Linux Security

    ArchLinux: 202005-5: qutebrowser: certificate verification bypass

    The package qutebrowser before version 1.11.1-1 is vulnerable to certificate verification bypass.
    Arch Linux Security Advisory ASA-202005-5
    =========================================
    
    Severity: Low
    Date    : 2020-05-07
    CVE-ID  : CVE-2020-11054
    Package : qutebrowser
    Type    : certificate verification bypass
    Remote  : Yes
    Link    : https://security.archlinux.org/AVG-1152
    
    Summary
    =======
    
    The package qutebrowser before version 1.11.1-1 is vulnerable to
    certificate verification bypass.
    
    Resolution
    ==========
    
    Upgrade to 1.11.1-1.
    
    # pacman -Syu "qutebrowser>=1.11.1-1"
    
    The problem has been fixed upstream in version 1.11.1.
    
    Workaround
    ==========
    
    * Treat any host with a certificate exception as insecure, ignoring the
    URL color
    
    * Or set content.ssl_strict to True (instead of 'ask'), preventing
    certificate exceptions in the configuration
    
    Description
    ===========
    
    In qutebrowser before version 1.11.1, after the user overrides a
    certificate error, qutebrowser displays the URL in yellow
    (colors.statusbar.url.warn.fg). However, when the affected website is
    subsequently loaded again, the URL is mistakenly displayed in green
    (colors.statusbar.url.success_https). Although the user has already seen
    a certificate error prompt at this point (or has set content.ssl_strict
    to false, which is not recommended), the green URL could still provide a
    false sense of security.
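
    A constructed model of the colouring bug, added here; it is not qutebrowser's own code, and the class and function names are hypothetical. The buggy status bar colours the URL from the current load alone, so a second load of an excused host turns green, while the fixed one remembers the host; certificate_error_prompt models the content.ssl_strict workaround.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

WARN = "colors.statusbar.url.warn.fg"                 # yellow: cert error overridden
SUCCESS_HTTPS = "colors.statusbar.url.success_https"  # green: HTTPS believed clean

@dataclass
class Load:
    """One page load (constructed): did it raise a certificate error, and
    did the user accept that error at the prompt?"""
    url: str
    cert_error: bool = False
    overridden: bool = False

class BuggyStatusBar:
    """Colour from the current load alone. The exception is kept by the TLS
    layer, so a later load of the same host raises no error and turns green:
    the behaviour the advisory describes. Hypothetical class, not qutebrowser's."""
    def color_for(self, load):
        if load.cert_error and load.overridden:
            return WARN
        return SUCCESS_HTTPS

class FixedStatusBar:
    """Remember each host the user excused and keep it yellow on later loads."""
    def __init__(self):
        self._excused_hosts = set()

    def color_for(self, load):
        host = urlparse(load.url).hostname
        if load.cert_error and load.overridden:
            self._excused_hosts.add(host)
        return WARN if host in self._excused_hosts else SUCCESS_HTTPS

def certificate_error_prompt(ssl_strict, user_accepts):
    """Can this certificate error be overridden? Models content.ssl_strict:
    True refuses outright (the advisory's workaround), 'ask' defers to the
    user, False accepts without asking (modelling assumption)."""
    if ssl_strict is True:
        return False
    if ssl_strict == "ask":
        return user_accepts
    return True

def simulate(bar):
    """Constructed sequence: a first visit whose certificate error the user
    accepts, then a second load of the same host with no new error."""
    first = Load("https://bad-cert.example/", cert_error=True, overridden=True)
    second = Load("https://bad-cert.example/page2")
    return [bar.color_for(first), bar.color_for(second)]
```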
    
    Impact
    ======
    
    The user might think the webpage is secure, when in reality it has an
    invalid certificate.
    
    References
    ==========
    
    https://github.com/qutebrowser/qutebrowser/commit/6821c236f9ae23adf21d46ce0d56768ac8d0c467
    https://github.com/qutebrowser/qutebrowser/commit/556fe81b3146e5cd2e77df9d8ce57aebbbd72eac
    https://github.com/qutebrowser/qutebrowser/security/advisories/GHSA-4rcq-jv2f-898j
    https://security.archlinux.org/CVE-2020-11054
    
