[manjaro-security] [ASA-202005-5] qutebrowser: certificate verification bypass

Morten Linderud foxboron at archlinux.org
Mon May 11 20:10:44 CEST 2020


Arch Linux Security Advisory ASA-202005-5
=========================================

Severity: Low
Date    : 2020-05-07
CVE-ID  : CVE-2020-11054
Package : qutebrowser
Type    : certificate verification bypass
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1152

Summary
=======

The package qutebrowser before version 1.11.1-1 is vulnerable to
certificate verification bypass.

Resolution
==========

Upgrade to 1.11.1-1.

# pacman -Syu "qutebrowser>=1.11.1-1"

The problem has been fixed upstream in version 1.11.1.

Workaround
==========

* Treat any host with a certificate exception as insecure, ignoring the
URL color

* Or set content.ssl_strict to True (instead of 'ask'), preventing
certificate exceptions in the configuration

Description
===========

In qutebrowser before version 1.11.1 there is an issue where after a
certificate error was overridden by the user, qutebrowser displays the
URL as yellow (colors.statusbar.url.warn.fg). However, when the
affected website was subsequently loaded again, the URL was mistakenly
displayed as green (colors.statusbar.url.success_https). While the user
already has seen a certificate error prompt at this point (or set
content.ssl_strict to false which is not recommended), this could still
provide a false sense of security.

Impact
======

The user might think the webpage is secure, when in reality it has an
invalid certificate.

References
==========

https://github.com/qutebrowser/qutebrowser/commit/6821c236f9ae23adf21d46ce0d56768ac8d0c467
https://github.com/qutebrowser/qutebrowser/commit/556fe81b3146e5cd2e77df9d8ce57aebbbd72eac
https://github.com/qutebrowser/qutebrowser/security/advisories/GHSA-4rcq-jv2f-898j
https://security.archlinux.org/CVE-2020-11054
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.manjaro.org/pipermail/manjaro-security/attachments/20200511/fe32c13d/attachment.sig>


More information about the manjaro-security mailing list