From me at the-compiler.org Thu May 7 17:54:11 2020
From: me at the-compiler.org (Florian Bruhin)
Date: Thu, 7 May 2020 17:54:11 +0200
Subject: [qutebrowser-announce] qutebrowser v1.11.1 released (with minor security fix)
Message-ID: <20200507155411.kvxxpp7mlxci7i5c@hooch.localdomain>

Hey,

I just released qutebrowser v1.11.1, with the only change being a low-severity security fix:

After a certificate error was overridden by the user, qutebrowser displays the URL as yellow (colors.statusbar.url.warn.fg). However, when the affected website was subsequently loaded again, the URL was mistakenly displayed as green (colors.statusbar.url.success_https).

While the user has already seen a certificate error prompt at this point (or set content.ssl_strict to false, which is not recommended), this could still provide a false sense of security. This is now fixed.

After discovering this issue, I found out about two other projects using QtWebEngine with similar issues (always showing a secure connection on certificate exceptions, even on the first load). I've reported this to the respective projects as well, and contacted Qt about adding a proper API to avoid issues like this.

More details can be found in the associated security advisory:
https://github.com/qutebrowser/qutebrowser/security/advisories/GHSA-4rcq-jv2f-898j

This issue has been assigned CVE-2020-11054.

Florian

-- 
me at the-compiler.org (Mail/XMPP) | https://www.qutebrowser.org
https://bruhin.software/ | https://github.com/sponsors/The-Compiler/
GPG: 916E B0C8 FD55 A072 | https://the-compiler.org/pubkey.asc
I love long mails! | https://email.is-not-s.ms/
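The failure mode described in the announcement, as an added illustration that is not qutebrowser's code or part of the original message: a browser that only remembers an accepted certificate error for the load during which the prompt fired will show the "success" colour on the next load of the same page, because the engine has cached the exception and does not raise the error again. The constructed model below keeps the colour names from the announcement as labels, and fixes the problem by remembering every host whose certificate error was accepted for the lifetime of the tab (the tab-lifetime scope, the class and function names, and the `ok`/`user_accepted` parameters are assumptions made for this example).

```python
"""Model of a status-bar URL indicator that must not forget an overridden
certificate error.  Constructed illustration, not qutebrowser's code."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Labels named after the colour settings mentioned in the announcement.
WARN = "colors.statusbar.url.warn.fg"              # a cert error was overridden
SUCCESS_HTTPS = "colors.statusbar.url.success_https"
SUCCESS_HTTP = "colors.statusbar.url.success_http"
ERROR = "colors.statusbar.url.error.fg"            # the load itself failed


def _color(url: str, ok: bool, warn: bool) -> str:
    """Pick the indicator colour: load failure beats warning beats success."""
    if not ok:
        return ERROR
    if warn:
        return WARN
    return SUCCESS_HTTPS if urlsplit(url).scheme == "https" else SUCCESS_HTTP


@dataclass
class BuggyTab:
    """Remembers the override only for the load in which the prompt fired."""
    ssl_errors_this_load: bool = False

    def on_load_started(self) -> None:
        # Reset on every navigation, so a reload looks clean again (the bug).
        self.ssl_errors_this_load = False

    def on_certificate_error(self, url: str, user_accepted: bool) -> None:
        if user_accepted:
            self.ssl_errors_this_load = True

    def url_color(self, url: str, ok: bool) -> str:
        return _color(url, ok, self.ssl_errors_this_load)


@dataclass
class FixedTab:
    """Also remembers every host whose certificate error was accepted, for
    the lifetime of the tab (an assumed scope), so later loads stay yellow."""
    insecure_hosts: set = field(default_factory=set)
    ssl_errors_this_load: bool = False

    def on_load_started(self) -> None:
        self.ssl_errors_this_load = False

    def on_certificate_error(self, url: str, user_accepted: bool) -> None:
        if user_accepted:
            self.ssl_errors_this_load = True
            self.insecure_hosts.add(urlsplit(url).hostname)

    def url_color(self, url: str, ok: bool) -> str:
        host = urlsplit(url).hostname
        warn = self.ssl_errors_this_load or host in self.insecure_hosts
        return _color(url, ok, warn)


def simulate(tab, url: str) -> list:
    """First load: a certificate error fires and the user accepts it.
    Second load: the same page is reloaded; the engine has cached the
    exception, so no certificate-error callback happens this time."""
    colors = []
    tab.on_load_started()
    tab.on_certificate_error(url, user_accepted=True)
    colors.append(tab.url_color(url, ok=True))
    tab.on_load_started()            # reload: no new certificate error raised
    colors.append(tab.url_color(url, ok=True))
    return colors


if __name__ == "__main__":
    page = "https://example.test/"   # constructed sample URL
    print("buggy:", simulate(BuggyTab(), page))
    print("fixed:", simulate(FixedTab(), page))
```

Running it shows the buggy tab going from the warn colour to the plain HTTPS success colour on the reload, while the fixed tab stays on the warn colour; a second, unrelated host on the same fixed tab is still shown as a normal success, since only the host that had its error accepted is remembered.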