GNU bug report logs - #27823
26.0.50; nsm in paranoid mode always saves fingerprint in session-only mode


Package: emacs

Reported by: Robert Pluim <rpluim <at> gmail.com>

Date: Tue, 25 Jul 2017 14:58:02 UTC

Severity: normal

Tags: fixed, security

Found in version 26.0.50

Fixed in version 27.1

Done: Lars Ingebrigtsen <larsi <at> gnus.org>

Bug is archived. No further changes may be made.



Report forwarded to bug-gnu-emacs <at> gnu.org:
bug#27823; Package emacs. (Tue, 25 Jul 2017 14:58:02 GMT)

Acknowledgement sent to Robert Pluim <rpluim <at> gmail.com>:
New bug report received and forwarded. Copy sent to bug-gnu-emacs <at> gnu.org. (Tue, 25 Jul 2017 14:58:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Robert Pluim <rpluim <at> gmail.com>
To: bug-gnu-emacs <at> gnu.org
Subject: 26.0.50; nsm in paranoid mode always saves fingerprint in session-only mode
Date: Tue, 25 Jul 2017 16:57:15 +0200

; This is with the HEAD of master
; Make sure that network-security.data doesn't contain the fingerprint
  for lists.gnu.org, which for me is sha1:e9248aef3ac9bcbba8d57fa471a07073adb88cbd

emacs -Q
(setq network-security-level 'paranoid)
M-x eww RET
https://lists.gnu.org RET
; Answer 'session only' to the prompt
C-x C-c
emacs -Q
(setq network-security-level 'paranoid)
M-x eww RET
https://lists.gnu.org RET

; Be very surprised that you're not reprompted to accept the
  certificate, and see that its fingerprint has been added to
  network-security.data

If I've said 'session only', I expect emacs to save nothing about the
connection at all.

Regards

Robert

In GNU Emacs 26.0.50 (build 4, x86_64-pc-linux-gnu, GTK+ Version 3.18.9)
 of 2017-07-25 built on rpluim-ubuntu
Repository revision: 4e619aaa163f771c0ce271671c2b6fde09f8ba81
Windowing system distributor 'The X.Org Foundation', version 11.0.11804000
System Description:	KDE neon LTS User Edition 5.8




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#27823; Package emacs. (Mon, 15 Jul 2019 18:33:01 GMT)

Message #8 received at 27823 <at> debbugs.gnu.org:

From: Lars Ingebrigtsen <larsi <at> gnus.org>
To: Robert Pluim <rpluim <at> gmail.com>
Cc: 27823 <at> debbugs.gnu.org
Subject: Re: bug#27823: 26.0.50; nsm in paranoid mode always saves fingerprint in session-only mode
Date: Mon, 15 Jul 2019 20:32:43 +0200

Robert Pluim <rpluim <at> gmail.com> writes:

> emacs -Q
> (setq network-security-level 'paranoid)
> M-x eww RET
> https://lists.gnu.org RET
> ; Answer 'session only' to the prompt
> C-x C-c
> emacs -Q
> (setq network-security-level 'paranoid)
> M-x eww RET
> https://lists.gnu.org RET
>
> ; Be very surprised that you're not reprompted to accept the
>   certificate, and see that its fingerprint has been added to
>   network-security.data
>
> If I've said 'session only', I expect emacs to save nothing about the
> connection at all.

Yup.  Looks like the error was in the NSM saving the fingerprint once
more after it had already been saved in the correct temporary storage.
This should now be fixed on the trunk.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no
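
Added example, not part of the bug thread or of Emacs: the reproduction in this report comes down to whether network-security.data gains an entry for the host after a 'session only' answer, and the hostname itself never appears in that file. This Python check assumes (from nsm.el, not from this page) that each entry is one plist per line keyed by `:id "sha1:" + SHA-1("host:port")`; the sample file contents are constructed.

```python
import hashlib
import re


def nsm_id(host, port=443):
    # Assumption: NSM keys an entry by "sha1:" + SHA-1 of "host:port".
    return "sha1:" + hashlib.sha1(f"{host}:{port}".encode()).hexdigest()


# Assumed layout: one plist per line, for example
#  (:id "sha1:<40 hex digits>" :fingerprints ("sha1:.."))
ENTRY_RE = re.compile(r'\(:id\s+"(sha1:[0-9a-f]{40})"(.*)\)\s*$')


def persisted_entries(data_text):
    """Map each :id found in network-security.data text to the rest of its plist."""
    entries = {}
    for line in data_text.splitlines():
        m = ENTRY_RE.search(line.strip())
        if m:
            entries[m.group(1)] = m.group(2).strip()
    return entries


def is_persisted(data_text, host, port=443):
    """True when the file text holds a saved entry for host:port."""
    return nsm_id(host, port) in persisted_entries(data_text)


def leaked_after_session_only(before_text, after_text, host, port=443):
    """True when the host had no saved entry before the session but has one after."""
    return (not is_persisted(before_text, host, port)
            and is_persisted(after_text, host, port))


# Constructed sample file contents; the fingerprint value is a placeholder.
_SAMPLE_ID = nsm_id("lists.gnu.org")
SAMPLE_BEFORE = "(\n)\n"
SAMPLE_AFTER = (
    "(\n"
    ' (:id "' + _SAMPLE_ID + '" :fingerprints ("sha1:PLACEHOLDER"))\n'
    ")\n"
)

if __name__ == "__main__":
    # Snapshot the file before and after the session, then compare.
    print(leaked_after_session_only(SAMPLE_BEFORE, SAMPLE_AFTER, "lists.gnu.org"))
```

Run against real snapshots of the file taken before the first `emacs -Q` session and after `C-x C-c`; a `True` result means the 'session only' answer was written to disk.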




Added tag(s) fixed. Request was from Lars Ingebrigtsen <larsi <at> gnus.org> to control <at> debbugs.gnu.org. (Mon, 15 Jul 2019 18:33:02 GMT)

bug marked as fixed in version 27.1, send any further explanations to 27823 <at> debbugs.gnu.org and Robert Pluim <rpluim <at> gmail.com>. Request was from Lars Ingebrigtsen <larsi <at> gnus.org> to control <at> debbugs.gnu.org. (Mon, 15 Jul 2019 18:33:02 GMT)

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Tue, 13 Aug 2019 11:24:06 GMT)

This bug report was last modified 4 years and 258 days ago.
