Package: apt-listbugs
Version: 1:2.5.1
Severity: important

apt-listbugs uses the insecure HTTP port 80 by default. It can easily be moved to 
HTTPS via port 443, although additional hardening against tampering should be 
verified later to prevent MITM attacks.

lib/aptlistbugs/logic.rb appears to validate HTTPS endpoints properly, but I am not 
sure about lib/aptlistbugs/debian/btssoap.rb from testing against 
https://untrusted-root.badssl.com
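The hardening the report asks for is certificate validation, not just a port change. The following is an added example (not apt-listbugs code, and not the transport btssoap.rb actually uses) showing, with Ruby's standard Net::HTTP, how to build the BTS SOAP endpoint URL so that the scheme follows the port, and how to configure a client that refuses plaintext and verifies the server certificate chain. The helper names `bts_soap_url`, `hardened_http` and `probe` are this example's own; the host and path come from the diff below.

```ruby
require "net/http"
require "openssl"
require "uri"

# Build the BTS SOAP endpoint the way btssoap.rb does, but derive the scheme
# from the port: a caller passing port 80 should not get an https:// URL that
# points at a plaintext port, and port 443 should never be spoken to in plain HTTP.
def bts_soap_url(host = "bugs.debian.org", port = 443)
  scheme = port == 443 ? "https" : "http"
  "#{scheme}://#{host}:#{port}/cgi-bin/soap.cgi"
end

# Return a Net::HTTP client that only speaks TLS and verifies the server
# certificate against the system CA store. With these settings a server that
# presents a certificate from an untrusted root (for example
# untrusted-root.badssl.com, named in the report) fails at connect time with
# OpenSSL::SSL::SSLError instead of being silently accepted.
def hardened_http(url)
  uri = URI.parse(url)
  raise ArgumentError, "refusing plaintext endpoint #{url}" unless uri.scheme == "https"

  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.cert_store = OpenSSL::X509::Store.new.tap(&:set_default_paths)
  http.min_version = OpenSSL::SSL::TLS1_2_VERSION
  http
end

# Classify an endpoint: :plaintext if the URL is not https (rejected before any
# network I/O), :untrusted_cert if the TLS handshake fails certificate
# verification, :ok if a HEAD request succeeds. Other network errors propagate.
def probe(url)
  http = hardened_http(url)
  http.start { |h| h.request_head("/") }
  :ok
rescue ArgumentError
  :plaintext
rescue OpenSSL::SSL::SSLError
  :untrusted_cert
end
```

Calling `probe("https://untrusted-root.badssl.com/")` from a networked machine is the check the report describes: the expected outcome is `:untrusted_cert`, while `probe("https://bugs.debian.org/")` should return `:ok`. Whatever SOAP transport btssoap.rb uses, it should end up with the same three settings (`use_ssl`, `VERIFY_PEER`, a populated CA store); without them the URL change alone does not prevent a man-in-the-middle.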

Here are the two relevant diffs to move to HTTPS as the default. Tested, and it 
appears to work fine.

$ diff lib/aptlistbugs/logic.rb.orig lib/aptlistbugs/logic.rb
97c97
<     @port = 80
---
>     @port = 443
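Review bot: changing `@port = 80` to `@port = 443` only moves the port; wherever `@port` is combined with a scheme to build the request URL must also switch to `https` and enable peer verification, otherwise the client speaks plaintext HTTP to port 443 and the connection simply fails. None of the hunks in this file shows that code path, so please include it in the patch or state where it lives.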
866c866
<           tmp.puts "\n        <td><a 
href=\"http://bugs.debian.org/#{bug.bug_number}\";>##{bug.bug_number}</a></td>"
---
>           tmp.puts "\n        <td><a 
> href=\"https://bugs.debian.org/#{bug.bug_number}\";>##{bug.bug_number}</a></td>"
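Review bot: the lines of this hunk have been wrapped by the mail client (the `<td><a` line continues on a second line without a `<` prefix, and the continuation of the `>` line carries an extra `>`), so the diff will not apply with `patch` as posted. Please attach the diff as a file, ideally as `diff -u` output.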
917c917
<         maker.channel.link = "http://bugs.debian.org/";
---
>         maker.channel.link = "https://bugs.debian.org/";
926c926
<             item.link = "http://bugs.debian.org/#{bug.bug_number}";
---
>             item.link = "https://bugs.debian.org/#{bug.bug_number}";
942c942
<                 url  = "http://bugs.debian.org/#{id}";
---
>                 url  = "https://bugs.debian.org/#{id}";

$ diff lib/aptlistbugs/debian/btssoap.rb.orig lib/aptlistbugs/debian/btssoap.rb
26,27c26,27
<       def initialize(host = "bugs.debian.org", port = 80)
<         @server="http://#{host}:#{port}/cgi-bin/soap.cgi";
---
>       def initialize(host = "bugs.debian.org", port = 443)
>         @server="https://#{host}:#{port}/cgi-bin/soap.cgi";
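Review bot: `@server` hardcodes `https://` independently of `port`, so `initialize(host, 80)` now yields `https://host:80/...`. Either derive the scheme from the port or drop the port argument if only 443 is supported. Also, the URL change alone does not make the SOAP client verify the server certificate; the uncertainty about btssoap.rb against untrusted-root.badssl.com is not resolved by this hunk, so the SOAP transport needs peer verification (VERIFY_PEER) and a CA store configured as well.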
