[Secure-testing-team] Bug#744024: chromium: check for server certificate revocation is not enabled by default
Vincent Lefevre
vincent at vinc17.net
Wed Apr 9 12:32:12 UTC 2014
Package: chromium
Version: 33.0.1750.152-1
Severity: grave
Tags: security
Justification: user security hole
http://code.google.com/p/chromium/issues/detail?id=361568
What steps will reproduce the problem?
1. Go to the settings.
2. Choose advanced settings.
3. See HTTPS/SSL.
What is the expected result?
"Check for server certificate revocation" should be ticked by default.
What happens instead?
It isn't ticked by default (see attached snapshot).
Checking for server certificate revocation is crucial, in particular
after the OpenSSL heartbleed bug: keys may have been compromised, and
many certificates will be revoked.
Another user has noticed the issue about this setting:
https://twitter.com/cbrocas/status/453799729638297600
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.11-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages chromium depends on:
ii chromium-inspector 33.0.1750.152-1
ii gconf-service 3.2.6-2
ii libasound2 1.0.27.2-3
ii libatk1.0-0 2.12.0-1
ii libc6 2.18-4
ii libcairo2 1.12.16-2
ii libcap2 1:2.22-1.2
ii libcups2 1.7.1-12
ii libdbus-1-3 1.8.0-3
ii libexpat1 2.1.0-4
ii libfontconfig1 2.11.0-5
ii libfreetype6 2.5.2-1
ii libgcc1 1:4.8.2-19
ii libgconf-2-4 3.2.6-2
ii libgcrypt11 1.5.3-4
ii libgdk-pixbuf2.0-0 2.30.6-1
ii libglib2.0-0 2.40.0-2
ii libgnome-keyring0 3.8.0-2
ii libgtk2.0-0 2.24.23-1
ii libjpeg8 8d-2
ii libnspr4 2:4.10.4-1
ii libnss3 2:3.16-1
ii libpango-1.0-0 1.36.3-1
ii libpangocairo-1.0-0 1.36.3-1
ii libspeechd2 0.8-6
ii libspeex1 1.2~rc1.1-1
ii libstdc++6 4.8.2-19
ii libudev1 204-8
ii libx11-6 2:1.6.2-1
ii libxcomposite1 1:0.4.4-1
ii libxdamage1 1:1.1.4-1
ii libxext6 2:1.3.2-1
ii libxfixes3 1:5.0.1-1
ii libxi6 2:1.7.2-1
ii libxml2 2.9.1+dfsg1-3
ii libxrender1 1:0.9.8-1
ii libxslt1.1 1.1.28-2
ii libxss1 1:1.2.2-1
ii libxtst6 2:1.2.2-1
ii xdg-utils 1.1.0~rc1+git20111210-7
chromium recommends no packages.
Versions of packages chromium suggests:
pn chromium-l10n <none>
pn mozplugger <none>
-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: settings.png
Type: image/png
Size: 3794 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20140409/71d49c81/attachment.png>
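To make concrete what the "check for server certificate revocation" setting does, here is an added example (not part of the bug report, and not Chromium's own code or mechanism): with only the openssl command line, it builds a throwaway CA, issues a server certificate, revokes it in a CRL, and then verifies the same certificate twice, once without any revocation check (accepted, as a client with the setting off would do) and once with CRL checking (rejected). Chromium's actual check may use other sources such as OCSP; this script demonstrates the class of check using CRLs because that runs fully offline. All names and files (Demo Revocation CA, server.example.test, ca.cnf) are constructed for the demo.

```shell
#!/bin/sh
# Added example: demonstrates why a revocation check matters by revoking a
# certificate and verifying it with and without the check. Needs the openssl
# CLI only; everything is generated locally in a temporary directory.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal openssl ca(1) database and configuration (constructed for this demo).
mkdir -p newcerts
: > index.txt
echo 1000 > serial
echo 1000 > crlnumber
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF

# 1. Self-signed demo CA (RSA key without passphrase).
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -subj "/CN=Demo Revocation CA" -days 365 -config ca.cnf >/dev/null 2>&1

# 2. Server key and CSR, signed by the demo CA.
openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
  -subj "/CN=server.example.test" -config ca.cnf >/dev/null 2>&1
openssl ca -batch -notext -config ca.cnf -in server.csr -out server.crt \
  >/dev/null 2>&1

# 3. Revoke the server certificate (what a CA does after a key compromise,
#    e.g. post-Heartbleed) and publish a CRL alongside the CA certificate.
openssl ca -config ca.cnf -revoke server.crt >/dev/null 2>&1
openssl ca -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1
cat ca.crt ca.crl > ca_with_crl.pem

# Mirrors a client with revocation checking OFF: chain and validity are
# checked, the CRL is ignored, so the revoked certificate is still trusted.
verify_without_revocation_check() {
  openssl verify -CAfile ca.crt server.crt >/dev/null 2>&1
}

# Mirrors a client with revocation checking ON: the serial is found in the
# CA's CRL and verification fails ("certificate revoked").
verify_with_revocation_check() {
  openssl verify -crl_check -CAfile ca_with_crl.pem server.crt >/dev/null 2>&1
}

if verify_without_revocation_check; then
  echo "no revocation check: revoked certificate ACCEPTED"
fi
if ! verify_with_revocation_check; then
  echo "with -crl_check:     revoked certificate rejected"
fi
```

The only difference between the two `openssl verify` calls is `-crl_check` and a CRL being available; the certificate, its chain and its validity period are identical, which is exactly the gap the disabled default leaves open.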