[Bug 1302886] [NEW] w3m -- ssl security check reveals flaws

J G Miller miller at yoyo.ORG
Fri Apr 4 23:09:37 UTC 2014


*** This bug is a security vulnerability ***

Public security bug reported:


PRETTY_NAME="Ubuntu 13.10"
VERSION="13.10, Saucy Salamander"

Package: w3m
Origin: Ubuntu
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Architecture: i386
Multi-Arch: foreign
Version: 0.5.3-11


Using w3m to browse the SSL checking site  

 https://www.howsmyssl.com/

reveals the following two security issues --


Version
Improvable

Your client is using TLS 1.1. It would be better to be TLS 1.2, but at
least it isn't susceptible to the BEAST attack. But, it also doesn't
have the AES-GCM cipher suite available.


Insecure Cipher Suites
Bad

Your client supports cipher suites that are known to be insecure:

  • TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA: This cipher uses keys smaller than 128 bits in its encryption.
  • TLS_DHE_DSS_WITH_DES_CBC_SHA: This cipher uses keys smaller than 128 bits in its encryption.
  • TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA: This cipher uses keys smaller than 128 bits in its encryption.
  • TLS_DHE_RSA_WITH_DES_CBC_SHA: This cipher uses keys smaller than 128 bits in its encryption.
  • TLS_RSA_EXPORT_WITH_DES40_CBC_SHA: This cipher uses keys smaller than 128 bits in its encryption.
  • TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5: This cipher uses keys smaller than 128 bits in its encryption.
  • TLS_RSA_EXPORT_WITH_RC4_40_MD5: This cipher uses keys smaller than 128 bits in its encryption.
  • TLS_RSA_WITH_DES_CBC_SHA: This cipher uses keys smaller than 128 bits in its encryption.

** Affects: w3m (Ubuntu)
     Importance: Undecided
         Status: New

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to w3m in Ubuntu.
https://bugs.launchpad.net/bugs/1302886
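
Added example (not part of the original bug report, and not w3m or howsmyssl.com code): a small audit that parses IANA cipher suite names such as those quoted above and flags any whose cipher key is below 128 bits or that is an EXPORT suite. The key-size table, the function names and the three extra suites are assumptions made for illustration.

```python
import re

# Nominal symmetric key sizes in bits, keyed by the cipher token of an
# IANA suite name. Assumption: only the tokens listed here are recognised.
KEY_BITS = {
    "DES40_CBC": 40, "RC2_CBC_40": 40, "RC4_40": 40, "DES_CBC": 56,
    "RC4_128": 128, "AES_128_CBC": 128, "AES_128_GCM": 128,
    "3DES_EDE_CBC": 168, "AES_256_CBC": 256, "AES_256_GCM": 256,
}
# Layout: TLS_<key exchange>_WITH_<cipher>_<MAC or PRF hash>
SUITE_RE = re.compile(r"^TLS_(?P<kx>.+?)_WITH_(?P<cipher>.+)_(?P<mac>[A-Z0-9]+)$")

def classify(name, min_bits=128):
    """Return (key_bits, verdict); verdict is 'ok', 'weak' or 'unknown'."""
    m = SUITE_RE.match(name)
    if not m:
        return None, "unknown"
    bits = KEY_BITS.get(m["cipher"])
    if bits is None:
        return None, "unknown"  # never pass a cipher we cannot size
    if bits < min_bits or m["kx"].endswith("_EXPORT"):
        return bits, "weak"
    return bits, "ok"

def audit(offered, min_bits=128):
    """Group the offered suites by verdict so unknowns stay visible."""
    report = {"ok": [], "weak": [], "unknown": []}
    for name in offered:
        bits, verdict = classify(name, min_bits)
        report[verdict].append((name, bits))
    return report

# The eight suites quoted in the report above.
REPORTED = [
    "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA", "TLS_DHE_DSS_WITH_DES_CBC_SHA",
    "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA", "TLS_DHE_RSA_WITH_DES_CBC_SHA",
    "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA", "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5", "TLS_RSA_WITH_DES_CBC_SHA",
]
# Constructed additions for contrast; they do not come from the report.
EXTRA = ["TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA",
         "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA"]

if __name__ == "__main__":
    for verdict, items in audit(REPORTED + EXTRA).items():
        for name, bits in items:
            print(f"{verdict:8} {bits!s:>5} {name}")
```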
