Report forwarded to debian-bugs-dist@lists.debian.org, Rob Browning <rlb@defaultvalue.org>: Bug#861106; Package emacs25. (Mon, 24 Apr 2017 17:30:04 GMT)
Acknowledgement sent to Antoine Beaupre <anarcat@debian.org>: New Bug report received and forwarded. Copy sent to Rob Browning <rlb@defaultvalue.org>. (Mon, 24 Apr 2017 17:30:04 GMT)
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: emacs25 uses SHA-1 to pin untrusted X509 certificates
Date: Mon, 24 Apr 2017 13:27:37 -0400
Package: emacs25
Version: 25.1+1-3+b1
Severity: normal
I'm getting this when running emacs -q after adding the
Marmalade repo (https://marmalade-repo.org/packages/):
https://paste.anarc.at/snaps/snap-2017.04.24-12.53.11.png
This is after running package-list-packages with the Marmalade repo
configured, running under emacs -q. Hitting "always" in that dialog
creates the following file in .emacs.d/network-security.data:
(
(:id "sha1:85457c729378cc93c732b6a3941c8e4f9c2e60f3" :fingerprint "sha1:ab:a6:d7:6a:b3:d3:63:fa:19:0d:65:41:60:23:6e:ef:d3:2a:46:dc" :host "marmalade-repo.org:443" :conditions (:unknown-ca :invalid))
)
There are two distinct problems here:
1. marmalade-repo.org should be trusted. It works in Firefox and
Chromium - this is probably out of scope here and has been
reported in:
https://github.com/nicferrier/elmarmalade/issues/144
2. the exception shouldn't use a SHA-1 exception, which is now well
known to be weak
Of course, Marmalade now seems like it's dead and we should move on,
but this may happen on other repositories and it seems like a bad idea
to store exceptions in SHA-1.
Thanks,
A.
-- System Information:
Debian Release: 9.0
APT prefers testing
APT policy: (500, 'testing'), (1, 'unstable')
Architecture: amd64
(x86_64)
Foreign Architectures: armhf
Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages emacs25 depends on:
ii emacs25-bin-common 25.1+1-3+b1
ii gconf-service 3.2.6-4+b1
ii libacl1 2.2.52-3+b1
ii libasound2 1.1.3-5
ii libatk1.0-0 2.22.0-1
ii libc6 2.24-9
ii libcairo-gobject2 1.14.8-1
ii libcairo2 1.14.8-1
ii libdbus-1-3 1.10.18-1
ii libfontconfig1 2.11.0-6.7+b1
ii libfreetype6 2.6.3-3.1
ii libgconf-2-4 3.2.6-4+b1
ii libgdk-pixbuf2.0-0 2.36.5-2
ii libgif7 5.1.4-0.4
ii libglib2.0-0 2.50.3-2
ii libgnutls30 3.5.8-5
ii libgomp1 6.3.0-14
ii libgpm2 1.20.4-6.2+b1
ii libgtk-3-0 3.22.11-1
ii libice6 2:1.0.9-2
ii libjpeg62-turbo 1:1.5.1-2
ii libm17n-0 1.7.0-3+b1
ii libmagickcore-6.q16-3 8:6.9.7.4+dfsg-6
ii libmagickwand-6.q16-3 8:6.9.7.4+dfsg-6
ii libotf0 0.9.13-3+b1
ii libpango-1.0-0 1.40.4-1
ii libpangocairo-1.0-0 1.40.4-1
ii libpng16-16 1.6.28-1
ii librsvg2-2 2.40.16-1+b1
ii libselinux1 2.6-3+b1
ii libsm6 2:1.2.2-1+b3
ii libtiff5 4.0.7-6
ii libtinfo5 6.0+20161126-1
ii libx11-6 2:1.6.4-3
ii libx11-xcb1 2:1.6.4-3
ii libxcb1 1.12-1
ii libxfixes3 1:5.0.3-1
ii libxft2 2.3.2-1+b2
ii libxinerama1 2:1.1.3-1+b3
ii libxml2 2.9.4+dfsg1-2.2
ii libxpm4 1:3.5.12-1
ii libxrandr2 2:1.5.1-1
ii libxrender1 1:0.9.10-1
ii zlib1g 1:1.2.8.dfsg-5
emacs25 recommends no packages.
Versions of packages emacs25 suggests:
ii emacs25-common-non-dfsg 25.1+1-1
-- no debconf information
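The exception file quoted in the report is a plist that Emacs's network security manager writes, with the certificate pin stored as an algorithm-prefixed, colon-separated fingerprint. The script below is an added example for this page, not code from the report, from Emacs or from Debian: it parses that format, reports which stored pins are keyed by a weak hash, shows how such a pin is checked against the DER bytes of a presented certificate with the hash the pin names, and re-keys an entry to SHA-256 only after the old pin has been verified against the certificate. The entry is the one quoted above; the DER bytes (b"abc") are a constructed stand-in for a real certificate, and the function names (audit, fingerprint, pin_matches, repin) are chosen here. One caveat a practitioner should keep in mind: what protects a pin is second-preimage resistance, and the published SHA-1 breaks are collision attacks, so the immediate concern is less impersonation of an already-pinned certificate than the habit of storing long-lived pins under a hash that is being retired everywhere else.

```python
"""Audit an Emacs network-security.data file for weak-hash certificate pins.

Added example (not part of the bug report or of Emacs).  The sample entry is
the one quoted in the report; the DER bytes used below are a constructed
stand-in, not a real certificate.
"""
import hashlib
import hmac
import re

# Entry as written by Emacs 25 NSM after choosing "always" (quoted from the report).
SAMPLE_DATA = r'''(
(:id "sha1:85457c729378cc93c732b6a3941c8e4f9c2e60f3" :fingerprint "sha1:ab:a6:d7:6a:b3:d3:63:fa:19:0d:65:41:60:23:6e:ef:d3:2a:46:dc" :host "marmalade-repo.org:443" :conditions (:unknown-ca :invalid))
)'''

WEAK_HASHES = {"md5", "sha1"}

# Minimal s-expression tokenizer: quoted strings, parens, and bare symbols/keywords.
TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|[()]|[^\s()"]+')


def parse(tokens, pos=0):
    """Parse one s-expression starting at tokens[pos]; return (value, next_pos).

    Lists become Python lists, strings become str (backslash escapes removed),
    symbols and keywords stay as str with any leading ':' kept.
    """
    tok = tokens[pos]
    if tok == "(":
        items, pos = [], pos + 1
        while tokens[pos] != ")":
            item, pos = parse(tokens, pos)
            items.append(item)
        return items, pos + 1
    if tok.startswith('"'):
        return re.sub(r"\\(.)", r"\1", tok[1:-1]), pos + 1
    return tok, pos + 1


def plist_to_dict(plist):
    """(:k1 v1 :k2 v2 ...) -> {'k1': v1, 'k2': v2, ...}"""
    if len(plist) % 2:
        raise ValueError("plist has an odd number of elements")
    return {plist[i].lstrip(":"): plist[i + 1] for i in range(0, len(plist), 2)}


def load_entries(text):
    """Return the list of exception entries in a network-security.data file."""
    entries, _ = parse(TOKEN.findall(text))
    return [plist_to_dict(entry) for entry in entries]


def split_pin(pin):
    """'sha1:ab:cd:...' -> ('sha1', b'\\xab\\xcd...')"""
    algo, _, hexpart = pin.partition(":")
    return algo, bytes.fromhex(hexpart.replace(":", ""))


def fingerprint(der, algo):
    """Emacs-style fingerprint of DER certificate bytes: '<algo>:xx:yy:...'."""
    digest = hashlib.new(algo, der).hexdigest()
    return algo + ":" + ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pin_matches(pin, der):
    """True if the presented certificate hashes to the stored pin (constant-time compare)."""
    algo, expected = split_pin(pin)
    return hmac.compare_digest(hashlib.new(algo, der).digest(), expected)


def audit(text):
    """Summarise each stored exception and flag pins keyed by a weak hash."""
    rows = []
    for entry in load_entries(text):
        algo, _ = split_pin(entry["fingerprint"])
        rows.append({"host": entry["host"], "algo": algo,
                     "conditions": entry.get("conditions", []),
                     "weak": algo in WEAK_HASHES})
    return rows


def repin(entry, der, algo="sha256"):
    """Return a copy of the entry keyed by a stronger hash.

    The old pin is verified against the presented certificate first; a
    mismatch means this is not the certificate the user accepted, and silently
    re-pinning it would turn a migration into a trust-on-first-use hole.
    """
    if not pin_matches(entry["fingerprint"], der):
        raise ValueError("presented certificate does not match stored pin; refusing to re-pin")
    new_entry = dict(entry)
    new_entry["fingerprint"] = fingerprint(der, algo)
    return new_entry


if __name__ == "__main__":
    for row in audit(SAMPLE_DATA):
        flag = "WEAK" if row["weak"] else "ok"
        print(f'{row["host"]}: {row["algo"]} pin, conditions {row["conditions"]} [{flag}]')
    der = b"abc"  # constructed stand-in for a certificate's DER bytes
    print(fingerprint(der, "sha1"))
    print(fingerprint(der, "sha256"))
    print("pin matches:", pin_matches(fingerprint(der, "sha256"), der))
```

Run it against a real ~/.emacs.d/network-security.data to list which hosts still have SHA-1 keyed exceptions; feeding repin() the DER bytes of the certificate the host currently serves (for example the output of openssl s_client piped through openssl x509 -outform DER) re-keys an entry to SHA-256 without loosening what was originally accepted.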