /etc/apt/sources.list
   edited sources to point to a https server e.g.
   deb https://mirror.one.com/ubuntu/ cosmic main restricted
   check in a terminal
   $ sudo apt update
   to show a https connection has been made.
   Now check to find Download from no longer recognises that repository sources is set.

If you select a repository with https, there is a protocol dropdown, but it is always set to http, and you can't type https.

OBSERVED RESULT
In muon GUI - Be able to set https in Download from, or default to https, but fall back to http.

EXPECTED RESULT
Download from dropdown should show https, and when selected should filter the repository list to https compatible servers

SOFTWARE/OS VERSIONS
Windows:
MacOS:
Linux/KDE Plasma: Linux (x86_64) release 4.18.0-13-generic
(available in About System)
KDE Plasma Version: 5.13.5
KDE Frameworks Version: 5.50.0
Qt Version: 5.11.1

ADDITIONAL INFORMATION
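
An added example, not part of the bug report and not Muon's code: a small audit of one-line-style /etc/apt/sources.list entries that reports which ones are fetched over plain http, the setting the report says the GUI cannot show or change. The function names and the sample file are constructed for illustration; only the mirror.one.com line comes from the report.

```python
import re

# One-line-style sources.list entry: type [options] URI suite [components...]
ENTRY = re.compile(r"""
    ^(?P<type>deb|deb-src)\s+
    (?:\[(?P<opts>[^\]]*)\]\s+)?   # optional [arch=amd64 ...] block
    (?P<uri>\S+)\s+
    (?P<suite>\S+)
    (?P<comps>(?:\s+\S+)*)$
""", re.VERBOSE)

# Constructed sample; only the mirror.one.com line is taken from the report.
SAMPLE = """\
# main archive
deb http://archive.ubuntu.com/ubuntu/ cosmic main restricted
deb https://mirror.one.com/ubuntu/ cosmic main restricted
deb-src [arch=amd64] http://archive.ubuntu.com/ubuntu/ cosmic universe  # sources
deb file:/srv/local-mirror cosmic main
deb https://mirror.one.com/ubuntu/
"""

def parse_sources(text):
    """Parse entries; lines that are not valid entries come back with an 'error' key."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        m = ENTRY.match(line)
        if not m:
            entries.append({"line": lineno, "error": line})
            continue
        uri = m.group("uri")
        entries.append({"line": lineno, "type": m.group("type"), "uri": uri,
                        "scheme": uri.split(":", 1)[0].lower(),
                        "suite": m.group("suite"),
                        "components": m.group("comps").split()})
    return entries

def plaintext_lines(text):
    """Line numbers of entries fetched over plain http."""
    return [e["line"] for e in parse_sources(text) if e.get("scheme") == "http"]

def with_https(line):
    """Rewrite one entry to https; only valid if that mirror serves https."""
    body, sep, comment = line.partition("#")
    return re.sub(r"(?<=\s)http://", "https://", body, count=1) + sep + comment

if __name__ == "__main__":
    for n in plaintext_lines(SAMPLE):
        print(f"line {n}: plain http ->", with_https(SAMPLE.splitlines()[n - 1]))
```

Run against a copy of the real file by passing its contents to `plaintext_lines`; the last sample line (no suite) shows how a malformed entry is reported instead of silently skipped.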