Debian dla-4331 : webext-https-everywhere - security update

high Nessus Plugin ID 270460

Synopsis

The remote Debian host is missing a security-related update.

Description

The remote Debian 11 host has a package installed that is affected by a vulnerability as referenced in the dla-4331 advisory.

-------------------------------------------------------------------------
Debian LTS Advisory DLA-4331-1 [email protected]
https://www.debian.org/lts/security/ Markus Koschany
October 14, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : https-everywhere
Version : 2025.10.14-0+deb11u1
Debian Bug : 1118030 1118045

The Firefox extension HTTPS Everywhere used to enforce encryption over HTTPS in major web browsers, a feature which has become obsolete because an HTTPS-only mode is built-in nowadays. Consequently HTTPS Everywhere has been removed from Debian in 2023.

The extension requires up-to-date https rules which are obtained from the domain https-rulesets.org. This domain is no longer controlled by the original upstream developers and registered by a third party now. Requests are redirected to a known malware site. This poses a severe risk for users of HTTPS Everywhere.

As a first step to remedy this problem, version 2025.10.14-0+deb11u1 will completely remove all files associated with HTTPS Everywhere and only install a README file to raise the awareness for this security problem. The Debian packages parl-desktop and progress-linux-desktop will no longer depend on webext-https-everywhere.

The source package https-everywhere and the binary package webext-https-everywhere will be removed from Debian in a subsequent step.

We recommend to avoid using HTTPS Everywhere and to use web browsers, e.g. Firefox, which support HTTPS only instead. For more information, please refer to Debian bugs #1118030 and #1118045.

For Debian 11 bullseye, this problem has been fixed in version 2025.10.14-0+deb11u1.

We recommend that you upgrade your https-everywhere packages.

For the detailed security status of https-everywhere please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/https-everywhere

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Upgrade the webext-https-everywhere packages.

See Also

http://www.nessus.org/u?279789a4

https://packages.debian.org/source/bullseye/https-everywhere

Plugin Details

Severity: High

ID: 270460

File Name: debian_DLA-4331.nasl

Version: 1.1

Type: local

Agent: unix

Published: 10/15/2025

Updated: 10/15/2025

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus

Vulnerability Information

CPE: cpe:/o:debian:debian_linux:11.0, p-cpe:/a:debian:debian_linux:webext-https-everywhere

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 10/14/2025

Vulnerability Publication Date: 10/14/2025