Arch Linux Security Advisory ASA-202005-5
========================================
Severity: Low
Date    : 2020-05-07
CVE-ID  : CVE-2020-11054
Package : qutebrowser
Type    : certificate verification bypass
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1152

Summary
======
The package qutebrowser before version 1.11.1-1 is vulnerable to
certificate verification bypass.

Resolution
=========
Upgrade to 1.11.1-1.

# pacman -Syu "qutebrowser>=1.11.1-1"

The problem has been fixed upstream in version 1.11.1.

Workaround
=========
* Treat any host with a certificate exception as insecure, ignoring the
URL color

* Or set content.ssl_strict to True (instead of 'ask'), preventing
certificate exceptions in the configuration

Description
==========
In qutebrowser before version 1.11.1 there is an issue where after a
certificate error was overridden by the user, qutebrowser displays the
URL as yellow (colors.statusbar.url.warn.fg). However, when the
affected website was subsequently loaded again, the URL was mistakenly
displayed as green (colors.statusbar.url.success_https). While the user
already has seen a certificate error prompt at this point (or set
content.ssl_strict to false which is not recommended), this could still
provide a false sense of security.

Impact
=====
The user might think the webpage is secure, when in reality it has an
invalid certificate.

References
=========
https://github.com/qutebrowser/qutebrowser/commit/6821c236f9ae23adf21d46ce0d56768ac8d0c467
https://github.com/qutebrowser/qutebrowser/commit/556fe81b3146e5cd2e77df9d8ce57aebbbd72eac
https://github.com/qutebrowser/qutebrowser/security/advisories/GHSA-4rcq-jv2f-898j
https://security.archlinux.org/CVE-2020-11054

ArchLinux: 202005-5: qutebrowser: certificate verification bypass

May 11, 2020

Summary

In qutebrowser before version 1.11.1 there is an issue where after a certificate error was overridden by the user, qutebrowser displays the URL as yellow (colors.statusbar.url.warn.fg). However, when the affected website was subsequently loaded again, the URL was mistakenly displayed as green (colors.statusbar.url.success_https). While the user already has seen a certificate error prompt at this point (or set content.ssl_strict to false which is not recommended), this could still provide a false sense of security.

Resolution

Upgrade to 1.11.1-1. # pacman -Syu "qutebrowser>=1.11.1-1"
The problem has been fixed upstream in version 1.11.1.

References

https://github.com/qutebrowser/qutebrowser/commit/6821c236f9ae23adf21d46ce0d56768ac8d0c467 https://github.com/qutebrowser/qutebrowser/commit/556fe81b3146e5cd2e77df9d8ce57aebbbd72eac https://github.com/qutebrowser/qutebrowser/security/advisories/GHSA-4rcq-jv2f-898j https://security.archlinux.org/CVE-2020-11054

Severity
Package : qutebrowser
Type : certificate verification bypass
Remote : Yes
Link : https://security.archlinux.org/AVG-1152

Workaround

* Treat any host with a certificate exception as insecure, ignoring theURL color* Or set content.ssl_strict to True (instead of 'ask'), preventingcertificate exceptions in the configuration

Related News

23.Tablet Connections Esm H320
2 - 3 min read
The release of Ubuntu 24.04 LTS , also known as Noble Numbat, brings various security enhancements and exciting new features . These improvements
4.Lock AbstractDigital Esm H320
2 - 3 min read
Tails 6.2 is a new Linux distribution release that expands its multilingual support and improves security features. The distribution is a
19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
1.Penguin Landscape Esm H320
2 - 3 min read
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's
10.FingerPrint Locks Esm H320
2 - 3 min read
The recent release of I2P 2.5.0 , an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew
24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved