Bug#702976: epiphany-browser: domainname not checked on https
Michael Gilbert
mgilbert at debian.org
Sat Mar 16 20:04:38 UTC 2013
control: tag -1 confirmed
On Wed, Mar 13, 2013 at 12:29 PM, Christoph Anton Mitterer wrote:
> It seems that epiphany does at least not check the domain name correctly
> when connecting to a site via https.
>
> For example, when I go to:
> https://physik.lmu.de/~mitterer/
> it redirects me automatically to
> https://homepages.physik.uni-muenchen.de/~mitterer/
> without any complaining.

I'll confirm that this is indeed an issue. chromium/iceweasel do
detect this as badness, and appropriately warn the user, so epiphany's
behavior is certainly wrong. However, webkit (and thus webkit-based
browsers) are not supported security-wise in debian (due to a lack of
an upstream security process):
http://www.debian.org/releases/testing/i386/release-notes/ch-information.en.html#browser-security

The bug severity was downgraded due to that.

You may want to consider a CVE request.

Best wishes,
Mike