Fedora issued an advisory on October 6: https://lists.fedoraproject.org/pipermail/package-announce/2013-October/119053.html

The patch Fedora added doesn't look valid for us, as they don't use openssl, but use nss_compat_ossl (not sure what that is exactly, but I guess it's some way of using nss) which their patch depends on. The upstream change to fix this with openssl does not apply cleanly to pre5 or pre6 (which we should update to BTW):

http://pkgs.fedoraproject.org/cgit/elinks.git/tree/elinks-0.12pre6-ssl-hostname.patch
http://repo.or.cz/w/elinks.git/commitdiff/0c3f3e09
https://bugzilla.redhat.com/show_bug.cgi?id=881411
https://bugzilla.redhat.com/show_bug.cgi?id=881399
Whiteboard: (none) => MGA3TOO, MGA2TOO
Blocks: (none) => 11726
Removing Mageia 2 from the whiteboard due to EOL. http://blog.mageia.org/en/2013/11/21/farewell-mageia-2/
Whiteboard: MGA3TOO, MGA2TOO => MGA3TOO
Hi David,

(In reply to David Walser from comment #1)
> Removing Mageia 2 from the whiteboard due to EOL.
>
> http://blog.mageia.org/en/2013/11/21/farewell-mageia-2/

This should be fixed in the Cauldron svn repository in:

[Q]
Path: .
Working Copy Root Path: /home/shlomif/Download/unpack/Mageia/elinks
URL: svn+ssh://svn.mageia.org/svn/packages/cauldron/elinks/current
Relative URL: ^/cauldron/elinks/current
Repository Root: svn+ssh://svn.mageia.org/svn/packages
Repository UUID: 01bf705a-734c-4999-978a-dc8ab10ec44d
Revision: 564555
Node Kind: directory
Schedule: normal
Last Changed Author: shlomif
Last Changed Rev: 564555
Last Changed Date: 2014-01-04 13:54:33 +0200 (Sat, 04 Jan 2014)
[/Q]

What I did was update to -pre6 and forward-port the patch (which was somewhat time consuming but doable). Should it be tested now? Should I submit it as a freeze request?

Regards,

-- Shlomi Fish
CC: (none) => shlomif
(In reply to Shlomi Fish from comment #2)
> What I did was update to -pre6 and forward-port the patch (which was
> somewhat time consuming but doable). Should it be tested now? Should I
> submit it as a freeze request?

I assume you mean the upstream patch. Yes, send a freeze push request for Cauldron. Thank you so much for working on this! You could also make the same changes in Mageia 3 SVN and build it in updates_testing there, to help it get wider testing (and obviously that'll be needed so that we can do the security update for Mageia 3).
Hi David,

(In reply to David Walser from comment #3)
> (In reply to Shlomi Fish from comment #2)
> > What I did was update to -pre6 and forward-port the patch (which was
> > somewhat time consuming but doable). Should it be tested now? Should I
> > submit it as a freeze request?
>
> I assume you mean the upstream patch.

Yes, the one from git.

> Yes, send a freeze push request for
> Cauldron.

I sent it. Thanks.

> Thank you so much for working on this! You could also make the
> same changes in Mageia 3 SVN and build it in updates_testing there, to help
> it get wider testing (and obviously that'll be needed so that we can do the
> security update for Mageia 3).

Done: http://pkgsubmit.mageia.org/ - elinks-0.12-1.mga3 has now been uploaded to core/updates_testing (after I did an svn merge).

Regards,

-- Shlomi Fish
Just noting that it's now elinks-0.12-3.1.mga3 in updates_testing.
elinks-0.12-7.mga4 uploaded for Cauldron.
Version: Cauldron => 3
Blocks: 11726 => (none)
Whiteboard: MGA3TOO => (none)
Advisory:
========================

Updated elinks package fixes security vulnerability:

When verifying SSL certificates, elinks fails to warn the user if the hostname of the certificate does not match the hostname of the website.

The elinks package has been updated to version 0.12-pre6 and patched to fix this issue.

References:
https://lists.fedoraproject.org/pipermail/package-announce/2013-October/119053.html
========================

Updated packages in core/updates_testing:
========================
elinks-0.12-3.1.mga3 from elinks-0.12-3.1.mga3.src.rpm
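The advisory describes a browser that accepted a certificate issued for some other host name; the check elinks was missing is the name comparison below. This is an added example, not elinks or Mageia code: it reimplements the RFC 6125 matching rules (wildcard only as the whole left-most label, IP literals only via IP Address SANs) over constructed certificate records shaped like Python's `ssl.getpeercert()` output.

```python
"""Hostname-vs-certificate name check of the kind elinks was missing.

Added example, not elinks code. Certificate records are constructed dicts
shaped like Python's ssl.getpeercert() output; nothing is fetched."""
import ipaddress


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against a hostname (RFC 6125 rules).

    A single '*' is allowed only as the entire left-most label and only when
    at least two labels follow, so '*.example.org' matches 'www.example.org'
    but not 'example.org' or 'a.b.example.org'."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lab for lab in p_labels[1:]):
        return False  # wildcard must be the whole left-most label, nowhere else
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_names(cert: dict) -> list:
    """Names the certificate claims: DNS SANs, else the subject CN as fallback."""
    sans = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True only if the certificate was issued for hostname; the step elinks skipped."""
    try:
        ipaddress.ip_address(hostname)
    except ValueError:  # a DNS name: compare against DNS SANs / CN
        return any(dns_name_matches(name, hostname) for name in cert_names(cert))
    # an IP literal must appear verbatim as an IP Address SAN, never via the CN
    return hostname in [v for (k, v) in cert.get("subjectAltName", ()) if k == "IP Address"]


# Constructed sample certificate records (not real certificates).
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.org"),),),
    "subjectAltName": (("DNS", "*.example.org"), ("DNS", "example.org")),
}
OTHER_SITE_CERT = {  # issued for a different site, the case the advisory describes
    "subject": ((("commonName", "www.other.test"),),),
    "subjectAltName": (("DNS", "www.other.test"),),
}
```

A client that only checks the chain and expiry, as the unpatched elinks did, would accept OTHER_SITE_CERT for www.example.org; the name check is what rejects it.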
Assignee: bugsquad => qa-bugs
Working on it.
CC: (none) => ennael1
Tested mga3-64. Attempted to go to https://tv.eurosport.com, which has an expired certificate: error replied. https://bugs.mageia.org loads normally for a text-based browser.
CC: (none) => wrw105
Whiteboard: (none) => mga3-64-OK
OK, I let it down then.
Tested mga3-32 as in comment 9. Replies as above. Sorry Anne! MrsB recommended that I take a look at this this morning as part of our "clean out updates" push! Ready for advisory upload to svn and validation.
Whiteboard: mga3-64-OK => mga3-64-OK mga3-32-ok
Is there a CVE for this? It's given a Grave security rating at Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=694658

Advisory uploaded without CVE.

Validating. Could sysadmin please push from 3 core/updates_testing to updates.

Thanks
Keywords: (none) => validated_update
Whiteboard: mga3-64-OK mga3-32-ok => advisory mga3-64-OK mga3-32-ok
CC: (none) => sysadmin-bugs
Thanks. No CVE that I'm aware of.
Update pushed: http://advisories.mageia.org/MGASA-2014-0014.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED