[qutebrowser] qutebrowser v1.11.1 released (with minor security fix)

Florian Bruhin me at the-compiler.org
Thu May 7 17:54:11 CEST 2020


Hey,

I just released qutebrowser v1.11.1, with the only change being a low-severity
security fix:

After a certificate error was overridden by the user, qutebrowser displays the
URL as yellow (colors.statusbar.url.warn.fg). However, when the affected
website was subsequently loaded again, the URL was mistakenly displayed as
green (colors.statusbar.url.success_https). While the user has already seen a
certificate error prompt at this point (or set content.ssl_strict to false,
which is not recommended), this could still provide a false sense of security.
This is now fixed.

After discovering this issue, I found out about two other projects using
QtWebEngine with similar issues (always showing a secure connection on
certificate exceptions, even on the first load). I've reported this to the
respective projects as well, and contacted Qt about adding a proper API to
avoid issues like this.

More details can be found in the associated security advisory:
https://github.com/qutebrowser/qutebrowser/security/advisories/GHSA-4rcq-jv2f-898j

This issue has been assigned CVE-2020-11054.

Florian

-- 
me at the-compiler.org (Mail/XMPP) | https://www.qutebrowser.org 
       https://bruhin.software/ | https://github.com/sponsors/The-Compiler/
       GPG: 916E B0C8 FD55 A072 | https://the-compiler.org/pubkey.asc
             I love long mails! | https://email.is-not-s.ms/
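To make the bug pattern concrete, here is a small model of the status-bar colouring logic described above. This is an added example written for this page, not qutebrowser's own code: the two `colors.statusbar.url.*` setting names and `content.ssl_strict` are quoted from the announcement, the `SUCCESS_HTTP`/`ERROR` names are placeholders, and keying the remembered override on the hostname is an assumption of the model. The buggy class decides the colour from the current load alone, so once the engine stops reporting the (already accepted) certificate error, a reload falls through to the green "success" colour; the fixed class keeps the override state across loads.

```python
# Constructed model of the status-bar URL colouring bug described above.
# Example code written for this page, not qutebrowser's own implementation.
from dataclasses import dataclass
from typing import List, Set
from urllib.parse import urlsplit

# Setting names quoted in the announcement.
WARN = "colors.statusbar.url.warn.fg"
SUCCESS_HTTPS = "colors.statusbar.url.success_https"
# Placeholder names for this example only, not real qutebrowser settings.
SUCCESS_HTTP = "url.success_http (placeholder)"
ERROR = "url.error (placeholder)"


@dataclass(frozen=True)
class LoadEvent:
    """What the engine reports for one page load (constructed for the example)."""
    url: str
    cert_error: bool = False   # engine raised a certificate error on this load
    overridden: bool = False   # user accepted the error prompt and proceeded


class BuggyStatusBar:
    """Pre-fix behaviour: colour derived only from the current load's events.

    The engine reports the certificate error once; after the override, later
    loads of the same site succeed silently and fall through to SUCCESS_HTTPS.
    """

    def colour_for(self, ev: LoadEvent) -> str:
        if ev.cert_error and ev.overridden:
            return WARN
        if ev.cert_error:
            return ERROR
        if urlsplit(ev.url).scheme == "https":
            return SUCCESS_HTTPS
        return SUCCESS_HTTP


class FixedStatusBar:
    """Remembers hosts whose certificate error was overridden (or ignored
    because content.ssl_strict is false) and keeps them yellow afterwards.

    Keying on the hostname is an assumption of this model; the point is that
    the override state outlives the single load that raised the error.
    """

    def __init__(self, ssl_strict: bool = True) -> None:
        self.ssl_strict = ssl_strict
        self.overridden_hosts: Set[str] = set()

    def colour_for(self, ev: LoadEvent) -> str:
        parts = urlsplit(ev.url)
        host = parts.hostname or ""
        if ev.cert_error:
            if ev.overridden or not self.ssl_strict:
                self.overridden_hosts.add(host)
                return WARN
            return ERROR
        if parts.scheme != "https":
            return SUCCESS_HTTP
        if host in self.overridden_hosts:
            return WARN   # still running on a certificate the user had to accept
        return SUCCESS_HTTPS


def colours(bar, events: List[LoadEvent]) -> List[str]:
    """Feed a sequence of loads to a status bar and collect the colours shown."""
    return [bar.colour_for(ev) for ev in events]


# Constructed scenario: the first load hits a bad certificate and the user
# overrides it; the next load of the same site succeeds with no new error
# report; an unrelated site loads cleanly.
SCENARIO = [
    LoadEvent("https://bad-cert.example/", cert_error=True, overridden=True),
    LoadEvent("https://bad-cert.example/page2"),
    LoadEvent("https://good.example/"),
]

if __name__ == "__main__":
    print("buggy:", colours(BuggyStatusBar(), SCENARIO))
    print("fixed:", colours(FixedStatusBar(), SCENARIO))
```

Running it shows the second load coming back as `success_https` from the buggy bar and as `warn.fg` from the fixed one; the same state-tracking concern applies to any QtWebEngine-based UI that derives its security indicator from per-load signals, since the engine does not re-raise an error it has already been told to ignore.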