
[SECURITY] [DLA 4331-1] https-everywhere security update



-------------------------------------------------------------------------
Debian LTS Advisory DLA-4331-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Markus Koschany
October 14, 2025                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : https-everywhere
Version        : 2025.10.14-0+deb11u1
Debian Bug     : 1118030 1118045

The Firefox extension HTTPS Everywhere used to enforce encryption over HTTPS in
major web browsers, a feature which has become obsolete because an HTTPS-only
mode is built in nowadays. Consequently, HTTPS Everywhere was removed from
Debian in 2023.

The extension requires up-to-date HTTPS rules, which are obtained from the
domain https-rulesets.org. This domain is no longer controlled by the original
upstream developers and is now registered by a third party. Requests are
redirected to a known malware site. This poses a severe risk for users of HTTPS
Everywhere.

As a first step to remedy this problem, version 2025.10.14-0+deb11u1 will
completely remove all files associated with HTTPS Everywhere and only install a
README file to raise awareness of this security problem. The Debian
packages parl-desktop and progress-linux-desktop will no longer depend on
webext-https-everywhere.

The source package https-everywhere and the binary package
webext-https-everywhere will be removed from Debian in a subsequent step.

We recommend that you avoid using HTTPS Everywhere and instead use web
browsers, e.g. Firefox, which support an HTTPS-only mode. For more information,
please refer to Debian bugs #1118030 and #1118045.

For Debian 11 bullseye, this problem has been fixed in version
2025.10.14-0+deb11u1.

We recommend that you upgrade your https-everywhere packages.

For the detailed security status of https-everywhere please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/https-everywhere

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
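
To find machines that still run the extension, one option is to look for
lookups of https-rulesets.org in resolver logs. The script below is an added
example, not part of the advisory or the Debian package; the dnsmasq-style log
format, the host name "gw", the "www" subdomain and all sample lines are
constructed assumptions.

```shell
#!/bin/sh
# Added example: list clients that looked up https-rulesets.org (or any
# subdomain of it) in a dnsmasq-style query log. Log format is an assumption.

# Reads log lines on stdin, prints "<client> <lookup count>" sorted by client.
rulesets_clients() {
    awk -v domain="https-rulesets.org" '
    {
        # Locate the "query[TYPE] NAME from CLIENT" fields anywhere in the line.
        for (i = 1; i + 3 <= NF; i++) {
            if ($i ~ /^query\[[A-Z0-9]+\]$/ && $(i + 2) == "from") {
                name = tolower($(i + 1))   # DNS names are case-insensitive
                sub(/\.$/, "", name)       # drop a trailing root dot
                n = length(name); d = length(domain)
                # Match the domain itself or a name ending in ".domain" so
                # look-alikes (nothttps-rulesets.org, *.example.net) are skipped.
                if (name == domain ||
                    (n > d && substr(name, n - d) == ("." domain)))
                    hits[$(i + 3)]++
            }
        }
    }
    END { for (c in hits) print c, hits[c] }' | sort
}

# Constructed sample input (documentation address ranges only).
sample_log() {
    cat <<'EOF'
Oct 14 10:02:11 gw dnsmasq[812]: query[A] https-rulesets.org from 192.0.2.15
Oct 14 10:02:12 gw dnsmasq[812]: query[AAAA] www.HTTPS-Rulesets.org. from 192.0.2.15
Oct 14 10:03:40 gw dnsmasq[812]: query[A] nothttps-rulesets.org from 192.0.2.22
Oct 14 10:04:05 gw dnsmasq[812]: query[A] https-rulesets.org.example.net from 192.0.2.22
Oct 14 10:05:59 gw dnsmasq[812]: query[A] www.https-rulesets.org from 192.0.2.31
Oct 14 10:06:00 gw dnsmasq[812]: reply www.https-rulesets.org is 198.51.100.7
EOF
}

# Stand-alone run on the sample; in practice feed the real log on stdin.
sample_log | rulesets_clients
```

Clients reported here are candidates for checking whether
webext-https-everywhere is still installed at a version older than
2025.10.14-0+deb11u1.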
