Processed: Re: Bug#745835: lynx-cur: certificate revocation is not checked

2015-04-27 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 - moreinfo + upstream
Bug #745835 [lynx-cur] lynx-cur: certificate revocation is not checked
Removed tag(s) moreinfo.
Bug #745835 [lynx-cur] lynx-cur: certificate revocation is not checked
Added tag(s) upstream.
> severity -1 important
Bug #745835 [lynx-cur] lynx-cur: certificate revocation is not checked
Severity set to 'important' from 'serious'

-- 
745835: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=745835
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems


--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org



Bug#745835: lynx-cur: certificate revocation is not checked

2015-04-27 Thread Axel Beckert
Control: tag -1 - moreinfo + upstream
Control: severity -1 important

Hi Vincent,

Vincent Lefevre wrote:
> On 2015-04-27 14:49:15 +0200, Axel Beckert wrote:
> > Vincent Lefevre wrote:
> > > This problem still occurs. For a new testcase URL:
> > > 
> > >   lynx https://www.vinc17.net:4434/
> > > 
> > > does not give an error, contrary to Firefox.
> > 
> > JFTR: Works "fine" (i.e. without revocation warning) in Chromium
> > (42.0.2311.90-2), too. But I don't see such a bug report at
> > https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=chromium-browser
> 
> Chromium is just crap and its maintainers do not care. See my bug
> report here (which is a part of the problem):
> 
>   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=745646
> 
> The bug was closed without being fixed.

Depends likely on the point of view.

> > Can you please elaborate over which methods you expect lynx to check
> > the revocation or over which methods it can be checked, i.e. CRL or
> > OCSP?
> 
> CRL might be OK if Debian has a way to get a complete CRLset.
> But I haven't seen one.
> 
> So, OCSP (possibly OCSP must-staple) should really be implemented.

So this is basically an upstream feature request.

I don't think a feature request which you yourself phrase with
"should" validates RC-severity, even if it's a security related
feature. Hence downgrading the severity to "important".

Regards, Axel
-- 
 ,''`.  |  Axel Beckert , http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-|  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE





Bug#745835: [pkg-lynx-maint] Bug#745835: lynx-cur: certificate revocation is not checked

2015-04-27 Thread Vincent Lefevre
Hi,

On 2015-04-27 14:49:15 +0200, Axel Beckert wrote:
> Vincent Lefevre wrote:
> > This problem still occurs. For a new testcase URL:
> > 
> >   lynx https://www.vinc17.net:4434/
> > 
> > does not give an error, contrary to Firefox.
> 
> JFTR: Works "fine" (i.e. without revocation warning) in Chromium
> (42.0.2311.90-2), too. But I don't see such a bug report at
> https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=chromium-browser

Chromium is just crap and its maintainers do not care. See my bug
report here (which is a part of the problem):

  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=745646

The bug was closed without being fixed.

> Can you please elaborate over which methods you expect lynx to check
> the revocation or over which methods it can be checked, i.e. CRL or
> OCSP?

CRL might be OK if Debian has a way to get a complete CRLset.
But I haven't seen one.

So, OCSP (possibly OCSP must-staple) should really be implemented.

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)





Processed: Re: [pkg-lynx-maint] Bug#745835: lynx-cur: certificate revocation is not checked

2015-04-27 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 + moreinfo
Bug #745835 [lynx-cur] lynx-cur: certificate revocation is not checked
Added tag(s) moreinfo.




Bug#745835: [pkg-lynx-maint] Bug#745835: lynx-cur: certificate revocation is not checked

2015-04-27 Thread Axel Beckert
Control: tag -1 + moreinfo

Hi,

Vincent Lefevre wrote:
> This problem still occurs. For a new testcase URL:
> 
>   lynx https://www.vinc17.net:4434/
> 
> does not give an error, contrary to Firefox.

JFTR: Works "fine" (i.e. without revocation warning) in Chromium
(42.0.2311.90-2), too. But I don't see such a bug report at
https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=chromium-browser

Can you please elaborate over which methods you expect lynx to check
the revocation or over which methods it can be checked, i.e. CRL or
OCSP?

Regards, Axel
-- 
 ,''`.  |  Axel Beckert , http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-|  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE





Bug#745835: lynx-cur: certificate revocation is not checked

2015-04-27 Thread Vincent Lefevre
Control: severity -1 serious

Setting same severity as bug 752610 (which is also about certificate
checking).

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)





Bug#745835: lynx-cur: certificate revocation is not checked

2015-04-27 Thread Vincent Lefevre
Control: unmerge -1
Control: reopen -1
Control: found -1 2.8.9dev5-2

This problem still occurs. For a new testcase URL:

  lynx https://www.vinc17.net:4434/

does not give an error, contrary to Firefox.

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)





Processed: Re: Bug#745835: lynx-cur: certificate revocation is not checked

2014-04-26 Thread Debian Bug Tracking System
Processing control commands:

> severity -1 grave
Bug #745835 [lynx-cur] lynx-cur: certificate revocation is not checked
Severity set to 'grave' from 'important'




Processed: Re: Bug#745835: lynx-cur: certificate revocation is not checked

2014-04-26 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> severity 745835 important
Bug #745835 [lynx-cur] lynx-cur: certificate revocation is not checked
Severity set to 'important' from 'grave'
> --
Stopping processing here.

Please contact me if you need assistance.



Bug#745835: lynx-cur: certificate revocation is not checked

2014-04-26 Thread Thomas Dickey
On Fri, Apr 25, 2014 at 07:41:31PM +0200, Vincent Lefevre wrote:
> Package: lynx-cur
> Version: 2.8.8pre5-1
> Severity: grave

In

https://www.debian.org/Bugs/Developer#severities

the closest description is "important".  (This couldn't allow a break-in
to the user's account which would be the justification for "grave").

By the way, the same issue applies to elinks, links2 and w3m.

-- 
Thomas E. Dickey 
http://invisible-island.net
ftp://invisible-island.net




Bug#745835: lynx-cur: certificate revocation is not checked

2014-04-25 Thread Vincent Lefevre
Package: lynx-cur
Version: 2.8.8pre5-1
Severity: grave
Tags: security
Justification: user security hole

Certificate revocation is not checked: lynx opens

  https://www.cloudflarechallenge.com/

without any warning or error, contrary to Firefox (and to Chromium
when the CRLSet is up-to-date).

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.11-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages lynx-cur depends on:
ii  libbsd0       0.6.0-2
ii  libbz2-1.0    1.0.6-5
ii  libc6         2.18-4
ii  libgcrypt11   1.5.3-4
ii  libgnutls26   2.12.23-14
ii  libidn11      1.28-2
ii  libncursesw5  5.9+20140118-1
ii  libtinfo5     5.9+20140118-1
ii  zlib1g        1:1.2.8.dfsg-1

Versions of packages lynx-cur recommends:
ii  mime-support  3.54

lynx-cur suggests no packages.

-- debconf information:
  lynx-cur/defaulturl: http://www.vinc17.org/
  lynx-cur/etc_lynx.cfg:

