Debian has issued an advisory on November 30:
http://www.debian.org/security/2013/dsa-2807

The issue was fixed upstream in 2.8, which we have in Cauldron.

Patched package uploaded for Mageia 3.

As the Debian advisory suggests, only the links-graphic subpackage is affected.

Advisory:
========================

Updated links packages fix security vulnerability:

Mikulas Patocka discovered an integer overflow in the parsing of HTML tables in the Links web browser. This can only be exploited when running Links in graphical mode (CVE-2013-6050).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6050
http://www.debian.org/security/2013/dsa-2807
========================

Updated packages in core/updates_testing:
========================
links-2.7-4.1.mga3
links-graphic-2.7-4.1.mga3
links-common-2.7-4.1.mga3

from links-2.7-4.1.mga3.src.rpm
Advisory 11855.adv committed to svn.
CC: (none) => davidwhodgins
Whiteboard: (none) => advisory
Testing complete on Mageia 3 i586 and x86_64. Someone from the sysadmin team please push 11855.adv to updates.
Keywords: (none) => validated_update
Whiteboard: advisory => advisory MGA3-64-OK MGA3-32-OK
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2013-0364.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
links-hacked-0.0.031220-35.mga3.src.rpm is unaffected?
CC: (none) => oe
(In reply to Oden Eriksson from comment #4)
> links-hacked-0.0.031220-35.mga3.src.rpm is unaffected?

I have no idea. The upstream website looks like it hasn't been updated in years, you can't get a directory listing of the upstream downloads directory, or anything else with a listing of versions, the source tarball has no URL. I'm not a big fan of packaging strange forks like this. There's also elinks...