Bug#672880: Midori

Henri Salo henri at nerv.fi
Sat Sep 8 10:26:05 UTC 2012


I think Midori is indeed affected, as I went to a site which used a self-signed HTTPS certificate and Midori didn't say anything about it. If I am correct, this needs a new bug report and an update to the security tracker. Please note a comment from bugzilla.redhat.com:

"""Dan Winship 2012-05-01 10:45:08 EDT
The CVE is wrong. The bug is in Midori. It is telling libsoup to trust all SSL certificates, and so then libsoup reports that all SSL certificates are trusted, just like Midori asked.

To the extent that this is libsoup's fault, it's because it supports the feature Midori is trying to implement here, but doesn't document how to do it correctly. But it is *possible* to do it correctly, as seen in epiphany.

The SUSE patch is just wrong, as I'm sure they will notice shortly... (eg, it will completely break https in evolution)."""

I tested using midori 0.2.4-3 (squeeze).

- Henri Salo


