From me at the-compiler.org Wed Jun 3 08:27:07 2015 From: me at the-compiler.org (Florian Bruhin) Date: Wed, 3 Jun 2015 08:27:07 +0200 Subject: This week's qutebrowser updates Message-ID: <20150603062707.GL26357@tonks> Hi, This has been a crazy week with many contributions! :) Thanks a lot again to Carpetsmoker and antonyo for them! I've been busy with writing more tests, and reviewing PRs and issues, but the amount of contributions is probably at a record high :) It seems people would like a new release[1] - I wanted to do so only after tests/refactoring/config migration, but since that'll still take a while I'll probably cut a new release when the open contributions are in (or at least the ones expected to be done soon). [1] https://github.com/voidlinux/void-packages/pull/1696 Overview -------- Excluding merges, 5 authors have pushed 54 commits to master and 90 commits to all branches. On master, 31 files have changed and there have been 539 additions and 224 deletions. 6 Pull requests merged by 3 people 7 Pull requests proposed by 4 people 13 Issues closed by 2 people 15 Issues created by 5 people https://github.com/The-Compiler/qutebrowser/pulse Added ----- - :scroll-page now has --{top,bottom}-navigate options so a key can be bound to scroll down and automatically load the next page. - Return is now bound to a new :select-follow command, which follows the link currently selected (e.g. via /searching). - There's a new ui -> modal-js-dialog setting to use the normal modal dialogs instead of the statusbar for javascript dialogs. - Numpad enter now should work everywhere where Return does. - New setting colors -> webpage.bg to set the color for websites without a background color set. Changed ------- - Temporary files/directories now use a qutebrowser-editor- and qutebrowser-basedir- prefix. - Some QXcbWindow warnings (e.g. on Enlightment) are now hidden. Fixed ----- - Fix a crash when executing "qutebrowser :set" from the commandline. Under the hood -------------- - Lots of improvements related to tests. - link_pyqt.py now only links/copies files if needed, which should speed up repeated tox runs. - Some small doc improvements. Florian -- http://www.the-compiler.org | me at the-compiler.org (Mail/XMPP) GPG: 916E B0C8 FD55 A072 | http://the-compiler.org/pubkey.asc I love long mails! | http://email.is-not-s.ms/ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 819 bytes Desc: not available URL: From me at the-compiler.org Wed Jun 3 16:42:29 2015 From: me at the-compiler.org (Florian Bruhin) Date: Wed, 3 Jun 2015 16:42:29 +0200 Subject: Fwd: [USN-2626-1] Qt vulnerabilities Message-ID: <20150603144229.GT26357@tonks> Hi, I'm actually amazed Ubuntu managed to take so long to backport those packages... IIRC, Debian, Arch (and maybe others) had already applied them for a while. The first issue is from April 2014... Gah. (Though that one seems to apply to Qt 4 only) So if you're on Ubuntu, please update (or, you know, don't use Ubuntu). Florian ----- Forwarded message from Marc Deslauriers ----- ========================================================================== Ubuntu Security Notice USN-2626-1 June 03, 2015 qt4-x11, qtbase-opensource-src vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 15.04 - Ubuntu 14.10 - Ubuntu 14.04 LTS - Ubuntu 12.04 LTS Summary: Qt could be made to crash or run programs as your login if it opened a specially crafted file. Software Description: - qt4-x11: Qt 4 libraries - qtbase-opensource-src: Qt 5 libraries Details: Wolfgang Schenk discovered that Qt incorrectly handled certain malformed GIF images. If a user or automated system were tricked into opening a specially crafted GIF image, a remote attacker could use this issue to cause Qt to crash, resulting in a denial of service. This issue only applied to Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-0190) Fabian Vogt discovered that Qt incorrectly handled certain malformed BMP images. If a user or automated system were tricked into opening a specially crafted BMP image, a remote attacker could use this issue to cause Qt to crash, resulting in a denial of service. (CVE-2015-0295) Richard Moore and Fabian Vogt discovered that Qt incorrectly handled certain malformed BMP images. If a user or automated system were tricked into opening a specially crafted BMP image, a remote attacker could use this issue to cause Qt to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2015-1858) Richard Moore and Fabian Vogt discovered that Qt incorrectly handled certain malformed ICO images. If a user or automated system were tricked into opening a specially crafted ICO image, a remote attacker could use this issue to cause Qt to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2015-1859) Richard Moore and Fabian Vogt discovered that Qt incorrectly handled certain malformed GIF images. If a user or automated system were tricked into opening a specially crafted GIF image, a remote attacker could use this issue to cause Qt to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2015-1860) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 15.04: libqt5gui5 5.4.1+dfsg-2ubuntu4.1 libqtgui4 4:4.8.6+git64-g5dc8b2b+dfsg-3~ubuntu6.1 Ubuntu 14.10: libqt5gui5 5.3.0+dfsg-2ubuntu9.1 libqtgui4 4:4.8.6+git49-gbc62005+dfsg-1ubuntu1.1 Ubuntu 14.04 LTS: libqt5gui5 5.2.1+dfsg-1ubuntu14.3 libqtgui4 4:4.8.5+git192-g085f851+dfsg-2ubuntu4.1 Ubuntu 12.04 LTS: libqtgui4 4:4.8.1-0ubuntu4.9 After a standard system update you need to restart your session to make all the necessary changes. References: http://www.ubuntu.com/usn/usn-2626-1 CVE-2014-0190, CVE-2015-0295, CVE-2015-1858, CVE-2015-1859, CVE-2015-1860 Package Information: https://launchpad.net/ubuntu/+source/qt4-x11/4:4.8.6+git64-g5dc8b2b+dfsg-3~ubuntu6.1 https://launchpad.net/ubuntu/+source/qtbase-opensource-src/5.4.1+dfsg-2ubuntu4.1 https://launchpad.net/ubuntu/+source/qt4-x11/4:4.8.6+git49-gbc62005+dfsg-1ubuntu1.1 https://launchpad.net/ubuntu/+source/qtbase-opensource-src/5.3.0+dfsg-2ubuntu9.1 https://launchpad.net/ubuntu/+source/qt4-x11/4:4.8.5+git192-g085f851+dfsg-2ubuntu4.1 https://launchpad.net/ubuntu/+source/qtbase-opensource-src/5.2.1+dfsg-1ubuntu14.3 https://launchpad.net/ubuntu/+source/qt4-x11/4:4.8.1-0ubuntu4.9 -- ubuntu-security-announce mailing list ubuntu-security-announce at lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce ----- End forwarded message ----- -- http://www.the-compiler.org | me at the-compiler.org (Mail/XMPP) GPG: 916E B0C8 FD55 A072 | http://the-compiler.org/pubkey.asc I love long mails! | http://email.is-not-s.ms/ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 819 bytes Desc: not available URL: From me at the-compiler.org Fri Jun 5 08:17:00 2015 From: me at the-compiler.org (Florian Bruhin) Date: Fri, 5 Jun 2015 08:17:00 +0200 Subject: Qt 5.4.2 released! Message-ID: <20150605061700.GF26357@tonks> Hi, On Tuesday, Qt 5.4.2 has finally been released: http://blog.qt.io/blog/2015/06/02/qt-5-4-2-released/ The Arch packages in my debug repo got rebuilt yesterday. This release brings many fixes which are relevant to qutebrowser: http://code.qt.io/cgit/qt/qtwebkit.git/tree/dist/changes-5.4.2?h=5.4.2 https://bugreports.qt.io/browse/QTBUG-46233?jql=component%20%3D%20WebKit%20and%20fixVersion%20%3D%205.4.2%20order%20by%20created%20desc Notably, the crash/high memory usage on pages like DuckDuckGo, LinkedIn or Kotaku has been fixed. Florian -- http://www.the-compiler.org | me at the-compiler.org (Mail/XMPP) GPG: 916E B0C8 FD55 A072 | http://the-compiler.org/pubkey.asc I love long mails! | http://email.is-not-s.ms/ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 819 bytes Desc: not available URL: From me at the-compiler.org Wed Jun 10 21:27:48 2015 From: me at the-compiler.org (Florian Bruhin) Date: Wed, 10 Jun 2015 21:27:48 +0200 Subject: This week's qutebrowser updates Message-ID: <20150610192748.GX26357@tonks> Hi, Another week with some contributions (thanks to Carpetsmoker, lamarpavel and ProtractorNinja) and some other progress :) Overview -------- Excluding merges, 5 authors have pushed 69 commits to master and 108 commits to all branches. On master, 44 files have changed and there have been 799 additions and 452 deletions. 8 Pull requests merged by 4 people 7 Pull requests proposed by 2 people 10 Issues closed by 1 person 7 Issues created by 2 people https://github.com/The-Compiler/qutebrowser/pulse Added ----- - New (hidden) command `:clear-keychain` to clear a partially entered keychain (bound to `` by default, in addition to clearing search). - Many new color settings (foreground setting for every background setting) Changed ------- - The `ui -> user-stylesheet` setting now also takes file paths relative to the config directory. - The `content -> cookies-accept` setting now has new `no-3rdparty` (default) and `no-unknown-3rdparty` values to block third-party cookies. The `default` value got renamed to `all`. Deprecated ---------- - Support for Qt installations without SSL support was dropped. Fixed ----- - Fixed horrible completion performance when the `shrink` option was set. Under the hood -------------- - The tests now run on Travis[1] and AppVeyor[2] so pull requests should get near-immediate feedback. - Various small fixes related to running the tests on Windows and Ubuntu Trusty. Florian [1] http://www.travis-ci.org/ [2] http://www.appveyor.com/ -- http://www.the-compiler.org | me at the-compiler.org (Mail/XMPP) GPG: 916E B0C8 FD55 A072 | http://the-compiler.org/pubkey.asc I love long mails! | http://email.is-not-s.ms/ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 819 bytes Desc: not available URL: From me at the-compiler.org Fri Jun 12 15:50:12 2015 From: me at the-compiler.org (Florian Bruhin) Date: Fri, 12 Jun 2015 15:50:12 +0200 Subject: Fwd: [arch-security] [ASA-201506-3] openssl: multiple issues Message-ID: <20150612135012.GK26357@tonks> Hi, please update your OpenSSL to get protected against LogJam (see http://weakdh.org/ ). (I experimented with blacklisting those ciphers in qutebrowser, but the Qt API doesn't provide a way to get the DH bits used - so I decided to just wait for OpenSSL to be updated instead of blacklisting *all* DH keys). Florian ----- Forwarded message from Levente Polyak ----- Arch Linux Security Advisory ASA-201506-3 ========================================= Severity: High Date : 2015-06-12 CVE-ID : CVE-2015-1788 CVE-2015-1789 CVE-2015-1790 CVE-2015-1791 CVE-2015-1792 CVE-2015-4000 Package : openssl Type : multiple issues Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE Summary ======= The package openssl before version 1.0.2.b-1 is vulnerable to multiple issues including but not limited to man-in-the-middle via cipher downgrade, double free and denial of service. Resolution ========== Upgrade to 1.0.2.b-1. # pacman -Syu "openssl>=1.0.2.b-1" The problems have been fixed upstream in version 1.0.2.b. Workaround ========== None. Description =========== - CVE-2015-1788 (denial of service) When processing an ECParameters structure OpenSSL enters an infinite loop if the curve specified is over a specially malformed binary polynomial field. This can be used to perform denial of service against any system which processes public keys, certificate requests or certificates. This includes TLS clients and TLS servers with client authentication enabled. - CVE-2015-1789 (out-of-bounds read) X509_cmp_time does not properly check the length of the ASN1_TIME string and can read a few bytes out of bounds. In addition, X509_cmp_time accepts an arbitrary number of fractional seconds in the time string. An attacker can use this to craft malformed certificates and CRLs of various sizes and potentially cause a segmentation fault, resulting in a DoS on applications that verify certificates or CRLs. TLS clients that verify CRLs are affected. TLS clients and servers with client authentication enabled may be affected if they use custom verification callbacks. - CVE-2015-1790 (denial of service) The PKCS#7 parsing code does not handle missing inner EncryptedContent correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with missing content and trigger a NULL pointer dereference on parsing. Applications that decrypt PKCS#7 data or otherwise parse PKCS#7 structures from untrusted sources are affected. OpenSSL clients and servers are not affected. - CVE-2015-1791 (double free) If a NewSessionTicket is received by a multi-threaded client when attempting to reuse a previous ticket then a race condition can occur potentially leading to a double free of the ticket data. - CVE-2015-1792 (denial of service) When verifying a signedData message the CMS code can enter an infinite loop if presented with an unknown hash function OID. This can be used to perform denial of service against any system which verifies signedData messages using the CMS code. - CVE-2015-4000 (cipher downgrade) A vulnerability in the TLS protocol allows a man-in-the-middle attacker to downgrade vulnerable TLS connections using ephemeral Diffie-Hellman key exchange to 512-bit export-grade cryptography. This vulnerability is known as Logjam. OpenSSL has added protection for TLS clients by rejecting handshakes with DH parameters shorter than 768 bits. This limit will be increased to 1024 bits in a future release. Impact ====== A remote attacker is able to perform man-in-the-middle via cipher downgrade, denial of service or possibly have other unspecified impact via various vectors. References ========== https://www.openssl.org/news/secadv_20150611.txt https://access.redhat.com/security/cve/CVE-2015-1788 https://access.redhat.com/security/cve/CVE-2015-1789 https://access.redhat.com/security/cve/CVE-2015-1790 https://access.redhat.com/security/cve/CVE-2015-1791 https://access.redhat.com/security/cve/CVE-2015-1792 https://access.redhat.com/security/cve/CVE-2015-4000 ----- End forwarded message ----- -- http://www.the-compiler.org | me at the-compiler.org (Mail/XMPP) GPG: 916E B0C8 FD55 A072 | http://the-compiler.org/pubkey.asc I love long mails! | http://email.is-not-s.ms/ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 819 bytes Desc: not available URL: From me at the-compiler.org Thu Jun 18 12:05:05 2015 From: me at the-compiler.org (Florian Bruhin) Date: Thu, 18 Jun 2015 12:05:05 +0200 Subject: This week's qutebrowser updates Message-ID: <20150618100505.GF22364@tonks> Hi, Another week (or more) has passed, of course not without some qutebrowser commits! ;) Overview -------- Excluding merges, 3 authors have pushed 49 commits to master and 72 commits to all branches. On master, 49 files have changed and there have been 2,947 additions and 503 deletions. 3 Pull requests merged by 3 people 2 Pull requests proposed by 2 people 11 Issues closed by 1 person 6 Issues created by 2 people https://github.com/The-Compiler/qutebrowser/pulse Added ----- - New flag `-d`/`--detach` for `:spawn` to detach the spawned process so it's not closed when qutebrowser is. - New flag `-v`/`--verbose` for `:spawn` to print informations when the process started/exited successfully. -q/--quiet got removed. - New command `:jseval` to run a javascript snippet on the current page. Thanks to Carpetsmoker for the contribution! Changed ------- - Improved startup time by reading the webpage history while qutebrowser is open. - The way `:spawn` splits its commandline has been changed slightly to allow commands with flags. Deprecated ---------- - The -q/--quiet argument to :spawn got removed. Fixed ----- - Fixed wrong cursor position when completing the first item in the completion. Under the hood -------------- - The tests now also run on OS X Mavericks on Travis. - Many tests for qutebrowser.utils.{utils,version,standarddir,qtutils} have been added or improved. Florian -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 819 bytes Desc: not available URL: From me at the-compiler.org Sun Jun 28 18:31:16 2015 From: me at the-compiler.org (Florian Bruhin) Date: Sun, 28 Jun 2015 18:31:16 +0200 Subject: qutebrowser v0.3.0 released! Message-ID: <20150628163116.GD22364@tonks> Hi! I'm happy to announce qutebrowser v0.3.0 was released today - with a lot of new features and some bugfixes. Note a breaking change for userscripts was necessary: $QUTE_HTML and $QUTE_TEXT now contain a filename instead of the HTML/text content. Also, if you have an userscript which could be useful for the public, please consider contributing it to the new `misc/userscripts` directory! This is the full changelog compared to v0.2.1: Added ~~~~~ - New commands `:message-info`, `:message-error` and `:message-warning` to show messages in the statusbar, e.g. from an userscript. - New command `:scroll-px` which replaces `:scroll` for pixel-exact scrolling. - New command `:jseval` to run a javascript snippet on the current page. - New (hidden) command `:follow-selected` (bound to `Enter`/`Ctrl-Enter` by default) to follow the link which is currently selected (e.g. after searching via `/`). - New (hidden) command `:clear-keychain` to clear a partially entered keychain (bound to `` by default, in addition to clearing search). - New setting `ui -> smooth-scrolling`. - New setting `content -> webgl` to enable/disable WebGL. - New setting `content -> css-regions` to enable/disable support for CSS Regions. - New setting `content -> hyperlink-auditing` to enable/disable support for hyperlink auditing. - New setting `tabs -> mousewheel-tab-switching` to control mousewheel behavior on the tab bar. - New arguments `--datadir` and `--cachedir` to set the data/cache location. - New arguments `--basedir` and `--temp-basedir` (intended for debugging) to set a different base directory for all data, which allows multiple invocations. - New argument `--no-err-windows` to suppress all error windows. - New arguments `--top-navigate` and `--bottom-navigate` (`-t`/`-b`) for `:scroll-page` to specify a navigation action (e.g. automatically go to the next page when arriving at the bottom). - New flag `-d`/`--detach` for `:spawn` to detach the spawned process so it's not closed when qutebrowser is. - New flag `-v`/`--verbose` for `:spawn` to print informations when the process started/exited successfully. - Many new color settings (foreground setting for every background setting). - New setting `ui -> modal-js-dialog` to use the standard modal dialogs for javascript questions instead of using the statusbar. - New setting `colors -> webpage.bg` to set the background color to use for websites which don't set one. - New setting `completion -> auto-open` to only open the completion when tab is pressed (if set to false). - New visual/caret mode (bound to `v`) to select text by keyboard. - There are now some example userscripts in `misc/userscripts`. - Support for Qt 5.5 and tox 2.0 Changed ~~~~~~~ - *Breaking change for userscripts:* `QUTE_HTML` and `QUTE_TEXT` for userscripts now don't store the contents directly, and instead contain a filename. - The `content -> geolocation` and `notifications` settings now support a `true` value to always allow those. However, this is *not recommended*. - New bindings `` (rapid), `` (foreground) and `` (background) to switch hint modes while hinting. - `` and numpad-enter are now bound by default for bindings where `` was bound. - `:hint tab` and `F` now respect the `background-tabs` setting. To enforce a foreground tab (what `F` did before), use `:hint tab-fg` or `;f`. - `:scroll` now takes a direction argument (`up`/`down`/`left`/`right`/`top`/`bottom`/`page-up`/`page-down`) instead of two pixel arguments (`dx`/`dy`). The old form still works but is deprecated. - The `ui -> user-stylesheet` setting now also takes file paths relative to the config directory. - The `content -> cookies-accept` setting now has new `no-3rdparty` (default) and `no-unknown-3rdparty` values to block third-party cookies. The `default` value got renamed to `all`. - Improved startup time by reading the webpage history while qutebrowser is open. - The way `:spawn` splits its commandline has been changed slightly to allow commands with flags. - The default for the `new-instance-open-target` setting has been changed to `tab`. - Sessions now store zoom/scroll-position separately for each entry. Deprecated ~~~~~~~~~~ - `:scroll` with two pixel-arguments is now deprecated - `:scroll-px` should be used instead. Removed ~~~~~~~ - The `--no-crash-dialog` argument which was intended for debugging only was removed as it's replaced by `--no-err-windows` which suppresses all error windows. - Support for Qt installations without SSL support was dropped. Fixed ~~~~~ - Scrolling should now work more reliably on some pages where arrow keys worked but `hjkl` didn't. - Small improvements when checking if an input is an URL or not. - Fixed wrong cursor position when completing the first item in the completion. - Fixed exception when using search engines with {foo} in their name. - Fixed a bug where the same title was shown for all tabs on some systems. - Don't install the scripts package when installing qutebrowser. - Fixed searching for terms starting with a hyphen (e.g. `/-foo`) - Proxy authentication credentials are now remembered between different tabs. - Fixed updating of the tab title on pages without title. - Fixed AssertionError when closing many windows quickly. - Various fixes for deprecated key bindings and auto-migrations. - Workaround for qutebrowser not starting when there are NUL-bytes in the history (because of a currently unknown bug). - Fixed handling of keybindings containing Ctrl/Meta on OS X. - Fixed crash when downloading an URL without filename (e.g. magnet links) via "Save as...". - Fixed exception when starting qutebrowser with `:set` as argument. - Fixed horrible completion performance when the `shrink` option was set. - Sessions now store zoom/scroll-position correctly. Thanks to all contributors! The contributors since v0.2.0 were: - Martin Tournoij - Lamar Pavel - Austin Anderson - Bruno Oliveira - Artur Shaik - Antoni Boucher - Raphael Pierzina - Zach-Button - Tobias Patzl - Fritz V155 Reichwald - Franz Fellner Florian -- http://www.the-compiler.org | me at the-compiler.org (Mail/XMPP) GPG: 916E B0C8 FD55 A072 | http://the-compiler.org/pubkey.asc I love long mails! | http://email.is-not-s.ms/ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 819 bytes Desc: not available URL: