Bug 8252

Summary: lynx new security issue CVE-2012-5821
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: major    
Priority: Normal CC: sysadmin-bugs, tmb
Version: 2Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/527723/
Whiteboard: MGA1TOO mga2-32-OK mga2-64-OK mga1-32-OK mga1-64-OK
Source RPM: lynx-2.8.7-4.mga1.src.rpm CVE:
Status comment:

Description David Walser 2012-11-30 17:24:22 CET 
Ubuntu has issued an advisory on November 29:
http://www.ubuntu.com/usn/usn-1642-1/

Updated package uploaded for Cauldron.

Patched package uploaded for Mageia 1 and Mageia 2.

Advisory:
========================

Updated lynx package fixes security vulnerability:

Lynx does not verify that the server's certificate is signed by a trusted
certification authority, which allows man-in-the-middle attackers to spoof
SSL servers via a crafted certificate, related to improper use of a certain
GnuTLS function (CVE-2012-5821).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5821
http://www.ubuntu.com/usn/usn-1642-1/
========================

Updated packages in core/updates_testing:
========================
lynx-2.8.7-4.1.mga1
lynx-2.8.7-4.1.mga2

from SRPMS:
lynx-2.8.7-4.1.mga1.src.rpm
lynx-2.8.7-4.1.mga2.src.rpm
David Walser 2012-11-30 17:24:40 CET

Whiteboard: (none) => MGA1TOO

Comment 1 claire robinson 2012-11-30 17:55:03 CET 
No PoC so just checking lynx with https
Comment 2 claire robinson 2012-11-30 18:01:36 CET 
Testing complete mga2 32 & 64

Tested with properly signed and self signed https
claire robinson 2012-11-30 18:02:11 CET

Whiteboard: MGA1TOO => MGA1TOO mga2-32-OK mga2-64-OK

Comment 3 claire robinson 2012-11-30 18:14:28 CET 
Testing complete mga1 32 & 64 same way

Validating

Advisory and srpms for mga1 & 2 in comment 0

Could sysadmin please push from core/updates_testing to core/updates

Thanks!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1TOO mga2-32-OK mga2-64-OK => MGA1TOO mga2-32-OK mga2-64-OK mga1-32-OK mga1-64-OK

David Walser 2012-11-30 20:16:00 CET

URL: (none) => http://lwn.net/Vulnerabilities/527723/

Comment 4 Thomas Backlund 2012-11-30 23:36:32 CET 
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0351

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED