Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 04 Mar 2014 18:42:22 +0000
From: Moritz Naumann <info@...itz-naumann.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request?: konqueror - https uses all ciphers,
 even weak ones

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Felix Eckhofer:
> On Ubuntu, both Google Chrome 33.0.1750.146 from the official
> Google repo as well as Chromium 32.0.1700.107 from Ubuntu's repo
> crashes when trying to open the demo site and also when trying to
> open a page with an image embedded such as
> https://dump.tribut.de/democmrgnet.html


Ubuntu 13.10 x86_64 backtrace (incomplete due to missing
net/ssl/ssl_info.cc):

http://pastebin.com/JKbGez4n


Here's a "test" with various web browsers and operating systems (I do
not expect all of these systems to have the latest security updates
installed):

http://browsershots.org/https://demo.cmrg.net:443/

According to this, Safari 6.1.2 (AppleWebKit 537.74.9) on Mac OS X
10.8 (Mountain Lion), connects without a warning, too:
http://browsershots.org/screenshots/ba96ee74531204523d00c6becc1911af

Moritz
-----BEGIN PGP SIGNATURE-----

iQJ8BAEBCgBmBQJTFh6CXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXREMEEwRkYzMTUwODdEMEUzQkU0QzVGMkVC
RDk2RUNBRDkzNDUwMEIwAAoJEL2W7K2TRQCwrfQP/A1hCDortjSfTgUMBptXJLVi
bsc0vc87LDmM4Wq5tJ9JEt5r11aZPNwP9xcL3sXPfrg1WIRhFh2E+utCkXTCsXcP
eHP7rJlAjpo1nIO2DI3sjZozkPdiW5d/8clKY37cziQq4PnO6PgWhJwd/sftDWnX
edH3ZG2//BYL9ueSy8LXaPjjTQ+WHKNJ+SleFLz57Pc7vGQuc3bgdwRmjoZFQfMc
wfBrqau2jnoIDCksHTGzZXaJQSkjtHc/UIsIdr/qYSaL/qUxbu9iDoMsmjqVLIEr
4zlSPZudoddoaR1SEUdQMGRgz+/pN4jLjEz8iK1YufDFyMrYx6kJNoQgCeh0VKe5
vpiU+6H/UTRKnOF6HvNXhe+cikL2aFbax94JCP5NxjFCwlY3/fdn/scN2r73eJih
GkXrMqEQdjvYERDm89zjKAm7HG9MHZgTzrbZaG0Txfsd/sxvh30Y0nwcd4TSB1KO
P6lumzBi2SYTucJPF5f6dsYiL3yapYDjBa51uxQasDUtUqYtjps+RZjPsBFA7SVn
YmSRGxquMXkUsKEa0cDfRGF3CTIx99YOOGKeZXG0RBUU/xkcP9NK602MudSqLvuE
PIUWoggf/58CjnF7cJkYg19q7OInmX9uig6EOLV6wE0IyJeoNBwz54X7/gQIjOJU
c9bmPcCcqkeRDWFSTJV3
=d0oK
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.