Your message dated Fri, 12 Sep 2025 10:30:19 +0200
with message-id <[email protected]>
and subject line iceweasel has been superseded by firefox-esr
has caused the Debian Bug report #627552,
regarding iceweasel doesn't (re)validate certificates when loading HTTPS page
from cache (CVE-2011-0082)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
627552: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=627552
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: iceweasel
Version: 4.0.1-2
Severity: important
Tags: security
It looks like when Iceweasel loads an HTTPS page from cache, it doesn't
verify if its certificate is (still) valid. Here's how to reproduce this
bug:
1. Try to visit https://kitenet.net/. Iceweasel (correctly) displays a
scary warning about the untrusted connection. Click "I Understand The
Risks", click "Add Exception", uncheck "Permanently store this
exception", click "Confirm Security Exception". Iceweasel shows contents
of the page.
2. Close the browser. kitenet.net's certificate should no longer be
considered valid past this point.
3. Start Iceweasel again. Try to visit https://kitenet.net/. The browser
happily shows contents of the page (presumably loaded from cache), even
though its certificate is not valid anymore.
4. For added fun, try to refresh the page. Iceweasel displays a scary
warning about the untrusted connection. Click "I Understand The Risks",
click "Add Exception". The browser says that "This site provides valid,
verified identification" and doesn't allow you to confirm the security
exception. So it turns out the certificate is both valid and invalid at
the same time...
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Kernel: Linux 2.6.38-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages iceweasel depends on:
ii debianutils 4 Miscellaneous utilities specific t
ii fontconfig 2.8.0-2.2 generic font configuration library
ii libc6 2.13-4 Embedded GNU C Library: Shared lib
ii libgcc1 1:4.6.0-7 GCC support library
ii libgdk-pixbuf2.0-0 2.23.3-3 GDK Pixbuf library
ii libglib2.0-0 2.28.6-2 GLib library of C routines
ii libgtk2.0-0 2.24.4-3 The GTK+ graphical user interface
ii libnspr4-0d 4.8.7-2 NetScape Portable Runtime Library
ii libstdc++6 4.6.0-7 The GNU Standard C++ Library v3
ii procps 1:3.2.8-10 /proc file system utilities
ii xulrunner-2.0 2.0.1-2 XUL + XPCOM application runner
Versions of packages xulrunner-2.0 depends on:
ii libasound2 1.0.23-4 shared library for ALSA applicatio
ii libatk1.0-0 2.0.0-1 The ATK accessibility toolkit
ii libbz2-1.0 1.0.5-6 high-quality block-sorting file co
ii libc6 2.13-4 Embedded GNU C Library: Shared lib
ii libcairo2 1.10.2-6 The Cairo 2D vector graphics libra
ii libdbus-1-3 1.5.0-2 simple interprocess messaging syst
ii libevent-1.4-2 1.4.13-stable-1 An asynchronous event notification
ii libfontconfig1 2.8.0-2.2 generic font configuration library
ii libfreetype6 2.4.4-1 FreeType 2 font engine, shared lib
ii libgcc1 1:4.6.0-7 GCC support library
ii libgdk-pixbuf2.0 2.23.3-3 GDK Pixbuf library
ii libglib2.0-0 2.28.6-2 GLib library of C routines
ii libgtk2.0-0 2.24.4-3 The GTK+ graphical user interface
ii libhunspell-1.2- 1.3.1-1 spell checker and morphological an
ii libjpeg62 6b1-1 The Independent JPEG Group's JPEG
ii libmozjs4d 2.0.1-2 The Mozilla SpiderMonkey JavaScrip
ii libnspr4-0d 4.8.7-2 NetScape Portable Runtime Library
ii libnss3-1d 3.12.9.with.ckbi.1.82-1 Network Security Service libraries
ii libpango1.0-0 1.28.3-6 Layout and rendering of internatio
ii libpixman-1-0 0.21.8-1 pixel-manipulation library for X a
ii libreadline6 6.2-2 GNU readline and history libraries
ii libsqlite3-0 3.7.6.2-1 SQLite 3 shared library
ii libstartup-notif 0.12-1 library for program launch feedbac
ii libstdc++6 4.6.0-7 The GNU Standard C++ Library v3
ii libvpx0 0.9.6-1 VP8 video codec (shared library)
ii libx11-6 2:1.4.3-1 X11 client-side library
ii libxext6 2:1.3.0-1 X11 miscellaneous extension librar
ii libxrender1 1:0.9.6-1 X Rendering Extension client libra
ii libxt6 1:1.1.1-1 X11 toolkit intrinsics library
ii zlib1g 1:1.2.5.dfsg-1 compression library - runtime
--
Jakub Wilk
--- End Message ---
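A simplified model of the behaviour reported above, added here as an example; it is not part of the original report and is not Iceweasel/Firefox code. It puts a cache lookup that ignores the current trust decision next to one that re-checks it at read time. The class names, the host `untrusted.example` and the fingerprint are constructed for illustration.

```javascript
// Simplified model, not Iceweasel/Firefox code. All names are hypothetical.
class TrustStore {
  constructor() { this.sessionExceptions = new Map(); } // host -> fingerprint
  addSessionException(host, fp) { this.sessionExceptions.set(host, fp); }
  endSession() { this.sessionExceptions.clear(); } // non-permanent exceptions end here
  isTrusted(host, fp, chainValid) {
    return chainValid || this.sessionExceptions.get(host) === fp;
  }
}

class HttpsCache {
  constructor(trust) { this.trust = trust; this.entries = new Map(); }
  store(url, body, cert) {
    // Remember which certificate the body arrived under.
    this.entries.set(url, { body, fp: cert.fp, chainValid: cert.chainValid });
  }
  // Behaviour described in the report: the cached body is returned without
  // asking whether its certificate is still acceptable.
  lookupUnchecked(url) {
    const e = this.entries.get(url);
    return e ? e.body : null;
  }
  // Hardened lookup: re-evaluate trust on every hit and evict on failure.
  lookupChecked(url) {
    const e = this.entries.get(url);
    if (!e) return null;
    const host = new URL(url).hostname;
    if (!this.trust.isTrusted(host, e.fp, e.chainValid)) {
      this.entries.delete(url);
      return null;
    }
    return e.body;
  }
}

function demo() {
  const trust = new TrustStore();
  const cache = new HttpsCache(trust);
  const url = "https://untrusted.example/";           // constructed host
  const cert = { fp: "AA:BB:CC", chainValid: false }; // constructed fingerprint
  trust.addSessionException("untrusted.example", cert.fp);
  cache.store(url, "<html>cached page</html>", cert);
  const duringSession = cache.lookupChecked(url);     // exception still active
  trust.endSession();                                 // browser restart
  const unchecked = cache.lookupUnchecked(url);       // stale body is served
  const checked = cache.lookupChecked(url);           // null: entry evicted
  return { duringSession, unchecked, checked };
}
```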
--- Begin Message ---
Version: 115.12.0esr-1+rm
src:iceweasel has been superseded by src:firefox-esr in version
45.0esr-1 in March 2016. Transitional packages to ease upgrades were
provided in the wheezy, jessie, stretch and buster releases. The
transitional packages were finally removed before the bullseye
release in August 2021.
After regular security support for buster ended in August 2022 and LTS
support ended in June 2024, I'm closing the remaining bug reports now.
Andreas
--- End Message ---