w3m supports insecure cypher suites

Bug #1325674 reported by J G Miller
Affects: w3m (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

PRETTY_NAME="Ubuntu 14.04 LTS"
VERSION="14.04, Trusty Tahr"

Package: w3m
Priority: optional
Section: text
Origin: Ubuntu
Maintainer: Ubuntu Developers <email address hidden>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Version: 0.5.3-15
Supported: 5y

Using w3m to visit the site

<https://www.howsmyssl.COM/>

reveals the following security issue --

QUOTE

 Insecure Cipher Suites

Bad Your client supports cipher suites that are known to be insecure:

  * TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA: This cipher uses keys smaller than 128 bits in its encryption.
  * TLS_DHE_DSS_WITH_DES_CBC_SHA: This cipher uses keys smaller than 128 bits in its encryption.
  * TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA: This cipher uses keys smaller than 128 bits in its encryption.
  * TLS_DHE_RSA_WITH_DES_CBC_SHA: This cipher uses keys smaller than 128 bits in its encryption.
  * TLS_RSA_EXPORT_WITH_DES40_CBC_SHA: This cipher uses keys smaller than 128 bits in its encryption.
  * TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5: This cipher uses keys smaller than 128 bits in its encryption.
  * TLS_RSA_EXPORT_WITH_RC4_40_MD5: This cipher uses keys smaller than 128 bits in its encryption.
  * TLS_RSA_WITH_DES_CBC_SHA: This cipher uses keys smaller than 128 bits in its encryption.

UNQUOTE

J G Miller (jgmiller)
information type: Private Security → Public Security
Changed in w3m (Ubuntu):
status: New → Confirmed
Tatsuya Kinoshita (tats-debian) wrote :

To fix this bug, I've uploaded w3m 0.5.3-16 to Debian unstable,
with the attached patch (330_Disable-weak-ciphers.patch).

Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "330_Disable-weak-ciphers.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package w3m - 0.5.3-16

---------------
w3m (0.5.3-16) unstable; urgency=low

  [ Tatsuya Kinoshita ]
  * New patch 330_Disable-weak-ciphers.patch (LP: #1325674)
  * Update 015_debian-version.patch to 0.5.3+debian-16
  * Update 900_ChangeLog.patch

  [ Daniel Schepler ]
  * Update debian/rules to bootstrap without libimlib2-dev (closes: #738208)

 -- Tatsuya Kinoshita <email address hidden> Mon, 23 Jun 2014 23:15:22 +0900

Changed in w3m (Ubuntu):
status: Confirmed → Fix Released
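
The finding in this report can be reproduced offline by reading the cipher-suite list out of a client's TLS ClientHello and flagging every suite keyed below 128 bits. The following is an added example, not code from w3m, the patch, or the test site; the function names, the key-size table and the sample ClientHello are constructed for illustration, the suite IDs are the IANA values for the names quoted above, and suite IDs missing from the table are skipped.

```python
import struct

# IANA IDs of the eight suites quoted in the report, plus one for contrast.
SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0009: "TLS_RSA_WITH_DES_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0012: "TLS_DHE_DSS_WITH_DES_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0015: "TLS_DHE_RSA_WITH_DES_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
}
# Leading token of the bulk cipher (the part after _WITH_) -> key bits.
KEY_BITS = {"DES40_": 40, "RC2_CBC_40": 40, "RC4_40": 40, "DES_": 56, "AES_128": 128}

def offered_suites(record):
    """Cipher-suite IDs, in client order, from one TLS ClientHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    pos = 5 + 4 + 2 + 32  # record header, handshake header, version, random
    try:
        pos += 1 + record[pos]  # session_id length byte and session_id
        (n,) = struct.unpack_from(">H", record, pos)
    except (IndexError, struct.error):
        raise ValueError("truncated ClientHello") from None
    body = record[pos + 2:pos + 2 + n]
    if n % 2 or len(body) != n:
        raise ValueError("bad cipher_suites length")
    return list(struct.unpack(">%dH" % (n // 2), body))

def weak_suites(record, minimum=128):
    """(name, key bits) for each offered suite keyed below `minimum` bits."""
    found = []
    for suite_id in offered_suites(record):
        cipher = SUITES.get(suite_id, "").partition("_WITH_")[2]
        bits = next((b for t, b in KEY_BITS.items() if cipher.startswith(t)), None)
        if bits is not None and bits < minimum:
            found.append((SUITES[suite_id], bits))
    return found

def build_client_hello(suite_ids):
    """Constructed sample: minimal TLS 1.0 ClientHello without extensions."""
    suites = struct.pack(">H%dH" % len(suite_ids), 2 * len(suite_ids), *suite_ids)
    body = b"\x03\x01" + bytes(32) + b"\x00" + suites + b"\x01\x00"
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake

SAMPLE = build_client_hello(list(SUITES))  # constructed, not a capture
```

Running `weak_suites()` on a ClientHello captured from a client before and after an update shows whether the short-key suites are still being offered.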
This report contains Public Security information  
Everyone can see this security related information.
