[Pkg-chromium-maint] Bug#785412: chromium: MUST NOT negotiate RC4

brian m. carlson sandals at crustytoothpaste.net
Fri May 15 22:33:36 UTC 2015


Package: chromium
Version: 42.0.2311.135-2
Severity: normal

Chromium negotiates RC4 despite RFC 7465 stating that clients MUST NOT
do so, as it is insecure.

Iceweasel and Firefox have disabled it for most sites, but not all
sites, and on the whitelisted sites, mark it as broken.  Not only does
Chromium negotiate RC4, it displays it with a happy green lock, as if
the connection were actually secure.  This is misleading.

Please disable RC4, as it provides less security than an export cipher.

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.0.0-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages chromium depends on:
ii  libasound2           1.0.28-1
ii  libc6                2.19-18
ii  libcairo2            1.14.2-2
ii  libcap2              1:2.24-8
ii  libcups2             1.7.5-11
ii  libdbus-1-3          1.8.18-1
ii  libexpat1            2.1.0-6+b3
ii  libfontconfig1       2.11.0-6.3
ii  libfreetype6         2.5.2-4
ii  libgdk-pixbuf2.0-0   2.31.1-2+b1
ii  libglib2.0-0         2.44.0-3
ii  libgnome-keyring0    3.12.0-1+b1
ii  libgtk2.0-0          2.24.25-3
ii  libharfbuzz0b        0.9.40-2
ii  libjpeg62-turbo      1:1.4.0-7
ii  libnspr4             2:4.10.8-1
ii  libnspr4-0d          2:4.10.8-1
ii  libnss3              2:3.19-1
ii  libpango-1.0-0       1.36.8-3
ii  libpangocairo-1.0-0  1.36.8-3
ii  libpci3              1:3.2.1-3
ii  libspeechd2          0.8-7
ii  libspeex1            1.2~rc1.2-1
ii  libsrtp0             1.4.5~20130609~dfsg-1.1
ii  libstdc++6           5.1.1-5
ii  libx11-6             2:1.6.3-1
ii  libxcomposite1       1:0.4.4-1
ii  libxcursor1          1:1.1.14-1+b1
ii  libxdamage1          1:1.1.4-2+b1
ii  libxext6             2:1.3.3-1
ii  libxfixes3           1:5.0.1-2+b2
ii  libxi6               2:1.7.4-1+b2
ii  libxml2              2.9.2+dfsg1-3
ii  libxrandr2           2:1.4.2-1+b1
ii  libxrender1          1:0.9.8-1+b1
ii  libxslt1.1           1.1.28-2+b2
ii  libxss1              1:1.2.2-1
ii  libxtst6             2:1.2.2-1+b1
ii  x11-utils            7.7+3
ii  xdg-utils            1.1.0~rc1+git20111210-7.4

chromium recommends no packages.

Versions of packages chromium suggests:
pn  chromium-l10n  <none>

-- no debconf information

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
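The report above rests on a wire-level fact that RFC 7465 states in two places: a client MUST NOT include any RC4 cipher suite in its ClientHello, and a server MUST NOT select one. The following is an added example (not part of the bug report, and not Chromium's or Debian's code) showing how to check both halves from captured handshake bytes: it parses the cipher_suites vector out of a ClientHello and the selected suite out of a ServerHello, then flags anything in the set of RC4 suites registered at IANA. The sample messages are constructed in the script with a small builder, not captured from Chromium; the builder and the record layout it produces are the only assumptions.

```python
"""Flag RFC 7465 violations (RC4 offered or selected) in TLS hello messages.

Added example, not code from the bug report or from Chromium.
"""
import struct
from typing import Optional

# RC4 cipher suites by IANA code point: the set RFC 7465 prohibits.
RC4_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0018: "TLS_DH_anon_WITH_RC4_128_MD5",
    0x0020: "TLS_KRB5_WITH_RC4_128_SHA",
    0x0024: "TLS_KRB5_WITH_RC4_128_MD5",
    0x0028: "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
    0x002B: "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
    0x008A: "TLS_PSK_WITH_RC4_128_SHA",
    0x008E: "TLS_DHE_PSK_WITH_RC4_128_SHA",
    0x0092: "TLS_RSA_PSK_WITH_RC4_128_SHA",
    0xC002: "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
    0xC007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    0xC00C: "TLS_ECDH_RSA_WITH_RC4_128_SHA",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    0xC016: "TLS_ECDH_anon_WITH_RC4_128_SHA",
    0xC033: "TLS_ECDHE_PSK_WITH_RC4_128_SHA",
}

HANDSHAKE = 0x16      # TLS record content type
CLIENT_HELLO = 0x01   # handshake message types
SERVER_HELLO = 0x02


def _handshake_body(record: bytes, expected_type: int) -> bytes:
    """Strip the 5-byte record header and 4-byte handshake header, checking lengths."""
    if len(record) < 9 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    if rec_len != len(record) - 5:
        raise ValueError("record length mismatch")
    if record[5] != expected_type:
        raise ValueError("unexpected handshake type %#x" % record[5])
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated handshake message")
    return body


def client_hello_suites(record: bytes) -> list:
    """Return the cipher suites a ClientHello offers, in wire order."""
    body = _handshake_body(record, CLIENT_HELLO)
    pos = 2 + 32                      # skip client_version and random
    pos += 1 + body[pos]              # skip session_id (1-byte length prefix)
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if suites_len % 2 or pos + suites_len > len(body):
        raise ValueError("bad cipher_suites length")
    return [struct.unpack("!H", body[i:i + 2])[0]
            for i in range(pos, pos + suites_len, 2)]


def server_hello_suite(record: bytes) -> int:
    """Return the single cipher suite a ServerHello selected."""
    body = _handshake_body(record, SERVER_HELLO)
    pos = 2 + 32                      # skip server_version and random
    pos += 1 + body[pos]              # skip session_id
    return struct.unpack("!H", body[pos:pos + 2])[0]


def rfc7465_violations(client_hello: bytes,
                       server_hello: Optional[bytes] = None) -> dict:
    """RC4 suites the client offered and, if a ServerHello is given, the one selected."""
    offered = [s for s in client_hello_suites(client_hello) if s in RC4_SUITES]
    selected = server_hello_suite(server_hello) if server_hello else None
    return {"client_offered_rc4": [RC4_SUITES[s] for s in offered],
            "server_selected_rc4": RC4_SUITES.get(selected)}


# --- constructed sample messages (hypothetical, not captured traffic) ---
def build_client_hello(suites) -> bytes:
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"        # version, random, empty session id
            + struct.pack("!H", 2 * len(suites))
            + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00")                               # compression_methods: null only
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(hs)) + hs


def build_server_hello(suite: int) -> bytes:
    body = b"\x03\x03" + b"\x22" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    hs = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 0x03, 0x03]) + struct.pack("!H", len(hs)) + hs


NONCOMPLIANT_CH = build_client_hello([0xC02F, 0xC011, 0x0005])  # two RC4 suites offered
COMPLIANT_CH = build_client_hello([0xC02F, 0xC030, 0x009C])     # AES-GCM only
RC4_SH = build_server_hello(0x0005)                              # server picks RC4-SHA

if __name__ == "__main__":
    print(rfc7465_violations(NONCOMPLIANT_CH, RC4_SH))
    print(rfc7465_violations(COMPLIANT_CH))
```

Run against a real capture, feed the raw record bytes of the first ClientHello and ServerHello to rfc7465_violations(); a non-empty client_offered_rc4 list is the client-side violation the report describes, and a non-None server_selected_rc4 is the server-side one. The parser deliberately stops after cipher_suites, so it does not need to understand extensions.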