Bug#783579: epiphany-browser: leaks DNS queries when used with Tor

Michael Biebl biebl at debian.org
Mon Jun 1 18:55:45 UTC 2015


On 01.06.2015 at 18:49, Christoph Anton Mitterer wrote:
> On Mon, 2015-06-01 at 05:30 +0200, Michael Biebl wrote: 
>> Please file this issue upstream and report back with the bug number.
> I kindly ask someone else to report this upstream.
> 
> My past experience has shown that upstream has no interest in security,
> e.g. when I reported the extremely critical bug that each of epiphany's
> TLS connections can be immediately hacked by simply redirecting.
> That was denied at first and IIRC is still not solved.
> 
> I've just noted this further security issue by accident and reported it
> for the benefit of other Debian users, e.g. the package description
> could warn about the great security deficiencies in epiphany (at least
> if the TLS bug is still open) or the product could be removed from
> Debian altogether.
> That being said, I consider contributing upstream a waste of time since
> there seems to be no interest in security, which is why I'd ask someone
> else to take these struggles.

Too bad you see it that way.

>> control: severity -1 important
> Oh and I don't think that this is appropriate.
> It basically means that this bug is hidden away unless people manually
> search the BTS (apt-listbugs won't show it with just important).
> And since a non-working Tor can mean much more critical things to some
> people than anything our severities cover, from torture to death,

hyperbole, eh? I'm sure it kills kittens, too.

> we
> should rather employ the loudest bells and whistles to inform anyone
> that epiphany cannot be securely used with Tor.

Feel free to talk to the Debian security team. If they confirm your
assessment of the severity, I have no objections to raise the severity
again.

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
