Bug 6593

Summary: links does not verify SSL certificates
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: derekjenn, sysadmin-bugs, tmb
Version: 2Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/503591/
Whiteboard: MGA1TOO mga1-64-OK mga1-32-OK mga2-32-OK mga2-64-OK
Source RPM: links-2.2-10.mga1.src.rpm CVE:
Status comment:

Description David Walser 2012-06-27 00:25:43 CEST 
Debian released an update for links in July 2010 to correct this issue.

According to Gentoo, it was finally fixed upstream in 2.6 (which is in Mageia 2):
http://www.gentoo.org/security/en/glsa/glsa-201206-32.xml

I have applied the patch from Debian for 2.2 to work around it for Mageia 1.

Advisory:
========================

Updated links packages fix security vulnerability:

A security issue has been discovered in Links, which can be exploited
by malicious people to conduct spoofing attacks. The problem is that
the certificate presented by a server at the beginning of an SSL
session is not verified. This can be exploited to spoof valid servers
via a man-in-the-middle attack (SA33391).

References:
http://secunia.com/Advisories/33391/
========================

Updated packages in core/updates_testing:
========================
links-2.2-10.1.mga1
links-graphic-2.2-10.1.mga1
links-common-2.2-10.1.mga1

from links-2.2-10.1.mga1.src.rpm
Comment 1 Derek Jennings 2012-07-03 12:24:42 CEST 
OK on mga1 x86_64

Test Procedure
Confirmed bug in original links by connecting to a site under my control which does not have a valid SSL certificate

links https://www.cabinpainting.co.uk

links does not complain about the SSL cert

Upgraded to links-2.2-10.1mga1 and repeated.
Links says "Error loadimg https://www.cabinpainting.co.uk SSL error"

However the bad news is that if I repeat the test on mga2 with links-2.6-1.mga2 then links does not complain, so it seems mga2 is affected after all.

CC: (none) => derekjenn
Whiteboard: (none) => mga1-64-OK

Comment 2 David Walser 2012-07-03 15:17:23 CEST 
Oh my!  Thanks for checking Derek.  I re-diffed the patch for links 2.6.

Advisory:
========================

Updated links packages fix security vulnerability:

A security issue has been discovered in Links, which can be exploited
by malicious people to conduct spoofing attacks. The problem is that
the certificate presented by a server at the beginning of an SSL
session is not verified. This can be exploited to spoof valid servers
via a man-in-the-middle attack (SA33391).

References:
http://secunia.com/Advisories/33391/
========================

Updated packages in core/updates_testing:
========================
links-2.2-10.1.mga1
links-graphic-2.2-10.1.mga1
links-common-2.2-10.1.mga1
links-2.6-1.1.mga2
links-graphic-2.6-1.1.mga2
links-common-2.6-1.1.mga2

from SRPMS:
links-2.2-10.1.mga1.src.rpm
links-2.6-1.1.mga2.src.rpm

Version: 1 => 2
Summary: links 2.2 does not verify SSL certificates => links does not verify SSL certificates
Whiteboard: mga1-64-OK => MGA1TOO mga1-64-OK

Comment 3 Derek Jennings 2012-07-03 17:13:08 CEST 
Thats better! Thanks David
Validated for Mageia 1 64 and 32 bit, and Mageia2 64 and 32 bit

Could someone from sysadmin please push  links-2.2-10.1.mga1.src.rpm from Mageia 1 core/updates/testing to mageia 1 core/updates
and links-2.2-10.1.mga1.src.rpm from mageia2 core/updates/testing to mageia2 core/updates

Advisory:
========================

Updated links packages fix security vulnerability:

A security issue has been discovered in Links, which can be exploited
by malicious people to conduct spoofing attacks. The problem is that
the certificate presented by a server at the beginning of an SSL
session is not verified. This can be exploited to spoof valid servers
via a man-in-the-middle attack (SA33391).

References:
http://secunia.com/Advisories/33391/

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1TOO mga1-64-OK => MGA1TOO mga1-64-OK mga1-32-OK mga2-32-OK mga2-64-OK

Comment 4 Thomas Backlund 2012-07-10 01:01:34 CEST 
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0150

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED