Bug#702976: epiphany-browser: domainname not checked on https

2013-07-02 Thread Moritz Muehlenhoff
severity 702976 important thanks On Mon, Jul 01, 2013 at 03:38:13PM +0200, Christoph Anton Mitterer wrote: I'm adding the security team now, which I ask to investigate into this,... Unfortunately this totally broken version leaked into wheezy as well. Michael Gilbert is a member of the

Bug#702976: epiphany-browser: domainname not checked on https

2013-07-02 Thread Christoph Anton Mitterer
On Tue, 2013-07-02 at 08:39 +0200, Moritz Muehlenhoff wrote: severity 702976 important Wow... must really look bad security wise in Debian... Not only is it not obviously documented that webkit browsers are not security supported at all http://www.debian.org/security/

Bug#702976: epiphany-browser: domainname not checked on https

2013-07-02 Thread Moritz Muehlenhoff
On Tue, Jul 02, 2013 at 02:35:15PM +0200, Christoph Anton Mitterer wrote: On Tue, 2013-07-02 at 08:39 +0200, Moritz Muehlenhoff wrote: severity 702976 important Wow... must really look bad security wise in Debian... Not only is it not obviously documented that webkit browsers are not

Bug#702976: epiphany-browser: domainname not checked on https

2013-07-01 Thread Christoph Anton Mitterer
severity 702976 critical stop Hi Julien. I've just seen that you lowered the severity of this bug (already months ago) without giving any further explanation (which I consider quite rude, to be honest), and apparently without understanding its criticality at all... As it was shown by examples,

Bug#702976: epiphany-browser: domainname not checked on https

2013-03-16 Thread Michael Gilbert
control: tag -1 confirmed On Wed, Mar 13, 2013 at 12:29 PM, Christoph Anton Mitterer wrote: It seems that epiphany does at least not check the domainname correctly when connecting to a site via https. For example, when I go to: https://physik.lmu.de/~mitterer/ it redirects me automatically

Bug#702976: epiphany-browser: domainname not checked on https

2013-03-13 Thread Christoph Anton Mitterer
Package: epiphany-browser Version: 3.4.2-2.1 Severity: critical Tags: security Justification: breaks unrelated software Hi. Marking this as critical/breaks-unrelated-software, as it may allow attackers to spoof people into downloading forged software/etc. It seems that epiphany does at least

Bug#702976: epiphany-browser: domainname not checked on https

2013-03-13 Thread Josselin Mouette
On Wednesday, 13 March 2013 at 17:29 +0100, Christoph Anton Mitterer wrote: It seems that epiphany does at least not check the domainname correctly when connecting to a site via https. For example, when I go to: https://physik.lmu.de/~mitterer/ it redirects me automatically to

Bug#702976: epiphany-browser: domainname not checked on https

2013-03-13 Thread Christoph Anton Mitterer
On Wed, 2013-03-13 at 23:23 +0100, Josselin Mouette wrote: I don’t even see it as a bug. Of course it is... Otherwise I could easily mitm every connection... o.O Epiphany treats the first site as a self-signed one, which thus has the same level of security as a non-encrypted connection. And