[Secure-testing-team] Bug#818875: konqueror: green SSL checkbox despite expired server certificate
Thorsten Glaser
tg at mirbsd.de
Mon Mar 21 10:03:13 UTC 2016
Package: konqueror
Version: 4:15.08.3-1
Severity: grave
Tags: security
Justification: user security hole
See attached screenshot – konqueror does not error out when the
certificate is expired and even shows a green checkbox. (I may
or may not have ACK’d the certificate in an earlier session, I
don’t know right now, but showing a green checkbox is still
wrong.)
-- System Information:
Debian Release: stretch/sid
APT prefers unreleased
APT policy: (500, 'unreleased'), (500, 'buildd-unstable'), (500, 'unstable')
Architecture: x32 (x86_64)
Foreign Architectures: i386, amd64
Kernel: Linux 4.4.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/lksh
Init: sysvinit (via /sbin/init)
Versions of packages konqueror depends on:
ii install-info 6.1.0.dfsg.1-5
ii kde-baseapps-bin 4:15.08.3-1
ii kde-baseapps-data 4:15.08.3-1
ii kde-runtime 4:15.08.3-1+b1
ii libc6 2.22-3
ii libkcmutils4 4:4.14.14-1+b1
ii libkde3support4 4:4.14.14-1+b1
ii libkdecore5 4:4.14.14-1+b1
ii libkdesu5 4:4.14.14-1+b1
ii libkdeui5 4:4.14.14-1+b1
ii libkfile4 4:4.14.14-1+b1
ii libkhtml5 4:4.14.14-1+b1
ii libkio5 4:4.14.14-1+b1
ii libkonq5abi1 4:15.08.3-1
ii libkonqsidebarplugin4a 4:15.08.3-1
ii libkparts4 4:4.14.14-1+b1
ii libqt4-dbus 4:4.8.7+dfsg-6
ii libqt4-qt3support 4:4.8.7+dfsg-6
ii libqt4-xml 4:4.8.7+dfsg-6
ii libqtcore4 4:4.8.7+dfsg-6
ii libqtgui4 4:4.8.7+dfsg-6
ii libstdc++6 5.3.1-12
ii libx11-6 2:1.6.3-1
Versions of packages konqueror recommends:
pn dolphin4 <none>
ii kfind 4:15.08.3-1
pn konqueror-nsplugins <none>
ii kpart-webkit 1.3.4-2
Versions of packages konqueror suggests:
ii konq-plugins 4:15.08.3-1
-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: konqsslfail.png
Type: image/png
Size: 27082 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20160321/57862025/attachment-0001.png>