Package: dillo
Version: 0.8.6-3
Severity: grave
Justification: user security hole
Tags: security

dillo silently accepts expired https certificates; an example can be seen at
https://i.broke.the.internet.and.all.i.got.was.this.t-shirt.phreedom.org/

Considering this, I suspect dillo likely also doesn't do other checks on the certificate, but I did not test this as I don't have a collection of such certificates. And accepting expired certificates alone is already a security issue.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
Architecture: i386 (i686)
Kernel: Linux 2.6
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

ii  libssl0.9.8  0.9.8g-10  SSL shared libraries

-- 
Michael
GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

I hate to see young programmers poisoned by the kind of thinking Ulrich
Drepper puts forward since it is simply too narrow -- Roman Shaposhnik
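The check the report says dillo skips, shown as an added example that is not part of the bug report or of Dillo's own code: a minimal DER walker pulls the Validity window (notBefore/notAfter) out of an X.509 certificate and refuses the certificate outside that window, and a `strict_client_context()` helper shows the settings a client should use instead. The sample certificate is constructed inline (an unsigned skeleton with placeholder issuer, subject and key, only the fields the walker needs populated realistically) so the example runs offline; `der_encode`, `sample_certificate` and the function names are this example's own, not an API of Dillo or libssl.

```python
# Added example (not Dillo's code): reject an X.509 certificate outside its validity
# window. The certificate used here is constructed inline and deliberately unsigned.
import ssl
from datetime import datetime, timezone
from typing import Optional


def der_encode(tag: int, value: bytes) -> bytes:
    """Encode one ASN.1 TLV with definite length (used only to build the sample)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + value


def der_tlv(data: bytes, pos: int = 0):
    """Decode the TLV at data[pos:]; return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def der_children(value: bytes):
    """Return the (tag, value) pairs inside a constructed value."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out


def parse_asn1_time(tag: int, value: bytes) -> datetime:
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) as an aware UTC datetime."""
    s = value.decode("ascii")
    if tag == 0x17:                        # UTCTime: YYMMDDHHMMSSZ
        yy = int(s[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy   # RFC 5280 4.1.2.5.1 pivot
        rest = s[2:]
    elif tag == 0x18:                      # GeneralizedTime: YYYYMMDDHHMMSSZ
        year, rest = int(s[:4]), s[4:]
    else:
        raise ValueError("unexpected Time tag 0x%02x" % tag)
    if len(rest) != 11 or not rest.endswith("Z"):
        raise ValueError("certificate times must be UTC (Z) with seconds")
    t = datetime.strptime(rest, "%m%d%H%M%SZ")
    return datetime(year, t.month, t.day, t.hour, t.minute, t.second, tzinfo=timezone.utc)


def certificate_validity(cert_der: bytes):
    """Return (notBefore, notAfter) from Certificate -> tbsCertificate -> validity."""
    tag, cert, _ = der_tlv(cert_der)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, tbs, _ = der_tlv(cert)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    fields = der_children(tbs)
    if fields and fields[0][0] == 0xA0:    # optional EXPLICIT [0] version
        fields = fields[1:]
    validity_tag, validity = fields[3]     # serialNumber, signature, issuer, validity
    if validity_tag != 0x30:
        raise ValueError("validity is not a SEQUENCE")
    (nb_tag, nb), (na_tag, na) = der_children(validity)
    return parse_asn1_time(nb_tag, nb), parse_asn1_time(na_tag, na)


def check_validity(cert_der: bytes, now: Optional[datetime] = None) -> str:
    """Return 'ok', 'expired' or 'not yet valid' for the certificate at time `now`."""
    now = now or datetime.now(timezone.utc)
    not_before, not_after = certificate_validity(cert_der)
    if now < not_before:
        return "not yet valid"
    if now > not_after:                    # notAfter itself is still valid (RFC 5280)
        return "expired"
    return "ok"


def sample_certificate(not_before: str, not_after: str) -> bytes:
    """Constructed sample: a DER Certificate skeleton with the given UTCTime validity."""
    sha256_rsa = der_encode(0x06, bytes.fromhex("2a864886f70d01010b")) + der_encode(0x05, b"")
    tbs = der_encode(0x30,
        der_encode(0xA0, der_encode(0x02, b"\x02"))                    # [0] version v3
        + der_encode(0x02, b"\x01")                                    # serialNumber
        + der_encode(0x30, sha256_rsa)                                 # signature algorithm
        + der_encode(0x30, b"")                                        # issuer (placeholder)
        + der_encode(0x30, der_encode(0x17, not_before.encode())       # validity
                     + der_encode(0x17, not_after.encode()))
        + der_encode(0x30, b"")                                        # subject (placeholder)
        + der_encode(0x30, b""))                                       # SPKI (placeholder)
    # signatureAlgorithm plus an empty BIT STRING: the sample carries no real signature
    return der_encode(0x30, tbs + der_encode(0x30, sha256_rsa) + der_encode(0x03, b"\x00"))


def strict_client_context() -> ssl.SSLContext:
    """What a TLS client should use: verify the chain, the validity window and the name."""
    ctx = ssl.create_default_context()
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


if __name__ == "__main__":
    cert = sample_certificate("060101000000Z", "070101000000Z")
    print(certificate_validity(cert))
    print(check_validity(cert))            # the constructed certificate expired in 2007
```

The walker only handles the definite-length DER that certificates are required to use, and it deliberately stops at the Validity field: chain building, signature verification and hostname matching are separate checks, which is why the `ssl` context at the end leaves them all enabled rather than re-implementing them.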