Package: kiwix
Version: 2.0.5-2
Severity: important
Tags: security

I noticed that the data feed is not downloaded using https, so network attackers could modify the data feed to change my choice of downloads to something I didn't want to download.

Also most of the datasets point at http instead of https URLs even though the servers do support https. It would be good if kiwix had a list of download servers that support https and then always use https to contact those download servers.

$ kiwix-desktop
QSocketNotifier: Can only be used with threads started with QThread
Compiled with Qt Version 5.15.1
Runtime Qt Version 5.15.2
add widget

(kiwix-desktop:1410327): GLib-GObject-WARNING **: 23:11:12.766: The property GtkSettings:gtk-fallback-icon-theme is deprecated and shouldn't be used anymore. It will be removed in a future version.
Downloading "http://library.kiwix.org:80/catalog/search?lang=eng&count=0"
session saved

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing-debug
  APT policy: (900, 'testing-debug'), (900, 'testing'), (800, 'unstable-debug'), (800, 'unstable'), (790, 'buildd-unstable'), (700, 'experimental-debug'), (700, 'experimental'), (690, 'buildd-experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-2-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND
Locale: LANG=en_AU.utf8, LC_CTYPE=en_AU.utf8 (charmap=UTF-8), LANGUAGE=en_AU:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages kiwix depends on:
ii  libc6                    2.31-9
ii  libgcc-s1                10.2.1-6
ii  libkiwix9                9.4.1+dfsg-1
ii  libqt5core5a             5.15.2+dfsg-2
ii  libqt5gui5               5.15.2+dfsg-2
ii  libqt5network5           5.15.2+dfsg-2
ii  libqt5printsupport5      5.15.2+dfsg-2
ii  libqt5webchannel5        5.15.2-2
ii  libqt5webenginecore5     5.15.2+dfsg-3
ii  libqt5webenginewidgets5  5.15.2+dfsg-3
ii  libqt5widgets5           5.15.2+dfsg-2
ii  libstdc++6               10.2.1-6

kiwix recommends no packages.

kiwix suggests no packages.

-- no debconf information

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
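The mitigation the report asks for, an allow-list of download servers known to support https, with every http URL in the catalog feed upgraded when its host is on that list, as an added example that is not part of the bug report and not kiwix's own code. The host names in HTTPS_HOSTS and the OPDS feed snippet are constructed for illustration; the real library.kiwix.org catalog is not fetched. It also returns the links it could not upgrade, which is the check a client should act on (refuse, or at least warn) rather than silently fetching over plain http.

```python
"""Upgrade catalog and download URLs to https for hosts known to support it.

Added example, not kiwix code. HTTPS_HOSTS and SAMPLE_FEED are assumptions
made up for this illustration.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

ATOM_NS = "http://www.w3.org/2005/Atom"
ET.register_namespace("", ATOM_NS)  # keep the default namespace on output

# Assumed allow-list of mirrors that terminate TLS (illustrative only).
HTTPS_HOSTS = {"library.kiwix.org", "download.kiwix.org"}


def upgrade_url(url, https_hosts=HTTPS_HOSTS):
    """Return url with http replaced by https when its host is in https_hosts.

    Only URLs on the default port (none or :80) are rewritten; a mirror on an
    explicit non-default http port is unlikely to speak TLS on that port, so
    it is left alone and surfaces later as an insecure link. Userinfo is not
    preserved (download mirrors do not use it).
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "http":
        return url
    host = (parts.hostname or "").lower()
    if host not in https_hosts or parts.port not in (None, 80):
        return url
    return urlunsplit(("https", host, parts.path, parts.query, parts.fragment))


def harden_catalog(xml_text, https_hosts=HTTPS_HOSTS):
    """Parse an OPDS (Atom) feed and upgrade every <link href> it can.

    Returns (rewritten_xml, insecure_links): insecure_links lists the hrefs
    that are still plain http after the pass, so the caller can refuse them.
    """
    root = ET.fromstring(xml_text)
    insecure = []
    for link in root.iter(f"{{{ATOM_NS}}}link"):
        href = link.get("href")
        if not href:
            continue
        new_href = upgrade_url(href, https_hosts)
        if urlsplit(new_href).scheme.lower() == "http":
            insecure.append(new_href)
        link.set("href", new_href)
    return ET.tostring(root, encoding="unicode"), insecure


# Constructed feed: two acquisition links, one on an allow-listed mirror and
# one on an unknown mirror with a non-default port.
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom">
  <entry>
    <title>Example ZIM</title>
    <link rel="http://opds-spec.org/acquisition/open-access"
          type="application/x-zim"
          href="http://download.kiwix.org/zim/example.zim"/>
    <link rel="alternate" type="text/html"
          href="http://mirror.example.net:8080/example.zim"/>
  </entry>
</feed>
"""

if __name__ == "__main__":
    catalog_url = "http://library.kiwix.org:80/catalog/search?lang=eng&count=0"
    print("catalog:", upgrade_url(catalog_url))
    rewritten, bad = harden_catalog(SAMPLE_FEED)
    print(rewritten)
    for href in bad:
        print("refusing plain-http download:", href)
```

The upgrade only buys anything if the client then validates the server certificate; with Qt's QNetworkAccessManager that is the default, so the main thing to check is that no code path calls ignoreSslErrors(). Hosts not on the list stay http and are reported rather than guessed at, since opportunistically trying https on an unknown mirror and falling back to http gives an active attacker the same downgrade the report describes.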