Arch Linux: ASA-202005-5 Low: Qutebrowser Certificate Bypass

Arch Linux Security Advisory ASA-202005-5
========================================
Severity: Low
Date    : 2020-05-07
CVE-ID  : CVE-2020-11054
Package : qutebrowser
Type    : certificate verification bypass
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1152

Summary
======
The package qutebrowser before version 1.11.1-1 is vulnerable to
certificate verification bypass.

Resolution
=========
Upgrade to 1.11.1-1.

# pacman -Syu "qutebrowser>=1.11.1-1"

The problem has been fixed upstream in version 1.11.1.

Workaround
=========
* Treat any host with a certificate exception as insecure, ignoring the
URL color

* Or set content.ssl_strict to True (instead of 'ask'), preventing
certificate exceptions in the configuration

Description
==========
In qutebrowser before version 1.11.1 there is an issue where after a
certificate error was overridden by the user, qutebrowser displays the
URL as yellow (colors.statusbar.url.warn.fg). However, when the
affected website was subsequently loaded again, the URL was mistakenly
displayed as green (colors.statusbar.url.success_https). While the user
already has seen a certificate error prompt at this point (or set
content.ssl_strict to false which is not recommended), this could still
provide a false sense of security.

Impact
=====
The user might think the webpage is secure, when in reality it has an
invalid certificate.

References
=========
https://github.com/qutebrowser/qutebrowser/commit/6821c236f9ae23adf21d46ce0d56768ac8d0c467
https://github.com/qutebrowser/qutebrowser/commit/556fe81b3146e5cd2e77df9d8ce57aebbbd72eac
https://github.com/qutebrowser/qutebrowser/security/advisories/GHSA-4rcq-jv2f-898j
https://security.archlinux.org/CVE-2020-11054