Debian released an update for links in July 2010 to correct this issue.

According to Gentoo, it was finally fixed upstream in 2.6 (which is in Mageia 2):
http://www.gentoo.org/security/en/glsa/glsa-201206-32.xml

I have applied the patch from Debian for 2.2 to work around it for Mageia 1.

Advisory:
========================

Updated links packages fix security vulnerability:

A security issue has been discovered in Links, which can be exploited by malicious people to conduct spoofing attacks. The problem is that the certificate presented by a server at the beginning of an SSL session is not verified. This can be exploited to spoof valid servers via a man-in-the-middle attack (SA33391).

References:
http://secunia.com/Advisories/33391/
========================

Updated packages in core/updates_testing:
========================
links-2.2-10.1.mga1
links-graphic-2.2-10.1.mga1
links-common-2.2-10.1.mga1

from links-2.2-10.1.mga1.src.rpm

OK on mga1 x86_64

Test Procedure

Confirmed bug in original links by connecting to a site under my control which does not have a valid SSL certificate:

links https://www.cabinpainting.co.uk

links does not complain about the SSL cert.

Upgraded to links-2.2-10.1mga1 and repeated. Links says "Error loading https://www.cabinpainting.co.uk SSL error"

However, the bad news is that if I repeat the test on mga2 with links-2.6-1.mga2 then links does not complain, so it seems mga2 is affected after all.

CC: (none) => derekjenn
Whiteboard: (none) => mga1-64-OK

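The test procedure above depends on an external site with an invalid certificate. As an added example (not part of the bug report or the Mageia QA tooling), the same check can be reproduced locally: the script serves a throwaway self-signed certificate with `openssl s_server` and compares a client that does not enforce verification with one that does. It uses `openssl s_client` as a stand-in client; the function names and port 14433 are assumptions.

```shell
#!/bin/sh
# Added example. Constructed test data: a throwaway self-signed certificate
# for CN=localhost. PORT 14433 is an assumed free local port.
PORT="${PORT:-14433}"

# Exit status 0 means the client completed the handshake, i.e. it accepted
# the certificate. Extra arguments are passed to openssl s_client.
client_accepts() {
    openssl s_client -connect "127.0.0.1:$PORT" "$@" </dev/null >/dev/null 2>&1
}

start_untrusted_server() {
    WORK=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=localhost" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1 || return 1
    openssl s_server -accept "$PORT" -cert "$WORK/cert.pem" \
        -key "$WORK/key.pem" -www >/dev/null 2>&1 &
    SERVER_PID=$!
    tries=0
    # Wait until the listener answers a TLS handshake (about 10 s at most).
    until client_accepts; do
        tries=$((tries + 1))
        [ "$tries" -lt 10 ] || return 1
        sleep 1
    done
}

stop_untrusted_server() {
    kill "$SERVER_PID" 2>/dev/null
    wait "$SERVER_PID" 2>/dev/null
    rm -rf "$WORK"
}

# Prints one verdict per client mode; returns 0 only if the verifying client
# refuses the untrusted certificate.
check_untrusted_cert_handling() {
    start_untrusted_server || { echo "setup failed"; stop_untrusted_server; return 2; }
    if client_accepts; then LAX=accepted; else LAX=refused; fi
    if client_accepts -verify_return_error; then STRICT=accepted; else STRICT=refused; fi
    stop_untrusted_server
    echo "verification not enforced: $LAX"
    echo "verification enforced:     $STRICT"
    [ "$STRICT" = refused ]
}
```

To test a browser package itself, call `start_untrusted_server`, point the client at `https://127.0.0.1:14433/`, and expect an SSL error as in the report above; then call `stop_untrusted_server`.
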
Oh my! Thanks for checking Derek.

I re-diffed the patch for links 2.6.

Advisory:
========================

Updated links packages fix security vulnerability:

A security issue has been discovered in Links, which can be exploited by malicious people to conduct spoofing attacks. The problem is that the certificate presented by a server at the beginning of an SSL session is not verified. This can be exploited to spoof valid servers via a man-in-the-middle attack (SA33391).

References:
http://secunia.com/Advisories/33391/
========================

Updated packages in core/updates_testing:
========================
links-2.2-10.1.mga1
links-graphic-2.2-10.1.mga1
links-common-2.2-10.1.mga1
links-2.6-1.1.mga2
links-graphic-2.6-1.1.mga2
links-common-2.6-1.1.mga2

from SRPMS:
links-2.2-10.1.mga1.src.rpm
links-2.6-1.1.mga2.src.rpm

Version: 1 => 2
Summary: links 2.2 does not verify SSL certificates => links does not verify SSL certificates
Whiteboard: mga1-64-OK => MGA1TOO mga1-64-OK

That's better! Thanks David

Validated for Mageia 1 64 and 32 bit, and Mageia2 64 and 32 bit

Could someone from sysadmin please push links-2.2-10.1.mga1.src.rpm from Mageia 1 core/updates/testing to mageia 1 core/updates and links-2.2-10.1.mga1.src.rpm from mageia2 core/updates/testing to mageia2 core/updates

Advisory:
========================

Updated links packages fix security vulnerability:

A security issue has been discovered in Links, which can be exploited by malicious people to conduct spoofing attacks. The problem is that the certificate presented by a server at the beginning of an SSL session is not verified. This can be exploited to spoof valid servers via a man-in-the-middle attack (SA33391).

References:
http://secunia.com/Advisories/33391/

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1TOO mga1-64-OK => MGA1TOO mga1-64-OK mga1-32-OK mga2-32-OK mga2-64-OK

Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0150
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED