[Pkg-mozext-maintainers] Bug#1118045: RM: https-everywhere -- ROM; obsolete; poses a security risk;
Markus Koschany
apo at debian.org
Tue Oct 14 10:11:30 BST 2025
Package: ftp.debian.org
Severity: important
User: ftp.debian.org at packages.debian.org
Usertags: remove
X-Debbugs-Cc: https-everywhere at packages.debian.org, apo at debian.org
Control: affects -1 + src:https-everywhere
Hi,

please remove the source package https-everywhere and its
corresponding binary package webext-https-everywhere from bullseye.

I am the former maintainer of https-everywhere and was just informed
[1] that the current package in bullseye poses a security risk to
users which cannot be fixed by the LTS team because

a) https-everywhere is obsolete and discontinued

b) upstream, the Electronic Frontier Foundation, apparently let the
https-rulesets.org domain expire which was the source for up-to-date
https-rules and a third party registered said domain. The browser
addon obtained new rules from this domain and trusts it
unconditionally.

It appears https-rulesets.org redirects to a known malware site
now. For users in bullseye this may pose a severe security risk.
Since we cannot restore the old functionality, removal is the only
viable option.

[1] https://bugs.debian.org/1118030

Regards,

Markus