
Bug#818875: konqueror: green SSL checkbox despite expired server certificate



Disclaimer: I normally just look at Qt stuff, so I don't have a broad view on 
the issue nor an authoritative say in this.

On Sunday, 15 January 2017 20:55:52 ART Didier 'OdyX' Raboud wrote:
> On Monday, 21 March 2016, 11.03:13 h CET Thorsten Glaser wrote:
> > Package: konqueror
> > Version: 4:15.08.3-1
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> > 
> > See attached screenshot – konqueror does not error out when the
> > certificate is expired and even shows a green checkbox. (I may
> > or may not have ACK’d the certificate in an earlier session, I
> > don’t know right now, but showing a green checkbox is still
> > wrong.)
> 
> https://expired.identrustssl.com/ is an online example to test that
> use-case, which I can reproduce.
> 
> konqueror is RC-buggy in stretch because of that (IMHO rightful) bug. It is
> also plagued by other bugs, I wonder if konqueror should really be shipped
> in stretch. How feasible is it to remove it?

Well, konqueror is part of kde-baseapps. One could imagine not shipping the 
binary and maybe some desktop files, but that source package also provides 
konqueror-related libs, and removing them will definitely be hard. And I don't 
know for sure if those bugs are really related to the front end konqueror is 
or the libs themselves.

As far as I understand, konqueror has not been supported by Debian's security
team for ages, and we have always been recommending it for local/safe stuff.

Moreover, on the same grounds, I personally tried to remove Qt4's webkit:

  https://wiki.debian.org/Qt4WebKitRemoval

but when I asked the security team they simply said something along the lines
of "we don't support it, we don't care", which is fairly understandable.

So, all in all, I don't think it will be easy, and before getting konqueror out
I'd prefer removing Qt4's webkit.

But then again, I should not be considered an authoritative voice here. Maxy
should probably know much better than I.

Kind regards, Lisandro.

-- 
Americans are not to blame, war is to blame. People's lack of will
to understand those who have different values,
that is what is to blame.
  Shinji Mikamo
  <http://www.lanacion.com.ar/1716475-el-cataclismo-nuclear-de-hiroshima-narrado-por-un-superviviente>

Lisandro Damián Nicanor Pérez Meyer
http://perezmeyer.com.ar/
http://perezmeyer.blogspot.com/
