Bug 6593 - links does not verify SSL certificates
: links does not verify SSL certificates
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
:
: http://lwn.net/Vulnerabilities/503591/
: MGA1TOO mga1-64-OK mga1-32-OK mga2-32...
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2012-06-27 00:25 CEST by David Walser
Modified: 2012-07-10 01:01 CEST (History)
3 users (show)

See Also:
Source RPM: links-2.2-10.mga1.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2012-06-27 00:25:43 CEST
Debian released an update for links in July 2010 to correct this issue.

According to Gentoo, it was finally fixed upstream in 2.6 (which is in Mageia 2):
http://www.gentoo.org/security/en/glsa/glsa-201206-32.xml

I have applied the patch from Debian for 2.2 to work around it for Mageia 1.

Advisory:
========================

Updated links packages fix security vulnerability:

A security issue has been discovered in Links, which can be exploited
by malicious people to conduct spoofing attacks. The problem is that
the certificate presented by a server at the beginning of an SSL
session is not verified. This can be exploited to spoof valid servers
via a man-in-the-middle attack (SA33391).

References:
http://secunia.com/Advisories/33391/
========================

Updated packages in core/updates_testing:
========================
links-2.2-10.1.mga1
links-graphic-2.2-10.1.mga1
links-common-2.2-10.1.mga1

from links-2.2-10.1.mga1.src.rpm
Comment 1 Derek Jennings 2012-07-03 12:24:42 CEST
OK on mga1 x86_64

Test Procedure
Confirmed bug in original links by connecting to a site under my control which does not have a valid SSL certificate

links https://www.cabinpainting.co.uk

links does not complain about the SSL cert

Upgraded to links-2.2-10.1mga1 and repeated.
Links says "Error loadimg https://www.cabinpainting.co.uk SSL error"

However the bad news is that if I repeat the test on mga2 with links-2.6-1.mga2 then links does not complain, so it seems mga2 is affected after all.
Comment 2 David Walser 2012-07-03 15:17:23 CEST
Oh my!  Thanks for checking Derek.  I re-diffed the patch for links 2.6.

Advisory:
========================

Updated links packages fix security vulnerability:

A security issue has been discovered in Links, which can be exploited
by malicious people to conduct spoofing attacks. The problem is that
the certificate presented by a server at the beginning of an SSL
session is not verified. This can be exploited to spoof valid servers
via a man-in-the-middle attack (SA33391).

References:
http://secunia.com/Advisories/33391/
========================

Updated packages in core/updates_testing:
========================
links-2.2-10.1.mga1
links-graphic-2.2-10.1.mga1
links-common-2.2-10.1.mga1
links-2.6-1.1.mga2
links-graphic-2.6-1.1.mga2
links-common-2.6-1.1.mga2

from SRPMS:
links-2.2-10.1.mga1.src.rpm
links-2.6-1.1.mga2.src.rpm
Comment 3 Derek Jennings 2012-07-03 17:13:08 CEST
Thats better! Thanks David
Validated for Mageia 1 64 and 32 bit, and Mageia2 64 and 32 bit

Could someone from sysadmin please push  links-2.2-10.1.mga1.src.rpm from Mageia 1 core/updates/testing to mageia 1 core/updates
and links-2.2-10.1.mga1.src.rpm from mageia2 core/updates/testing to mageia2 core/updates

Advisory:
========================

Updated links packages fix security vulnerability:

A security issue has been discovered in Links, which can be exploited
by malicious people to conduct spoofing attacks. The problem is that
the certificate presented by a server at the beginning of an SSL
session is not verified. This can be exploited to spoof valid servers
via a man-in-the-middle attack (SA33391).

References:
http://secunia.com/Advisories/33391/
Comment 4 Thomas Backlund 2012-07-10 01:01:34 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0150

Note You need to log in before you can comment on or make changes to this bug.