[ASA-202005-5] qutebrowser: certificate verification bypass
foxboron at archlinux.org
Mon May 11 18:10:44 UTC 2020
Arch Linux Security Advisory ASA-202005-5
Date : 2020-05-07
CVE-ID : CVE-2020-11054
Package : qutebrowser
Type : certificate verification bypass
Remote : Yes
Link : https://security.archlinux.org/AVG-1152
The package qutebrowser before version 1.11.1-1 is vulnerable to
certificate verification bypass.
Upgrade to 1.11.1-1.
# pacman -Syu "qutebrowser>=1.11.1-1"
The problem has been fixed upstream in version 1.11.1.
* Treat any host with a certificate exception as insecure, ignoring the
* Or set content.ssl_strict to True (instead of 'ask'), preventing
certificate exceptions in the configuration
In qutebrowser before version 1.11.1 there is an issue where after a
certificate error was overridden by the user, qutebrowser displays the
URL as yellow (colors.statusbar.url.warn.fg). However, when the
affected website was subsequently loaded again, the URL was mistakenly
displayed as green (colors.statusbar.url.success_https). While the user
already has seen a certificate error prompt at this point (or set
content.ssl_strict to false which is not recommended), this could still
provide a false sense of security.
The user might think the webpage is secure, when in reality it has an
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 833 bytes
Desc: not available
More information about the arch-security