Your message dated Fri, 19 Sep 2025 23:22:00 +0200
with message-id <[email protected]>
and subject line iceweasel has been superseded by firefox-esr
has caused the Debian Bug report #752188,
regarding xulrunner-29: strict-transport-security implementation too strict
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
752188: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=752188
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: xulrunner-29
Version: 29.0.1-2
Severity: normal
Dear Maintainer,
to reproduce a particular instance of this problem:
1) remove trust from 'DigiCert High Assurance EV Root CA'
2) add exception for certificate from https://js.stripe.com
(ultimately signed by above root CA)
3) keep trust on 'AddTrust External CA Root' or add exception for
certificate from https://www.humblebundle.com
3) open https://www.humblebundle.com/store
(sourcing js from js.stripe.com)
result:
Site doesn't load, because connection to https://js.stripe.com fails
(it both sends Strict-Transport-Security headers and is present in the
STS preload list).
expected result:
The site should load, because the certificate chain is valid and there
is trust on the particular certificate used by https://js.stripe.com.
workaround:
1) open libxul.so in your favorite hex editor and patch the string
Strict-Transport-Security
(or alternatively find another way to hide this header from gecko's
network layer)
2) disable the use of the builtin STS preload list
3) remove any accumulated sts/* permissions from permissions.sqlite in
your profile
Discussion:
HSTS isn't new and it's implementation in gecko isn't either, but in
earlier versions the implementation problems weren't noticeable
(probably because fewer sites were using the header).
Arguable HSTS itself is broken because it works around the syptoms
rather than addressing the root issue, namely a broken standard web
site architecture (section 2.3.1.3. of RFC 6797 admits as much), and
a 'No user recourse' policy (section 12.1 of the RFC) is definitelyi
the wrong way to handle security, but this is outside of the scope of
this request.
It could also be argued to be an upstream bug, because an acceptable
solution would be to separate trust and validity inside gecko's
certificate verifier. But the current trust model where trust is
assigned on the CA level and individual trust is the exception is a
conscious design decision that is widely adopted and has become a
business model that is not going to change even (though it is even
more horribly broken from a security perspective).
Since Debian isn't encumbered by or profiting from business decisions
concerning certificate authorities or web advertising and its Social
Contract has users and freedom as high priorities I think it is a
Debian bug to ship the build as is.
The solution could be as simple as disabling the disabling of the
certificate exception processing for sts sites. Since by default
gecko doesn't present an exception dialog for sts sites there is
still no click through vulnerability, i.e. no (easy) user recourse.
Best regards
Juergen Ruehle
-- System Information:
Debian Release: jessie/sid
APT prefers testing-updates
APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 3.14-1-686-pae (SMP w/8 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages xulrunner-29 depends on:
ii libasound2 1.0.27.2-4
ii libatk1.0-0 2.12.0-1
ii libbz2-1.0 1.0.6-5
ii libc6 2.19-1
ii libcairo2 1.12.16-2
ii libdbus-1-3 1.8.4-1
ii libdbus-glib-1-2 0.102-1
ii libevent-2.0-5 2.0.21-stable-1
ii libffi6 3.1-2
ii libfontconfig1 2.11.0-5
ii libfreetype6 2.5.2-1
ii libgcc1 1:4.9.0-6
ii libgdk-pixbuf2.0-0 2.30.7-1
ii libglib2.0-0 2.40.0-3
ii libgtk2.0-0 2.24.23-1
ii libhunspell-1.3-0 1.3.3-1
ii libnspr4 2:4.10.6-1
ii libnss3 2:3.16.1-1
ii libpango-1.0-0 1.36.3-1
ii libsqlite3-0 3.8.4.3-3
ii libstartup-notification0 0.12-3
ii libstdc++6 4.9.0-6
ii libvpx1 1.3.0-2
ii libx11-6 2:1.6.2-2
ii libxext6 2:1.3.2-1
ii libxrender1 1:0.9.8-1
ii libxt6 1:1.1.4-1
ii zlib1g 1:1.2.8.dfsg-1
xulrunner-29 recommends no packages.
Versions of packages xulrunner-29 suggests:
ii libcanberra0 0.30-2
pn libgnomeui-0 <none>
-- no debconf information
--- End Message ---
--- Begin Message ---
Version: 115.12.0esr-1+rm
src:iceweasel has been superseded by src:firefox-esr in version
45.0esr-1 in March 2016. Transitional packages to ease upgrades were
provided in the wheezy, jessie, stretch and buster releases. The
transitional packages have been removed finally before the bullseye
release in August 2021.
After regular security support for buster ended in August 2022 and LTS
support ended in June 2024, I'm closing the remaining bug reports now.
Andreas
--- End Message ---
