Bug 25378 - links 2.20 fixes security issue leaking DNS queries when used with Tor
Summary: links 2.20 fixes security issue leaking DNS queries when used with Tor
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6TOO, MGA7-64-OK MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-08-29 13:15 CEST by David Walser
Modified: 2019-09-12 21:11 CEST

See Also:
Source RPM: links-2.19-1.mga7.src.rpm
CVE:
Status comment: Fixed upstream in 2.20


Description David Walser 2019-08-29 13:15:03 CEST
Links 2.20 has been released on August 26:
http://links.twibright.com/download/ChangeLog

It fixes one security issue.

Mageia 6 is also affected.
David Walser 2019-08-29 13:15:23 CEST

Status comment: (none) => Fixed upstream in 2.20
Whiteboard: (none) => MGA6TOO

Comment 1 Stig-Ørjan Smelror 2019-08-29 14:10:42 CEST
Advisory
========

Security bug fixed: when links was connected to Tor, it would send real DNS requests outside the Tor network when the displayed page contains <link rel="dns-prefetch" href="http://host.domain/">.


References
==========

http://links.twibright.com/download/ChangeLog


Files
=====

Uploaded to core/updates_testing

links-2.20-1.mga7
links-graphic-2.20-1.mga7
links-common-2.20-1.mga7

from links-2.20-1.mga7.src.rpm
Comment 2 Stig-Ørjan Smelror 2019-08-29 14:11:29 CEST
Advisory
========

Security bug fixed: when links was connected to Tor, it would send real DNS requests outside the Tor network when the displayed page contains <link rel="dns-prefetch" href="http://host.domain/">.


References
==========

http://links.twibright.com/download/ChangeLog


Files
=====

Uploaded to core/updates_testing

links-2.20-1.mga6
links-graphic-2.20-1.mga6
links-common-2.20-1.mga6

from links-2.20-1.mga6.src.rpm

Assignee: smelror => qa-bugs

Comment 3 PC LX 2019-09-04 12:55:24 CEST
Installed and tested without issues.

Tested with and without a Tor proxy. Tried to use online DNS leak tests but none of the ones I tried worked, probably due to lack of JavaScript or some other incompatibility.

Since I have a local DNS server, I checked if the local addresses were visible, and when using Tor they were not visible. Also used Wireshark to check for DNS requests and didn't see any when using a Tor proxy.

For now that is the best I can do to check for any DNS leaks. If anyone has a better method, I will try it.


System: Mageia 7, x86_64, Intel CPU.


$ uname -a
Linux marte 5.2.10-desktop-1.mga7 #1 SMP Sun Aug 25 17:14:00 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | egrep ^links
links-2.19-1.mga7
links-common-2.19-1.mga7

CC: (none) => mageia
Whiteboard: MGA6TOO => MGA6TOO MGA7-64-OK
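
Added example, not part of the bug thread or of links: one way to make the Wireshark check from Comment 3 targeted. It builds a test page whose only external reference is a dns-prefetch hint for a unique canary host, then scans raw DNS messages (UDP port 53 payloads exported from a capture on the outbound interface) for that name. The domain leaktest.example, the function names and the sample query builder are assumptions constructed for illustration.

```python
import struct
import uuid

def make_canary_page(domain="leaktest.example"):  # placeholder domain (assumption)
    """Return (host, html); the page's only external reference is a dns-prefetch hint."""
    host = f"{uuid.uuid4().hex[:12]}.{domain}"
    html = (f'<html><head><link rel="dns-prefetch" href="http://{host}/">'
            "</head><body>dns-prefetch leak test</body></html>")
    return host, html

def parse_qname(payload):
    """Return the first question name of a raw DNS query, lower-cased."""
    if len(payload) < 12:
        raise ValueError("shorter than a DNS header")
    flags, qdcount = struct.unpack("!HH", payload[2:6])
    if flags & 0x8000 or qdcount < 1:
        raise ValueError("response, or no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            raise ValueError("truncated name")
        length = payload[pos]
        pos += 1
        if length == 0:
            return ".".join(labels).lower()
        if length & 0xC0 or pos + length > len(payload):
            raise ValueError("pointer or truncated label")
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length

def leaked_queries(payloads, canary):
    """Names queried in cleartext that equal the canary host or sit below it."""
    canary, hits = canary.lower(), []
    for raw in payloads:
        try:
            name = parse_qname(raw)
        except ValueError:
            continue  # not a well-formed DNS query; ignore
        if name == canary or name.endswith("." + canary):
            hits.append(name)
    return hits

def build_query(name, txid=0x1234):
    """Constructed sample input: a standard recursive A query for `name`."""
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    for label in name.split("."):
        msg += bytes([len(label)]) + label.encode("ascii")
    return msg + b"\x00" + struct.pack("!HH", 1, 1)
```

Any hit while the page is loaded through the Tor proxy means the hint was resolved outside the proxy, which is the leak the advisory describes.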

Comment 4 David Walser 2019-09-05 14:07:02 CEST
A links 2.20.1 hotfix (dealing with its interaction with libevent) came out.  It's being updated in Cauldron now.  We should probably update the update candidate too.
Comment 5 Thomas Backlund 2019-09-06 20:12:49 CEST
Dropping ok until 2.20.1 is built / tested

Whiteboard: MGA6TOO MGA7-64-OK => MGA6TOO
CC: (none) => tmb

Comment 6 Herman Viaene 2019-09-09 11:06:20 CEST
MGA6-64 Plasma on Lenovo B50
Installing 2.20 versions without issues
First used links-text as is, works OK.
Then installed and activated Tor and used links-graphics.
Pointing to www.google.be results in a page mentioning unusual operations, and I couldn't get any further.
Pointed then to my own pages on my own desktop running httpd with for all purposes default settings (except Document root): access was simply refused.
Pointed then to my webspace on my ISP's sites: worked flawlessly.
So I can't see anything wrong with links. The fact that when Tor is activated, some sites block this off seems as far as this update is concerned not a problem.

Whiteboard: MGA6TOO => MGA6TOO MGA6-64-OK
CC: (none) => herman.viaene

Comment 7 Thomas Andrews 2019-09-11 22:44:04 CEST
In Mageia 7 Plasma, 64-bit:

The following 3 packages are going to be installed:

- links-2.20-1.mga7.x86_64
- links-common-2.20-1.mga7.x86_64
- links-graphic-2.20-1.mga7.x86_64

Install was clean. I don't use links, so wouldn't know a regression if it hit me in the nose. But, based on it working in Comment 6, and a clean install in Mageia 7, I am OKing it for M7 and validating. Advisories in Comments 2 and 3.

Whiteboard: MGA6TOO MGA6-64-OK => MGA6TOO, MGA7-64-OK MGA6-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2019-09-12 19:04:28 CEST

Keywords: (none) => advisory

Comment 8 Mageia Robot 2019-09-12 21:11:37 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0270.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

