[Pkg-chromium-maint] Bug#807785: chromium: caches certificate chains

brian m. carlson sandals at crustytoothpaste.net
Sun Dec 13 00:29:56 UTC 2015


Package: chromium
Version: 47.0.2526.73-1
Severity: normal

Chromium can cache certificate chains, which results in some sites that
actually have up-to-date certificates being listed as having invalid
SHA-1 certificates.  While this may be a valid optimization, it should
follow the "as if" rule: the behavior must be exactly as if Chromium
actually validated the entire chain every time.

I encountered this with https://securityheaders.io/.  It caused me and
the maintainer of that site headaches trying to figure out why it was
broken.  Please fix Chromium not to cache certificate chains unless it
can do so correctly every time.

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.2.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=es_US.UTF-8, LC_CTYPE=es_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages chromium depends on:
ii  libasound2            1.0.29-1
ii  libatk1.0-0           2.18.0-1
ii  libavcodec-ffmpeg56   7:2.8.3-1
ii  libavformat-ffmpeg56  7:2.8.3-1
ii  libavutil-ffmpeg54    7:2.8.3-1
ii  libc6                 2.21-4
ii  libcairo2             1.14.4-1
ii  libcups2              2.1.2-1
ii  libdbus-1-3           1.10.6-1
ii  libexpat1             2.1.0-7
ii  libfontconfig1        2.11.0-6.3
ii  libfreetype6          2.6.1-0.1
ii  libgcc1               1:5.3.1-3
ii  libgdk-pixbuf2.0-0    2.32.2-1
ii  libglib2.0-0          2.46.2-1
ii  libgnome-keyring0     3.12.0-1+b1
ii  libgtk2.0-0           2.24.28-1
ii  libjpeg62-turbo       1:1.4.1-2
ii  libnspr4              2:4.11-1
ii  libnspr4-0d           2:4.11-1
ii  libnss3               2:3.21-1
ii  libnss3-1d            2:3.21-1
ii  libpango-1.0-0        1.38.1-1
ii  libpangocairo-1.0-0   1.38.1-1
ii  libpci3               1:3.3.1-1
ii  libspeechd2           0.8-7
ii  libsrtp0              1.4.5~20130609~dfsg-1.1
ii  libstdc++6            5.3.1-3
ii  libx11-6              2:1.6.3-1
ii  libxcomposite1        1:0.4.4-1
ii  libxcursor1           1:1.1.14-1+b1
ii  libxdamage1           1:1.1.4-2+b1
ii  libxext6              2:1.3.3-1
ii  libxfixes3            1:5.0.1-2+b2
ii  libxi6                2:1.7.5-1
ii  libxml2               2.9.2+zdfsg1-4
ii  libxrandr2            2:1.5.0-1
ii  libxrender1           1:0.9.9-2
ii  libxslt1.1            1.1.28-2.1
ii  libxss1               1:1.2.2-1
ii  libxtst6              2:1.2.2-1+b1
ii  x11-utils             7.7+3
ii  xdg-utils             1.1.1-1

chromium recommends no packages.

Versions of packages chromium suggests:
pn  chromium-l10n  <none>

-- no debconf information

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | https://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
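A small model of the failure mode described in the report, added here as an illustration and not code from Chromium or from the reporter: a validation cache whose key covers only the leaf certificate keeps returning a stale SHA-1 verdict after the site replaces its intermediate, while a cache keyed on every certificate actually served behaves "as if" the whole chain were validated each time. `Cert`, `VerdictCache`, the fingerprints and the scenario in `replay_scenario` are all constructed for this example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Hashable, List, Tuple

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    sig_alg: str      # signature algorithm on this certificate, e.g. "sha1WithRSAEncryption"
    fingerprint: str  # constructed stand-in for the certificate's SHA-256 hash

def chain_uses_sha1(chain: List[Cert]) -> bool:
    """True if any certificate below the trust anchor carries a SHA-1 signature.
    A self-signed root's own signature is not verified by clients, so it is skipped."""
    return any(c.sig_alg.startswith("sha1") for c in chain if c.subject != c.issuer)

class VerdictCache:
    """Caches the SHA-1 verdict; key_fn decides which part of the served chain it is tied to."""
    def __init__(self, key_fn: Callable[[List[Cert]], Hashable]) -> None:
        self._key_fn = key_fn
        self._verdicts: Dict[Hashable, bool] = {}

    def uses_sha1(self, served: List[Cert]) -> bool:
        key = self._key_fn(served)
        if key not in self._verdicts:          # only re-validate when the key is new
            self._verdicts[key] = chain_uses_sha1(served)
        return self._verdicts[key]

def leaf_only_key(served: List[Cert]) -> Hashable:
    """Models the reported misbehaviour: a replaced intermediate never invalidates the entry."""
    return served[0].fingerprint

def full_chain_key(served: List[Cert]) -> Hashable:
    """'As if' rule: any change to the served chain yields a new key, hence a fresh validation."""
    return tuple(c.fingerprint for c in served)

def replay_scenario() -> Tuple[bool, bool]:
    """Constructed scenario: the site first served a SHA-1 intermediate, then replaced it with a
    SHA-256 one while keeping the same leaf. Returns (leaf-keyed verdict, chain-keyed verdict)."""
    root = Cert("Example Root", "Example Root", "sha256WithRSAEncryption", "root-fp")
    old_int = Cert("Example CA", "Example Root", "sha1WithRSAEncryption", "int-sha1-fp")
    new_int = Cert("Example CA", "Example Root", "sha256WithRSAEncryption", "int-sha256-fp")
    leaf = Cert("www.example.test", "Example CA", "sha256WithRSAEncryption", "leaf-fp")
    stale, correct = VerdictCache(leaf_only_key), VerdictCache(full_chain_key)
    for cache in (stale, correct):
        cache.uses_sha1([leaf, old_int, root])   # first visit, before the site fixed its chain
    return stale.uses_sha1([leaf, new_int, root]), correct.uses_sha1([leaf, new_int, root])
```

After the site's fix, `replay_scenario()` returns `(True, False)`: the leaf-keyed cache still reports a SHA-1 chain, the chain-keyed cache does not.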