It was reported that FreeCAD downloads and executes code (e.g. ArchCommands.py) from the
network, from https. This uses urllib2, which does not check https
certificates. The files that are downloaded occur when attempting to
activate non-present module features, such as via opening a DXF file.
This can allow a Man-in-the-Middle attack, leading to code execution.
Upstream patch is at .
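For illustration of the missing check described in the report, the following is an added example and not the upstream patch or FreeCAD's code: a Python 3 download helper that validates the server certificate and host name and also pins the expected SHA-256 of the file before the caller may use it. The names `strict_tls_context`, `digest_matches` and `fetch_module`, the size limit, and the idea of shipping a pinned digest are assumptions made for this sketch.

```python
import hashlib
import hmac
import ssl
import urllib.request


def strict_tls_context():
    """TLS context that verifies the certificate chain and the host name."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def digest_matches(data, expected_sha256_hex):
    """Constant-time comparison of the payload's SHA-256 with the pinned value."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_sha256_hex.lower())


def fetch_module(url, expected_sha256_hex, timeout=10, max_bytes=1 << 20):
    """Return the file body only if transport and content checks both pass.

    The caller writes or imports the returned bytes; nothing is executed here.
    """
    if not url.lower().startswith("https://"):
        raise ValueError("refusing non-HTTPS URL")
    with urllib.request.urlopen(url, timeout=timeout,
                                context=strict_tls_context()) as resp:
        # urllib follows redirects, so confirm the final URL is still HTTPS.
        if not resp.geturl().lower().startswith("https://"):
            raise ValueError("redirected away from HTTPS")
        data = resp.read(max_bytes + 1)
    if len(data) > max_bytes:
        raise ValueError("response larger than expected")
    if not digest_matches(data, expected_sha256_hex):
        raise ValueError("SHA-256 mismatch; discarding download")
    return data
```

A certificate or host name failure surfaces as `urllib.error.URLError` from `urlopen`, so the download aborts before any bytes are returned.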
Created freecad tracking bugs for this issue:
Affects: fedora-20 [bug 1154609]
Affects: epel-6 [bug 1154610]
This has been fixed upstream for release 0.15 but the fix is not easily ported to the current 0.14 release. Can we call this "fixed"?
0.15 has been updated for rawhide and f22. Due to a library conflict f20 and f21 cannot be updated to 0.15.
freecad-0.15-4.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.