Your message dated Tue, 19 Mar 2019 10:19:12 +0000
with message-id <[email protected]>
and subject line Re: Bug#702976: epiphany-browser: domainname not checked on https
has caused the Debian Bug report #702976,
regarding epiphany-browser: domainname not checked on https
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)
--
702976: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702976
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: epiphany-browser
Version: 3.4.2-2.1
Severity: critical
Tags: security
Justification: breaks unrelated software
Hi.
Marking this as critical/breaks-unrelated-software, as it may allow
attackers to spoof people into downloading forged software/etc.
It seems that epiphany does at least not check the domainname correctly
when connecting to a site via https.
For example, when I go to:
https://physik.lmu.de/~mitterer/
it redirects me automatically to
https://homepages.physik.uni-muenchen.de/~mitterer/
without any complaining.
The certificate presented by that server is, however, only issued
for the CN homepages.physik.uni-muenchen.de.
That means that an attacker can easily redirect me to a site with
a valid cert, which is under his control.
Cheers,
Chris.
-- System Information:
Debian Release: 7.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.8-trunk-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_DE.UTF-8, LC_CTYPE=en_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages epiphany-browser depends on:
ii dbus-x11 1.6.8-1
ii epiphany-browser-data 3.4.2-2.1
ii gnome-icon-theme 3.4.0-2
ii gsettings-desktop-schemas 3.4.2-3
ii iso-codes 3.41-1
ii libavahi-client3 0.6.31-2
ii libavahi-common3 0.6.31-2
ii libavahi-gobject0 0.6.31-2
ii libc6 2.13-38
ii libcairo2 1.12.2-3
ii libgdk-pixbuf2.0-0 2.26.1-1
ii libgirepository-1.0-1 1.32.1-1
ii libglib2.0-0 2.33.12+really2.32.4-5
ii libgnome-keyring0 3.4.1-1
ii libgtk-3-0 3.4.2-6
ii libice6 2:1.0.8-2
ii libnotify4 0.7.5-2
ii libnspr4 2:4.9.5-1
ii libnspr4-0d 2:4.9.5-1
ii libnss3 2:3.14.2-1
ii libnss3-1d 2:3.14.2-1
ii libpango1.0-0 1.30.0-1
ii libseed-gtk3-0 3.2.0-2
ii libsm6 2:1.2.1-2
ii libsoup-gnome2.4-1 2.38.1-2
ii libsoup2.4-1 2.38.1-2
ii libsqlite3-0 3.7.15.2-1
ii libwebkitgtk-3.0-0 1.8.1-3.4
ii libx11-6 2:1.5.0-1
ii libxml2 2.8.0+dfsg1-7+nmu1
ii libxslt1.1 1.1.26-14
Versions of packages epiphany-browser recommends:
ii ca-certificates 20130119
ii evince 3.4.0-3.1
ii yelp 3.4.2-1+b1
Versions of packages epiphany-browser suggests:
ii epiphany-extensions 3.4.0-2
-- no debconf information
--- End Message ---
--- Begin Message ---
Version: 3.14.1-1
On Fri, 05 May 2017 at 17:30:55 -0500, [email protected] wrote:
> FWIW I fixed this upstream three years ago. I know Wheezy was affected, but
> the version of Epiphany in Jessie should be fine.
>
> (That said, I don't recommend using the version of Epiphany in Stretch, let
> alone Jessie.)
Closing as fixed in the version in jessie, thanks.
I've confirmed that the version of epiphany-browser proposed for
Debian 10 'buster' does the right thing:
This Connection is Not Secure
This does not look like the real
https://foobar.hosted.pseudorandom.co.uk. Attackers might be trying
to steal or alter information going to or from this site.
▼ Technical information
This website presented identification that belongs to a different website.
Regards,
smcv
--- End Message ---
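The check both messages in this thread turn on is the one a TLS client makes between the certificate a server presents and the host name the client actually connected to, for every hop of a redirect chain. The following Python is an added example, not code from the bug report, the Debian BTS or Epiphany/WebKitGTK: the names `Hop`, `verify_chain`, `names_from_cert` and `make_client_context` are mine, and the certificate contents and chains are constructed from the host names that appear in the thread, not captured from those servers. The chain from the report, where the second hop's certificate names the host connected to, passes; a server presenting identification for a different website, as the buster error page reports, is flagged.

```python
"""Certificate host-name matching for an HTTPS client (added example; not code
from the bug report or from Epiphany/WebKitGTK).  Sample data is constructed."""
import ssl
from dataclasses import dataclass


def names_from_cert(cert: dict) -> list:
    """Collect the DNS names a certificate is valid for, from a dict shaped like
    ssl.SSLSocket.getpeercert().  subjectAltName dNSName entries are
    authoritative; the subject CN is used only when there is no SAN at all
    (legacy certificates; current browsers no longer honour the CN)."""
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison of one certificate name with a host name.
    Case-insensitive; a wildcard is honoured only as the whole left-most label,
    stands for exactly one label, and needs at least two labels after it
    (so '*.uk' matches nothing and 'f*.example.org' is not a wildcard)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    hlabels = hostname.split(".")
    if not all(hlabels):                      # empty labels never match
        return False
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    if plabels[0] != "*" or len(plabels) < 3 or "*" in pattern[2:]:
        return False
    return len(hlabels) == len(plabels) and hlabels[1:] == plabels[1:]


def cert_matches_host(cert: dict, host: str) -> bool:
    """A certificate is acceptable for `host` if any of its names matches."""
    return any(hostname_matches(name, host) for name in names_from_cert(cert))


@dataclass
class Hop:
    """One HTTPS connection in a redirect chain: the host the client connected
    to and the certificate that server presented (getpeercert() shape)."""
    host: str
    cert: dict


def verify_chain(hops: list) -> list:
    """Return the hosts in a redirect chain whose certificate does not name
    them (empty when every hop is fine).  Each hop is judged against its own
    host, not the host of the first URL: a redirect to another host that
    presents its own valid certificate is legitimate, while a hop whose
    certificate belongs to a different website must be refused."""
    return [hop.host for hop in hops if not cert_matches_host(hop.cert, hop.host)]


def make_client_context() -> ssl.SSLContext:
    """The setting that performs this check in Python's own TLS client: the
    default context already has check_hostname=True and CERT_REQUIRED.  The
    pair `ctx.check_hostname = False; ctx.verify_mode = ssl.CERT_NONE` is the
    weak configuration that accepts any certificate for any host."""
    ctx = ssl.create_default_context()
    assert ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED
    return ctx


def _cert(*dns_names, cn=None) -> dict:
    """Build a constructed getpeercert()-shaped dict (assumed contents)."""
    cert = {"subject": ((("commonName", cn or dns_names[0]),),)}
    if dns_names:
        cert["subjectAltName"] = tuple(("DNS", n) for n in dns_names)
    return cert


# Constructed chains modelled on the host names in the thread; the certificate
# contents are assumptions, not captured from those servers.
REPORTED_CHAIN = [
    Hop("physik.lmu.de", _cert("physik.lmu.de")),
    Hop("homepages.physik.uni-muenchen.de",
        _cert(cn="homepages.physik.uni-muenchen.de")),   # CN only, as reported
]
MISMATCH_CHAIN = [
    Hop("foobar.hosted.pseudorandom.co.uk", _cert("pseudorandom.co.uk")),
]

if __name__ == "__main__":
    make_client_context()
    print("reported chain, bad hops:", verify_chain(REPORTED_CHAIN))   # []
    print("mismatch chain, bad hops:", verify_chain(MISMATCH_CHAIN))
```

`verify_chain` is the part a browser gets wrong when it validates nothing or validates only against the URL the user typed; the CN fallback in `names_from_cert` is there only so the CN-only certificate described in the report can be expressed.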