w3m supports insecure cypher suites

Bug #1325674 reported by J G Miller
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
w3m (Ubuntu) | Fix Released | Undecided | Unassigned |

Bug Description

PRETTY_NAME="Ubuntu 14.04 LTS"
VERSION="14.04, Trusty Tahr"

Package: w3m
Priority: optional
Section: text
Origin: Ubuntu
Maintainer: Ubuntu Developers <email address hidden>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Version: 0.5.3-15
Supported: 5y

Using w3m to visit the site

<https://www.howsmyssl.COM/>

reveals the following security issue --

QUOTE

 Insecure Cipher Suites

Bad Your client supports cipher suites that are known to be insecure:

  * TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA: This cipher uses keys smaller than 128 bits in its encryption.
  * TLS_DHE_DSS_WITH_DES_CBC_SHA: This cipher uses keys smaller than 128 bits in its encryption.
  * TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA: This cipher uses keys smaller than 128 bits in its encryption.
  * TLS_DHE_RSA_WITH_DES_CBC_SHA: This cipher uses keys smaller than 128 bits in its encryption.
  * TLS_RSA_EXPORT_WITH_DES40_CBC_SHA: This cipher uses keys smaller than 128 bits in its encryption.
  * TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5: This cipher uses keys smaller than 128 bits in its encryption.
  * TLS_RSA_EXPORT_WITH_RC4_40_MD5: This cipher uses keys smaller than 128 bits in its encryption.
  * TLS_RSA_WITH_DES_CBC_SHA: This cipher uses keys smaller than 128 bits in its encryption.

UNQUOTE

J G Miller (jgmiller)
information type: Private Security → Public Security
Changed in w3m (Ubuntu):
status: New → Confirmed
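
Added example (not part of the bug report, and not the contents of the w3m patch): a small audit that applies the "keys smaller than 128 bits" criterion quoted above to a list of offered cipher suite names. The suite list reuses the eight names from the report plus two constructed modern entries for contrast; the function names and the key-size table are assumptions of this example.

```python
import re

# Nominal key size (bits) of the bulk cipher named after "_WITH_" in a suite name.
FIXED_BITS = {"NULL": 0, "DES40_CBC": 40, "RC2_CBC_40": 40, "RC4_40": 40,
              "DES_CBC": 56, "RC4_128": 128, "3DES_EDE_CBC": 168}
# Ciphers whose key size is spelled out in the name, e.g. AES_128_CBC.
SIZED = re.compile(r"^(?:AES|CAMELLIA|ARIA)_(\d+)_")

def bulk_key_bits(suite):
    """Return the nominal bulk-cipher key size in bits, or None if unknown."""
    _, sep, rest = suite.partition("_WITH_")
    if not sep:
        return None
    m = SIZED.match(rest)
    if m:
        return int(m.group(1))
    for prefix in sorted(FIXED_BITS, key=len, reverse=True):
        if rest.startswith(prefix + "_"):
            return FIXED_BITS[prefix]
    return None

def audit(offered, min_bits=128):
    """List (suite, reasons) for every offered suite that should be disabled."""
    findings = []
    for suite in offered:
        bits, reasons = bulk_key_bits(suite), []
        if "_EXPORT_" in suite:
            reasons.append("export-grade")
        if bits is None:
            reasons.append("unrecognised bulk cipher")  # fail closed: review it
        elif bits < min_bits:
            reasons.append(f"{bits}-bit key")
        if reasons:
            findings.append((suite, reasons))
    return findings

# First eight names are from the report; the last two are constructed contrast.
OFFERED = ["TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA", "TLS_DHE_DSS_WITH_DES_CBC_SHA",
           "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA", "TLS_DHE_RSA_WITH_DES_CBC_SHA",
           "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA", "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
           "TLS_RSA_EXPORT_WITH_RC4_40_MD5", "TLS_RSA_WITH_DES_CBC_SHA",
           "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]

if __name__ == "__main__":
    for suite, reasons in audit(OFFERED):
        print(f"{suite}: {', '.join(reasons)}")
```

The table holds nominal key sizes, so 3DES passes the 128-bit threshold here even though its effective strength is lower; raise `min_bits` or extend the table to apply a stricter policy.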
Tatsuya Kinoshita (tats-debian) wrote :

To fix this bug, I've uploaded w3m 0.5.3-16 to Debian unstable,
with the attached patch (330_Disable-weak-ciphers.patch).

Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "330_Disable-weak-ciphers.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package w3m - 0.5.3-16

---------------
w3m (0.5.3-16) unstable; urgency=low

  [ Tatsuya Kinoshita ]
  * New patch 330_Disable-weak-ciphers.patch (LP: #1325674)
  * Update 015_debian-version.patch to 0.5.3+debian-16
  * Update 900_ChangeLog.patch

  [ Daniel Schepler ]
  * Update debian/rules to bootstrap without libimlib2-dev (closes: #738208)

 -- Tatsuya Kinoshita <email address hidden> Mon, 23 Jun 2014 23:15:22 +0900

Changed in w3m (Ubuntu):
status: Confirmed → Fix Released