Your message dated Wed, 17 Sep 2025 05:12:26 +0200
with message-id <[email protected]>
and subject line iceweasel has been superseded by firefox-esr
has caused the Debian Bug report #644271,
regarding iceweasel: krb5 negotiation relies on dns to normalize GSS requests  
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
644271: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=644271
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: iceweasel
Version: 7.0.1-1
Severity: normal

I'm connecting to a web server at foo.example.org which uses Negotiate
HTTP authentication (SPNEGO/GSSAPI/krb5).  The reverse dns lookup for
the server's IP address is bar.example.org.

..example.org is listed in the iceweasel profile's
network.negotiate-auth.trusted-uris setting.

Iceweasel (or the underlying gss libs?) appears to use a reverse DNS
lookup to normalize foo.example.org to bar.example.org, so that the
krb5 ticket fetched is for HTTP/bar.example.org, even though I'm
connecting to https://foo.example.org ("...foo..." is displayed in the URL
bar, and bar is never displayed to the user anywhere).

This seems problematic -- poisoned DNS could effectively cause the
user to authenticate to a service without their knowledge.

FWIW, the analogous dns-canonicalization when using GSSAPI in Debian's
OpenSSH is turned off by default.  From ssh_config(5):

    GSSAPITrustDns
             Set to “yes” to indicate that the DNS is trusted to securely
             canonicalize the name of the host being connected to. If “no”,
             the hostname entered on the command line will be passed
             untouched to the GSSAPI library.  The default is “no”.  This
             option only applies to protocol version 2 connections using
             GSSAPI.

Perhaps iceweasel should follow OpenSSH's lead here?

If you think this bug belongs somewhere lower in the stack than
iceweasel, feel free to re-assign of course.

Thanks for all your work on iceweasel and friends in debian.  It's
much appreciated.

Regards,

        --dkg

-- Package-specific info:


-- Addons package information

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 3.0.0-1-686-pae (SMP w/1 CPU core)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages iceweasel depends on:
ii  debianutils         4.0.2     
ii  fontconfig          2.8.0-3   
ii  libc6               2.13-21   
ii  libgcc1             1:4.6.1-4 
ii  libgdk-pixbuf2.0-0  2.24.0-1  
ii  libglib2.0-0        2.28.6-1  
ii  libgtk2.0-0         2.24.4-3  
ii  libnspr4-0d         4.8.9-1   
ii  libstdc++6          4.6.1-4   
ii  procps              1:3.2.8-11
ii  xulrunner-7.0       7.0.1-1   

iceweasel recommends no packages.

Versions of packages iceweasel suggests:
ii  libgssapi-krb5-2    1.9.1+dfsg-1
ii  mozplugger          <none>      
ii  ttf-lyx             2.0.1-1     
ii  ttf-mathematica4.1  <none>      
ii  xfonts-mathml       4           

Versions of packages xulrunner-7.0 depends on:
ii  libasound2                1.0.24.1-4      
ii  libatk1.0-0               2.0.1-2         
ii  libbz2-1.0                1.0.5-7         
ii  libc6                     2.13-21         
ii  libcairo2                 1.10.2-6.1      
ii  libdbus-1-3               1.4.16-1        
ii  libevent-1.4-2            1.4.14b-stable-1
ii  libfontconfig1            2.8.0-3         
ii  libfreetype6              2.4.6-2         
ii  libgcc1                   1:4.6.1-4       
ii  libgdk-pixbuf2.0-0        2.24.0-1        
ii  libglib2.0-0              2.28.6-1        
ii  libgtk2.0-0               2.24.4-3        
ii  libhunspell-1.2-0         1.2.14-4        
ii  libjpeg8                  8c-2            
ii  libmozjs7d                7.0.1-1         
ii  libnspr4-0d               4.8.9-1         
ii  libnss3-1d                3.12.11-3       
ii  libpango1.0-0             1.28.4-3        
ii  libpixman-1-0             0.22.2-1        
ii  libreadline6              6.2-4           
ii  libsqlite3-0              3.7.7-2         
ii  libstartup-notification0  0.12-1          
ii  libstdc++6                4.6.1-4         
ii  libvpx0                   0.9.7.p1-1      
ii  libx11-6                  2:1.4.4-2       
ii  libxext6                  2:1.3.0-3       
ii  libxrender1               1:0.9.6-2       
ii  libxt6                    1:1.1.1-2       
ii  zlib1g                    1:1.2.3.4.dfsg-3

Versions of packages xulrunner-7.0 suggests:
ii  libcanberra0      0.28-1    
ii  libdbus-glib-1-2  0.94-4    
ii  libgconf2-4       2.32.4-1  
ii  libgnomeui-0      2.24.5-2  
ii  libgnomevfs2-0    1:2.24.4-1
ii  libnotify4        0.7.4-1   

-- no debconf information



--- End Message ---
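Added example, not part of the thread: the reporter's scenario modelled in Python. It derives the SPN an HTTP Negotiate exchange would request under a "trust DNS" policy versus one that passes the URL host through untouched (the OpenSSH GSSAPITrustDns=no behaviour), and audits the MIT krb5 [libdefaults] settings `rdns` and `dns_canonicalize_hostname` that control that library's own reverse-lookup canonicalization. The krb5.conf text and the reverse-DNS answer are constructed; that the browser defers to those library settings is an assumption the reporter raises but the thread does not confirm.

```python
import re

# Constructed reverse-DNS table standing in for the reporter's network:
# the address behind foo.example.org resolves back to bar.example.org.
REVERSE_DNS = {"foo.example.org": "bar.example.org"}

# Constructed krb5.conf with the MIT defaults spelled out explicitly.
KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.ORG
    dns_canonicalize_hostname = true
    rdns = true
[realms]
    EXAMPLE.ORG = {
        kdc = kdc.example.org
    }
"""

def libdefaults(conf: str) -> dict:
    """Key/value pairs from [libdefaults]; comments and other sections ignored
    (real files may also use includes, which this toy parser does not follow)."""
    section, out = None, {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
        elif section == "libdefaults" and "=" in line:
            k, v = (s.strip() for s in line.split("=", 1))
            out[k.lower()] = v.lower()
    return out

def trusts_dns(defaults: dict) -> bool:
    """MIT krb5 applies reverse lookup only when both flags are on, which is
    the default; only an explicit 'false' is treated as disabling here."""
    canon = defaults.get("dns_canonicalize_hostname", "true") != "false"
    rdns = defaults.get("rdns", "true") != "false"
    return canon and rdns

def service_principal(url_host: str, trust_dns: bool) -> str:
    """SPN requested for the Negotiate exchange against url_host."""
    host = REVERSE_DNS.get(url_host, url_host) if trust_dns else url_host
    return f"HTTP/{host.lower()}"

def audit(url_host: str, conf: str) -> dict:
    """Report the SPN the library would ask for and flag it when it names a
    host the user never saw in the URL bar (the report's complaint)."""
    spn = service_principal(url_host, trusts_dns(libdefaults(conf)))
    return {"spn": spn, "mismatch": spn != f"HTTP/{url_host.lower()}"}
```

With the constructed defaults the audit reports HTTP/bar.example.org and a mismatch; setting `rdns = false` makes the SPN follow the URL host.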
--- Begin Message ---
Version: 115.12.0esr-1+rm

src:iceweasel has been superseded by src:firefox-esr in version 45.0esr-1 in March 2016. Transitional packages to ease upgrades were provided in the wheezy, jessie, stretch and buster releases. The transitional packages have been removed finally before the bullseye release in August 2021. After regular security support for buster ended in August 2022 and LTS support ended in June 2024, I'm closing the remaining bug reports now.

Andreas

--- End Message ---