Debian alert DLA-4331-1 (https-everywhere)
| From: | Markus Koschany <apo@debian.org> |
| To: | debian-lts-announce <debian-lts-announce@lists.debian.org> |
| Subject: | [SECURITY] [DLA 4331-1] https-everywhere security update |
| Date: | Tue, 14 Oct 2025 17:08:03 +0200 |
| Message-ID: | <152edc21bd5dbefa00a534952aa9b97183af027f.camel@debian.org> |
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4331-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Markus Koschany
October 14, 2025                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : https-everywhere
Version        : 2025.10.14-0+deb11u1
Debian Bug     : 1118030 1118045

The Firefox extension HTTPS Everywhere used to enforce encryption over HTTPS in major web browsers, a feature which has become obsolete because an HTTPS-only mode is built in nowadays. Consequently, HTTPS Everywhere was removed from Debian in 2023.

The extension requires up-to-date https rules which are obtained from the domain https-rulesets.org. This domain is no longer controlled by the original upstream developers and is now registered by a third party. Requests are redirected to a known malware site. This poses a severe risk for users of HTTPS Everywhere.

As a first step to remedy this problem, version 2025.10.14-0+deb11u1 will completely remove all files associated with HTTPS Everywhere and only install a README file to raise awareness of this security problem. The Debian packages parl-desktop and progress-linux-desktop will no longer depend on webext-https-everywhere. The source package https-everywhere and the binary package webext-https-everywhere will be removed from Debian in a subsequent step.

We recommend that you avoid using HTTPS Everywhere and instead use web browsers, e.g. Firefox, which support an HTTPS-only mode.

For more information, please refer to Debian bugs #1118030 and #1118045.

For Debian 11 bullseye, this problem has been fixed in version 2025.10.14-0+deb11u1.

We recommend that you upgrade your https-everywhere packages.

For the detailed security status of https-everywhere please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/https-everywhere

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at:
https://wiki.debian.org/LTS
Attachment: signature.asc (type=application/pgp-signature)
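An added example, not part of the Debian advisory: a POSIX shell check that classifies a host from `dpkg-query` output against the package name and fixed version given above. The function names and result labels are illustrative, and the `sort -V` fallback is an approximation used only where dpkg is absent.

```shell
#!/bin/sh
# Added example: classify a Debian 11 host against DLA-4331-1.
PKG="webext-https-everywhere"      # binary package named in the advisory
FIXED="2025.10.14-0+deb11u1"       # fixed version named in the advisory

# ver_lt A B: succeeds when Debian version A sorts strictly before B.
ver_lt() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" lt "$2"
    else
        # Assumption: no dpkg here (e.g. inventory reviewed on another OS).
        # GNU "sort -V" only approximates Debian version ordering.
        [ "$1" != "$2" ] &&
            [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
    fi
}

# classify: reads "package version status" lines on stdin and prints one of
#   not-installed | affected | fixed
# "fixed" means the README-only package described in the advisory is present.
classify() {
    result="not-installed"
    while read -r pkg ver status; do
        [ "$pkg" = "$PKG" ] || continue
        # Second status letter is the actual state: n = not installed,
        # c = config files only. In both cases the extension files are gone.
        case "$status" in
            ?n*|?c*) continue ;;
        esac
        if ver_lt "$ver" "$FIXED"; then
            result="affected"
        else
            result="fixed"
        fi
    done
    echo "$result"
}

# On a host with dpkg-query, report the live state of the package.
if command -v dpkg-query >/dev/null 2>&1; then
    dpkg-query -W -f='${Package} ${Version} ${db:Status-Abbrev}\n' \
        "$PKG" 2>/dev/null | classify
fi
```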
