Fedora 32 : qutebrowser (2020-f0812d6aad)

2020-09-2100:00:00

www.tenable.com

3.6 Low

AI Score

Confidence

High

JSON

We missed a few upstream releases but there’s not breaking changes as far as I know. Lot of bug fixes and minor changes.

Addresses CVE-2020-11054: After a certificate error was overridden by the user, qutebrowser displays the URL as yellow (colors.statusbar.url.warn.fg). However, when the affected website was subsequently loaded again, the URL was mistakenly displayed as green (colors.statusbar.url.success_https). While the user already has seen a certificate error prompt at this point (or set content.ssl_strict to false which is not recommended), this could still provide a false sense of security. This is now fixed.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Fedora Security Advisory FEDORA-2020-f0812d6aad.
#

include('compat.inc');

if (description)
{
  script_id(140676);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/02/20");

  script_cve_id("CVE-2020-11054");
  script_xref(name:"FEDORA", value:"2020-f0812d6aad");

  script_name(english:"Fedora 32 : qutebrowser (2020-f0812d6aad)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Fedora host is missing a security update.");
  script_set_attribute(attribute:"description", value:
"We missed a few upstream releases but there's not breaking changes as
far as I know. Lot of bug fixes and minor changes.

----

Addresses CVE-2020-11054: After a certificate error was overridden by
the user, qutebrowser displays the URL as yellow
(colors.statusbar.url.warn.fg). However, when the affected website was
subsequently loaded again, the URL was mistakenly displayed as green
(colors.statusbar.url.success_https). While the user already has seen
a certificate error prompt at this point (or set content.ssl_strict to
false which is not recommended), this could still provide a false
sense of security. This is now fixed.

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as
possible without introducing additional issues.");
  script_set_attribute(attribute:"see_also", value:"https://bodhi.fedoraproject.org/updates/FEDORA-2020-f0812d6aad");
  script_set_attribute(attribute:"solution", value:
"Update the affected qutebrowser package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-11054");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/05/07");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/09/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/09/21");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:qutebrowser");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:32");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Fedora Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2020-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! preg(pattern:"^32([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 32", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);


cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);


flag = 0;
if (rpm_check(release:"FC32", reference:"qutebrowser-1.13.1-1.fc32")) flag++;


if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "qutebrowser");
}

VendorProductVersionCPE
fedoraprojectfedoraqutebrowserp-cpe:/a:fedoraproject:fedora:qutebrowser
fedoraprojectfedora32cpe:/o:fedoraproject:fedora:32

Vendor	Product	Version	CPE
fedoraproject	fedora	qutebrowser	p-cpe:/a:fedoraproject:fedora:qutebrowser
fedoraproject	fedora	32	cpe:/o:fedoraproject:fedora:32

References

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11054

bodhi.fedoraproject.org/updates/FEDORA-2020-f0812d6aad

3.6 Low

AI Score

Confidence

High

JSON

Related for FEDORA_2020-F0812D6AAD.NASL