Package: konqueror
Version: 4:3.5.9.dfsg.1-6
Severity: important

As the md5 digest is broken enough [1], to verify a certificate a different
digest should be displayed. Iceweasel also shows SHA1, this is what I think
is best.

Needless to say: This is a security issue with konqueror.

How to see the problem:
a) Try to go to https://debian.org/ (and make sure that you have not
   accepted the certificate or ca.debian.org before)
b) You get a question if you want to accept the certificate, press details.
c) The KDE-SSL-Information Konqueror window comes up. Now you can only see
   the MD5-Digest.

Expectation: At least the SHA1-Digest should be shown in a detail.

Note: the dialog might come from a different KDE package, but the security
problem comes up with konqueror being used as a webbrowser, thus I believe
this is the right package to report against first.

[1] http://www.win.tue.nl/hashclash/rogue-ca/

-- System Information:
Debian Release: 5.0.1
  APT prefers proposed-updates
  APT policy: (500, 'proposed-updates'), (500, 'stable')
Architecture: powerpc (ppc)

Kernel: Linux 2.6.26-1-powerpc
Locale: lang=de...@euro, lc_ctype=de...@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages konqueror depends on:
ii  kcontrol          4:3.5.9.dfsg.1-6         control center for KDE
ii  kdebase-kio-plug  4:3.5.9.dfsg.1-6         core I/O slaves for KDE
ii  kdelibs4c2a       4:3.5.10.dfsg.1-0lenny1  core libraries and binaries for al
ii  kdesktop          4:3.5.9.dfsg.1-6         miscellaneous binaries and files f
ii  kfind             4:3.5.9.dfsg.1-6         file-find utility for KDE
ii  libc6             2.7-18                   GNU C Library: Shared libraries
ii  libgcc1           1:4.3.2-1.1              GCC support library
ii  libkonq4          4:3.5.9.dfsg.1-6         core libraries for Konqueror
ii  libqt3-mt         3:3.3.8b-5               Qt GUI Library (Threaded runtime v
ii  libstdc++6        4.3.2-1.1                The GNU Standard C++ Library v3
ii  libx11-6          2:1.1.5-2                X11 client-side library

konqueror recommends no packages.

Versions of packages konqueror suggests:
ii  gij-4.1     4.1.1-20                       The GNU Java bytecode interpreter
ii  khelpcente  4:4.0.0.really.3.5.9.dfsg.1-6  help center for KDE
ii  konq-plugi  4:3.5.9-2                      plugins for Konqueror, the KDE fil
ii  ksvg        4:3.5.9-3                      SVG viewer for KDE
pn  libgcj7-aw  <none>                         (no description available)
pn  libjessie-  <none>                         (no description available)

-- no debconf information
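
The manual check that the report wants the dialog to support, as an added example (not part of the report and not KDE code): a fingerprint is a digest over the certificate's DER bytes, and a fingerprint obtained out of band is accepted only if it is SHA-1 or SHA-256 length, so a bare MD5 value is refused. The sample bytes are constructed placeholders rather than a real certificate, and the function names are hypothetical.

```python
import hashlib
import hmac
import ssl

# Constructed placeholder bytes standing in for a certificate's DER encoding.
# A fingerprint is just a digest over those bytes, so this runs offline.
SAMPLE_DER = b"constructed placeholder bytes, not a real certificate"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)

# Digest lengths accepted for manual verification; 16 bytes (MD5) is left out on purpose.
ACCEPTED = {20: "sha1", 32: "sha256"}


def format_fp(digest: bytes) -> str:
    """Render a digest the way certificate dialogs do: AA:BB:CC:..."""
    return ":".join("%02X" % b for b in digest)


def fingerprints(der: bytes) -> dict:
    """Return the MD5, SHA-1 and SHA-256 fingerprints of DER certificate bytes."""
    return {name: format_fp(hashlib.new(name, der).digest())
            for name in ("md5", "sha1", "sha256")}


def matches(der: bytes, claimed: str) -> bool:
    """Check a fingerprint obtained out of band against the certificate bytes."""
    raw = bytes.fromhex(claimed.replace(":", "").replace(" ", ""))
    algo = ACCEPTED.get(len(raw))
    if algo is None:
        raise ValueError("unsupported fingerprint length: %d bytes" % len(raw))
    # Constant-time comparison of the recomputed digest with the claimed one.
    return hmac.compare_digest(hashlib.new(algo, der).digest(), raw)


if __name__ == "__main__":
    der = ssl.PEM_cert_to_DER_cert(SAMPLE_PEM)
    for name, fp in fingerprints(der).items():
        print("%-7s %s" % (name, fp))
```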