It was reported [1] that FreeCAD downloads and executes code (e.g. ArchCommands.py) from the network over https. This uses urllib2, which does not check https certificates. The downloads occur when attempting to activate non-present module features, such as when opening a DXF file. This can allow a man-in-the-middle attack, leading to code execution. The upstream patch is at [2].

[1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=764814
[2]: https://github.com/FreeCAD/FreeCAD_sf_master/commit/bd1bbff874f5e5a86f4308aa2f840cbd64a77b77
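To illustrate the two halves of the problem described in the report (a TLS client that accepts any certificate, and downloaded code that is executed without being checked), here is an added example; it is not FreeCAD code or the upstream patch, uses Python 3's urllib.request rather than urllib2, and the URL, file name and digest it handles are placeholders.

```python
"""Added example: fetch a remote module only over a verifying TLS connection
and only if it matches a digest shipped with the release (not FreeCAD code)."""
import hashlib
import hmac
import ssl
import urllib.request


def verifying_context():
    # Handshake fails unless the server chain validates against the system
    # trust store and the certificate matches the requested host name.
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def weak_context():
    # The behaviour the report describes: any certificate is accepted, so a
    # network attacker can substitute the file that will later be executed.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_safe(ctx):
    """Return False for a context that would accept an untrusted certificate."""
    return bool(ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED)


def digest_matches(data, expected_sha256):
    """Constant-time comparison of the download against a pinned SHA-256 hex digest."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected_sha256)


def fetch_module(url, expected_sha256, ctx=None):
    """Download a module file; refuse weak TLS settings and unexpected content."""
    ctx = ctx or verifying_context()
    if not context_is_safe(ctx):
        raise ValueError("refusing to download code over an unverified TLS connection")
    if not url.startswith("https://"):
        raise ValueError("module downloads must use https")
    with urllib.request.urlopen(url, context=ctx, timeout=30) as resp:
        data = resp.read()
    if not digest_matches(data, expected_sha256):
        raise ValueError("downloaded module does not match the pinned digest")
    return data


# Constructed sample standing in for a shipped module and its published digest.
SAMPLE_MODULE = b"# constructed stand-in for ArchCommands.py\nprint('hello')\n"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_MODULE).hexdigest()
```

The digest check matters even with a verified connection: it ties the executed file to what the release actually shipped, rather than to whatever the server currently serves.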
Created freecad tracking bugs for this issue:

Affects: fedora-20 [bug 1154609]
Affects: epel-6 [bug 1154610]
This has been fixed upstream for release 0.15 but the fix is not easily ported to the current 0.14 release. Can we call this "fixed"?
0.15 has been updated for rawhide and f22. Due to a library conflict f20 and f21 cannot be updated to 0.15.
freecad-0.15-4.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.