Your message dated Wed, 21 Apr 2010 17:16:10 +0200
with message-id <4bcf16ba....@phys.ethz.ch>
and subject line dillo has been removed
has caused the Debian Bug report #510348,
regarding dillo silently accepts expired https certificates
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
510348: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510348
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: dillo
Version: 0.8.6-3
Severity: grave
Justification: user security hole
Tags: security


dillo silently accepts expired https certificates; an example can be seen at
https://i.broke.the.internet.and.all.i.got.was.this.t-shirt.phreedom.org/
Considering this, I suspect dillo likely also doesn't do other checks on the
certificate, but I did not test this as I don't have a collection of such
certificates.
And accepting expired certificates alone is already a security issue.


-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
Architecture: i386 (i686)

Kernel: Linux 2.6
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

ii  libssl0.9.8            0.9.8g-10         SSL shared libraries

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

I hate to see young programmers poisoned by the kind of thinking
Ulrich Drepper puts forward since it is simply too narrow -- Roman Shaposhnik


--- End Message ---
--- Begin Message ---
thus the bug is not relevant anymore.
(it's not likely it's coming back, since the old dillo used to use gtk 1.x, which was getting replaced with gtk 2, and nowadays dillo wants fltk, a version that's not in Debian)


--- End Message ---