Package: iceweasel
Version: 4.0.1-2
Severity: important
Tags: security
It looks like when Iceweasel loads an HTTPS page from cache, it doesn't
verify if its certificate is (still) valid. Here's how to reproduce this
bug:
1. Try to visit https://kitenet.net/. Iceweasel (correctly) displays
scary warning about the untrusted connection. Click "I Understand The
Risks", click "Add Exception", uncheck "Permanently store this
exception", click "Confirm Security Exception". Iceweasel shows contents
of the page.
2. Close the browser. The kitenet.net's certificate should be no longer
consider valid past this point.
3. Start Iceweasel again. Try to visit https://kitenet.net/. The browser
happily shows contents of the page (presumably loaded from cache), even
though its certificate is not valid anymore.
4. For added fun, try to refresh the page. Iceweasel displays scary
warning about the untrusted connection. Click "I Understand The Risks",
click "Add Exception". The browser says that "This site provides valid,
verified identification" and doesn't allow you to confirm security
exception. So it turns out the certificate is both valid and invalid at
the same time...
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Kernel: Linux 2.6.38-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages iceweasel depends on:
ii debianutils 4 Miscellaneous utilities specific t
ii fontconfig 2.8.0-2.2 generic font configuration library
ii libc6 2.13-4 Embedded GNU C Library: Shared lib
ii libgcc1 1:4.6.0-7 GCC support library
ii libgdk-pixbuf2.0-0 2.23.3-3 GDK Pixbuf library
ii libglib2.0-0 2.28.6-2 GLib library of C routines
ii libgtk2.0-0 2.24.4-3 The GTK+ graphical user interface
ii libnspr4-0d 4.8.7-2 NetScape Portable Runtime Library
ii libstdc++6 4.6.0-7 The GNU Standard C++ Library v3
ii procps 1:3.2.8-10 /proc file system utilities
ii xulrunner-2.0 2.0.1-2 XUL + XPCOM application runner
Versions of packages xulrunner-2.0 depends on:
ii libasound2 1.0.23-4 shared library for ALSA applicatio
ii libatk1.0-0 2.0.0-1 The ATK accessibility toolkit
ii libbz2-1.0 1.0.5-6 high-quality block-sorting file co
ii libc6 2.13-4 Embedded GNU C Library: Shared lib
ii libcairo2 1.10.2-6 The Cairo 2D vector graphics libra
ii libdbus-1-3 1.5.0-2 simple interprocess messaging syst
ii libevent-1.4-2 1.4.13-stable-1 An asynchronous event notification
ii libfontconfig1 2.8.0-2.2 generic font configuration library
ii libfreetype6 2.4.4-1 FreeType 2 font engine, shared lib
ii libgcc1 1:4.6.0-7 GCC support library
ii libgdk-pixbuf2.0 2.23.3-3 GDK Pixbuf library
ii libglib2.0-0 2.28.6-2 GLib library of C routines
ii libgtk2.0-0 2.24.4-3 The GTK+ graphical user interface
ii libhunspell-1.2- 1.3.1-1 spell checker and morphological an
ii libjpeg62 6b1-1 The Independent JPEG Group's JPEG
ii libmozjs4d 2.0.1-2 The Mozilla SpiderMonkey JavaScrip
ii libnspr4-0d 4.8.7-2 NetScape Portable Runtime Library
ii libnss3-1d 3.12.9.with.ckbi.1.82-1 Network Security Service libraries
ii libpango1.0-0 1.28.3-6 Layout and rendering of internatio
ii libpixman-1-0 0.21.8-1 pixel-manipulation library for X a
ii libreadline6 6.2-2 GNU readline and history libraries
ii libsqlite3-0 3.7.6.2-1 SQLite 3 shared library
ii libstartup-notif 0.12-1 library for program launch feedbac
ii libstdc++6 4.6.0-7 The GNU Standard C++ Library v3
ii libvpx0 0.9.6-1 VP8 video codec (shared library)
ii libx11-6 2:1.4.3-1 X11 client-side library
ii libxext6 2:1.3.0-1 X11 miscellaneous extension librar
ii libxrender1 1:0.9.6-1 X Rendering Extension client libra
ii libxt6 1:1.1.1-1 X11 toolkit intrinsics library
ii zlib1g 1:1.2.5.dfsg-1 compression library - runtime
--
Jakub Wilk
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
