Package: iceweasel
Version: 7.0.1-1
Severity: normal

I'm connecting to a web server at foo.example.org which uses Negotiate HTTP
authentication (SPNEGO/GSSAPI/krb5). The reverse DNS lookup for the server's
IP address is bar.example.org.

.example.org is listed in the iceweasel profile's
network.negotiate-auth.trusted-uris setting.

Iceweasel (or the underlying gss libs?) appears to use a reverse DNS lookup to
normalize foo.example.org to bar.example.org, so that the krb5 ticket fetched
is for HTTP/bar.example.org, even though I'm connecting to
https://foo.example.org ("...foo..." is displayed in the URL bar, and bar is
never displayed to the user anywhere).

This seems problematic -- poisoned DNS could effectively cause the user to
authenticate to a service without their knowledge.

FWIW, the analogous DNS canonicalization when using GSSAPI in Debian's OpenSSH
is turned off by default. From ssh_config(5):

     GSSAPITrustDns
             Set to “yes” to indicate that the DNS is trusted to securely
             canonicalize the name of the host being connected to. If “no”,
             the hostname entered on the command line will be passed
             untouched to the GSSAPI library. The default is “no”. This
             option only applies to protocol version 2 connections using
             GSSAPI.

Perhaps iceweasel should follow OpenSSH's lead here?

If you think this bug belongs somewhere lower in the stack than iceweasel,
feel free to re-assign of course.

Thanks for all your work on iceweasel and friends in Debian. It's much
appreciated.

Regards,

        --dkg

-- Package-specific info:

-- Addons package information

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 3.0.0-1-686-pae (SMP w/1 CPU core)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages iceweasel depends on:
ii  debianutils         4.0.2
ii  fontconfig          2.8.0-3
ii  libc6               2.13-21
ii  libgcc1             1:4.6.1-4
ii  libgdk-pixbuf2.0-0  2.24.0-1
ii  libglib2.0-0        2.28.6-1
ii  libgtk2.0-0         2.24.4-3
ii  libnspr4-0d         4.8.9-1
ii  libstdc++6          4.6.1-4
ii  procps              1:3.2.8-11
ii  xulrunner-7.0       7.0.1-1

iceweasel recommends no packages.
Versions of packages iceweasel suggests:
ii  libgssapi-krb5-2    1.9.1+dfsg-1
ii  mozplugger          <none>
ii  ttf-lyx             2.0.1-1
ii  ttf-mathematica4.1  <none>
ii  xfonts-mathml       4

Versions of packages xulrunner-7.0 depends on:
ii  libasound2                1.0.24.1-4
ii  libatk1.0-0               2.0.1-2
ii  libbz2-1.0                1.0.5-7
ii  libc6                     2.13-21
ii  libcairo2                 1.10.2-6.1
ii  libdbus-1-3               1.4.16-1
ii  libevent-1.4-2            1.4.14b-stable-1
ii  libfontconfig1            2.8.0-3
ii  libfreetype6              2.4.6-2
ii  libgcc1                   1:4.6.1-4
ii  libgdk-pixbuf2.0-0        2.24.0-1
ii  libglib2.0-0              2.28.6-1
ii  libgtk2.0-0               2.24.4-3
ii  libhunspell-1.2-0         1.2.14-4
ii  libjpeg8                  8c-2
ii  libmozjs7d                7.0.1-1
ii  libnspr4-0d               4.8.9-1
ii  libnss3-1d                3.12.11-3
ii  libpango1.0-0             1.28.4-3
ii  libpixman-1-0             0.22.2-1
ii  libreadline6              6.2-4
ii  libsqlite3-0              3.7.7-2
ii  libstartup-notification0  0.12-1
ii  libstdc++6                4.6.1-4
ii  libvpx0                   0.9.7.p1-1
ii  libx11-6                  2:1.4.4-2
ii  libxext6                  2:1.3.0-3
ii  libxrender1               1:0.9.6-2
ii  libxt6                    1:1.1.1-2
ii  zlib1g                    1:1.2.3.4.dfsg-3

Versions of packages xulrunner-7.0 suggests:
ii  libcanberra0     0.28-1
ii  libdbus-glib-1-2 0.94-4
ii  libgconf2-4      2.32.4-1
ii  libgnomeui-0     2.24.5-2
ii  libgnomevfs2-0   1:2.24.4-1
ii  libnotify4       0.7.4-1

-- no debconf information
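The following is an added worked example, not code from the bug report, from Iceweasel/Mozilla or from OpenSSH. It models the two service-principal selection policies the report contrasts (use the host name as typed, as with OpenSSH's GSSAPITrustDns=no, versus canonicalize through a forward plus reverse DNS lookup, the behaviour the report observes) and shows why a trusted-uris check on the URL host alone does not catch the problem: the PTR-derived name bar.example.org still lies inside .example.org. The DNS tables, the resolver interface and the simplified trusted-uris matching rule are all assumptions constructed for this example.

```python
"""Model of Kerberos SPN selection for HTTP Negotiate (added example).

Policies:
  trust_dns=False  use the URL host as typed (OpenSSH GSSAPITrustDns=no)
  trust_dns=True   forward-resolve the host, then reverse-resolve the address,
                   and build the SPN from the PTR name (the reported behaviour)
"""
from urllib.parse import urlsplit

# Constructed DNS data for the scenario in the report: foo and bar share an
# address and the PTR record for that address names bar.
FORWARD = {"foo.example.org": "192.0.2.10", "bar.example.org": "192.0.2.10"}
REVERSE = {"192.0.2.10": "bar.example.org"}


def make_resolver(forward, reverse):
    """Return an injectable resolver: resolve('A', name) / resolve('PTR', addr).
    Injecting it keeps the example offline and lets us simulate poisoned PTRs."""
    def resolve(rrtype, key):
        table = forward if rrtype == "A" else reverse
        return table.get(key.lower())
    return resolve


def canonical_host(host, resolver):
    """DNS canonicalization: A lookup, then PTR lookup on the answer.
    Falls back to the typed name if either lookup yields nothing."""
    addr = resolver("A", host)
    if addr is None:
        return host
    return resolver("PTR", addr) or host


def spn_for_url(url, trust_dns, resolver):
    """Service principal the client would request a ticket for."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError("URL has no host")
    target = canonical_host(host, resolver) if trust_dns else host
    return f"HTTP/{target}"


def host_is_trusted(host, trusted_uris):
    """Simplified model (assumption) of network.negotiate-auth.trusted-uris:
    an entry starting with '.' covers the domain and its subdomains, a bare
    name must match exactly."""
    host = host.lower()
    for entry in trusted_uris:
        entry = entry.strip().lower()
        if not entry:
            continue
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def negotiate_decision(url, trusted_uris, trust_dns, resolver):
    """Decide whether a ticket may be sent and for which SPN.
    Returns (spn, allowed, note); note is non-empty when the ticket's
    target differs from the host the user typed, which is the report's
    concern even when both names are inside the trusted domain."""
    url_host = urlsplit(url).hostname
    spn = spn_for_url(url, trust_dns, resolver)
    spn_host = spn.split("/", 1)[1]
    # Check the typed name and the name the ticket is actually for.
    allowed = host_is_trusted(url_host, trusted_uris) and \
        host_is_trusted(spn_host, trusted_uris)
    note = ""
    if spn_host != url_host:
        note = f"ticket target {spn_host} differs from URL host {url_host}"
    return spn, allowed, note


if __name__ == "__main__":
    trusted = [".example.org"]
    honest = make_resolver(FORWARD, REVERSE)
    for trust_dns in (False, True):
        print(trust_dns, negotiate_decision("https://foo.example.org/",
                                            trusted, trust_dns, honest))
```

Running the module shows that with trust_dns=True the ticket is requested for HTTP/bar.example.org and the trusted-uris check still passes, because the check sees only the domain suffix; the `note` field is the only signal that the principal no longer matches what the URL bar shows. With trust_dns=False the SPN follows the typed host and a poisoned PTR record has no effect on it at all.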