[manjaro-security] [ASA-202005-5] qutebrowser: certificate verification bypass

Morten Linderud foxboron at archlinux.org
Mon May 11 20:10:44 CEST 2020

Arch Linux Security Advisory ASA-202005-5

Severity: Low
Date    : 2020-05-07
CVE-ID  : CVE-2020-11054
Package : qutebrowser
Type    : certificate verification bypass
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1152


The package qutebrowser before version 1.11.1-1 is vulnerable to
certificate verification bypass.


Upgrade to 1.11.1-1.

# pacman -Syu "qutebrowser>=1.11.1-1"

The problem has been fixed upstream in version 1.11.1.


* Treat any host with a certificate exception as insecure, ignoring the
URL color

* Or set content.ssl_strict to True (instead of 'ask'), preventing
certificate exceptions in the configuration


In qutebrowser before version 1.11.1 there is an issue where after a
certificate error was overridden by the user, qutebrowser displays the
URL as yellow (colors.statusbar.url.warn.fg). However, when the
affected website was subsequently loaded again, the URL was mistakenly
displayed as green (colors.statusbar.url.success_https). While the user
already has seen a certificate error prompt at this point (or set
content.ssl_strict to false which is not recommended), this could still
provide a false sense of security.


The user might think the webpage is secure, when in reality it has an
invalid certificate.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.manjaro.org/pipermail/manjaro-security/attachments/20200511/fe32c13d/attachment.sig>

More information about the manjaro-security mailing list