Bug 25378

Summary: links 2.20 fixes security issue leaking DNS queries when used with Tor
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: andrewsfarm, herman.viaene, mageia, sysadmin-bugs, tmb
Version: 7
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA6TOO, MGA7-64-OK MGA6-64-OK
Source RPM: links-2.19-1.mga7.src.rpm
CVE:
Status comment: Fixed upstream in 2.20

Description David Walser 2019-08-29 13:15:03 CEST
Links 2.20 has been released on August 26:
http://links.twibright.com/download/ChangeLog

It fixes one security issue.

Mageia 6 is also affected.

David Walser 2019-08-29 13:15:23 CEST

Status comment: (none) => Fixed upstream in 2.20
Whiteboard: (none) => MGA6TOO

Comment 1 Stig-Ørjan Smelror 2019-08-29 14:10:42 CEST
Advisory
========

Security bug fixed: when links was connected to tor, it would send real dns requests outside the tor network when the displayed page contains <link rel="dns-prefetch" href="http://host.domain/">.


References
==========

http://links.twibright.com/download/ChangeLog


Files
=====

Uploaded to core/updates_testing

links-2.20-1.mga7
links-graphic-2.20-1.mga7
links-common-2.20-1.mga7

from links-2.20-1.mga7.src.rpm

Comment 2 Stig-Ørjan Smelror 2019-08-29 14:11:29 CEST
Advisory
========

Security bug fixed: when links was connected to tor, it would send real dns requests outside the tor network when the displayed page contains <link rel="dns-prefetch" href="http://host.domain/">.


References
==========

http://links.twibright.com/download/ChangeLog


Files
=====

Uploaded to core/updates_testing

links-2.20-1.mga6
links-graphic-2.20-1.mga6
links-common-2.20-1.mga6

from links-2.20-1.mga6.src.rpm

Assignee: smelror => qa-bugs

Comment 3 PC LX 2019-09-04 12:55:24 CEST
Installed and tested without issues.

Tested with and without a tor proxy. Tried to use online DNS leak tests but none of the ones I tried worked, probably due to lack of javascript or some other incompatibility.

Since I have a local DNS server, I checked if the local address were visible and when using tor they were not visible. Also used wireshark to check for DNS requests and didn't see any when using a tor proxy.

For now that is the best I can do to check for any DNS leaks. If anyone has a better method, I will try it.


System: Mageia 7, x86_64, Intel CPU.


$ uname -a
Linux marte 5.2.10-desktop-1.mga7 #1 SMP Sun Aug 25 17:14:00 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | egrep ^links
links-2.19-1.mga7
links-common-2.19-1.mga7

CC: (none) => mageia
Whiteboard: MGA6TOO => MGA6TOO MGA7-64-OK
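
A canary-based way to check for the dns-prefetch leak described in the advisory, as an added example that is not part of the original bug report or of links: it builds a test page whose only mention of a unique hostname is a dns-prefetch hint, then looks for that name among the UDP payloads of captured port-53 packets. The hostname under the reserved .invalid TLD, the function names and the sample payloads are assumptions constructed for illustration.

```python
import secrets
import struct

def make_canary_page(token=None):
    """Return (hostname, html); the hostname appears only in a dns-prefetch hint."""
    token = token or secrets.token_hex(8)
    host = f"{token}.dnsleak-canary.invalid"  # constructed name, reserved TLD (RFC 2606)
    html = ("<html><head>\n"
            f'<link rel="dns-prefetch" href="http://{host}/">\n'
            "<title>dns-prefetch canary</title></head>\n"
            "<body>dns-prefetch canary page</body></html>\n")
    return host, html

def build_query(name, qtype=1, txid=0x1234):
    """Build a minimal DNS query; used here only to construct sample input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def query_name(payload):
    """Return the lowercased QNAME of a DNS query, or None if it is not a well-formed query."""
    if len(payload) < 12:
        return None
    flags, qdcount = struct.unpack("!HH", payload[2:6])
    if flags & 0x8000 or qdcount < 1:  # QR bit set means a response, not a query
        return None
    labels, pos = [], 12
    while pos < len(payload):
        length = payload[pos]
        if length == 0:
            return ".".join(labels).lower()
        if length > 63 or pos + 1 + length > len(payload):  # pointer or truncated label
            return None
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    return None

def leaked_queries(payloads, canary_host):
    """Return every captured query name that equals the canary host."""
    canary = canary_host.lower().rstrip(".")
    return [n for n in map(query_name, payloads) if n == canary]

if __name__ == "__main__":
    host, html = make_canary_page()
    # Constructed capture: one unrelated query, one query for the canary name.
    capture = [build_query("example.org"), build_query(host, qtype=28)]
    print(html)
    print("LEAK" if leaked_queries(capture, host) else "no leak", host)
```

Because the token is random per run, a match in the capture can only come from the browser acting on the prefetch hint, not from cached or background lookups.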

Comment 4 David Walser 2019-09-05 14:07:02 CEST
A links 2.20.1 hotfix (dealing with its interaction with libevent) came out.  It's being updated in Cauldron now.  We should probably update the update candidate too.

Comment 5 Thomas Backlund 2019-09-06 20:12:49 CEST
Dropping ok until 2.20.1 is built / tested

Whiteboard: MGA6TOO MGA7-64-OK => MGA6TOO
CC: (none) => tmb

Comment 6 Herman Viaene 2019-09-09 11:06:20 CEST
MGA6-64 Plasma on Lenovo B50
Installing 2.20 versions without issues
First used links-text as is, works OK.
Then installed and activated Tor and used links-graphics.
Pointing to www.google.be results in a page mentioning unusual operations, and I couldn't get any further.
Pointed then to my own pages on my own desktop running httpd with for all purposes default settings (except Document root): access was simply refused.
Pointed then to my webspace on my ISP's sites: worked flawlessly.
So I can't see anything wrong with links. The fact that when Tor is activated, some sites block this off seems as far as this update is concerned not a problem.

Whiteboard: MGA6TOO => MGA6TOO MGA6-64-OK
CC: (none) => herman.viaene

Comment 7 Thomas Andrews 2019-09-11 22:44:04 CEST
In Mageia 7 Plasma, 64-bit:

The following 3 packages are going to be installed:

- links-2.20-1.mga7.x86_64
- links-common-2.20-1.mga7.x86_64
- links-graphic-2.20-1.mga7.x86_64

Install was clean. I don't use links, so wouldn't know a regression if it hit me in the nose. But, based on it working in Comment 6, and a clean install in Mageia 7, I am OKing it for M7 and validating. Advisories in Comments 2 and 3.

Whiteboard: MGA6TOO MGA6-64-OK => MGA6TOO, MGA7-64-OK MGA6-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2019-09-12 19:04:28 CEST

Keywords: (none) => advisory

Comment 8 Mageia Robot 2019-09-12 21:11:37 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0270.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED