Bug 8252 - lynx new security issue CVE-2012-5821
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assigned To: QA Team
URL: http://lwn.net/Vulnerabilities/527723/
Whiteboard: MGA1TOO mga2-32-OK mga2-64-OK mga1-32...
Keywords: validated_update

Reported: 2012-11-30 17:24 CET by David Walser
Modified: 2012-11-30 23:36 CET
Source RPM: lynx-2.8.7-4.mga1.src.rpm

Description David Walser 2012-11-30 17:24:22 CET
Ubuntu has issued an advisory on November 29:
http://www.ubuntu.com/usn/usn-1642-1/

Updated package uploaded for Cauldron.

Patched package uploaded for Mageia 1 and Mageia 2.

Advisory:
========================

Updated lynx package fixes security vulnerability:

Lynx does not verify that the server's certificate is signed by a trusted
certification authority, which allows man-in-the-middle attackers to spoof
SSL servers via a crafted certificate, related to improper use of a certain
GnuTLS function (CVE-2012-5821).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5821
http://www.ubuntu.com/usn/usn-1642-1/
========================

Updated packages in core/updates_testing:
========================
lynx-2.8.7-4.1.mga1
lynx-2.8.7-4.1.mga2

from SRPMS:
lynx-2.8.7-4.1.mga1.src.rpm
lynx-2.8.7-4.1.mga2.src.rpm
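
Added example (not part of this bug report, the Lynx source or the Mageia patch): a self-contained C model of the class of mistake the advisory describes, where a verification call reports the trust verdict through an out-parameter and the caller only looks at the return code. It assumes the function in question follows the documented contract of `gnutls_certificate_verify_peers2` (return value below zero on a call error, trust result in a status bitmask); `model_verify_peer`, the `accept_peer_*` functions and the constant values are hypothetical stand-ins so the example runs without GnuTLS.

```c
#include <stdio.h>

/* Stand-ins for the library's status bits and error code (constructed). */
#define CERT_INVALID          (1u << 1)
#define CERT_SIGNER_NOT_FOUND (1u << 6)
#define E_NO_CERTIFICATE      (-1)

/* Hypothetical model of the verify call: the return value only reports
 * whether verification could run; the trust verdict goes to *status. */
static int model_verify_peer(int have_cert, int trusted_ca, unsigned *status)
{
    *status = 0;
    if (!have_cert)
        return E_NO_CERTIFICATE;
    if (!trusted_ca)
        *status = CERT_INVALID | CERT_SIGNER_NOT_FOUND;
    return 0;
}

/* Flawed: status is examined only on the error path, so an untrusted
 * certificate that was processed without error is accepted. 1 = accept. */
int accept_peer_flawed(int have_cert, int trusted_ca)
{
    unsigned status;
    if (model_verify_peer(have_cert, trusted_ca, &status) < 0) {
        if (status & CERT_SIGNER_NOT_FOUND)
            fprintf(stderr, "no issuer was found\n");
        return 0;
    }
    return 1;
}

/* Checked: reject on a call error and on any non-zero status bit. */
int accept_peer_checked(int have_cert, int trusted_ca)
{
    unsigned status;
    if (model_verify_peer(have_cert, trusted_ca, &status) < 0)
        return 0;
    return status == 0;
}

int main(void)
{
    printf("self-signed: flawed=%d checked=%d\n",
           accept_peer_flawed(1, 0), accept_peer_checked(1, 0));
    printf("CA-signed:   flawed=%d checked=%d\n",
           accept_peer_flawed(1, 1), accept_peer_checked(1, 1));
    return 0;
}
```

The two cases printed by `main` correspond to the properly signed and self-signed HTTPS checks used for QA in the comments below.
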
Comment 1 claire robinson 2012-11-30 17:55:03 CET
No PoC so just checking lynx with https
Comment 2 claire robinson 2012-11-30 18:01:36 CET
Testing complete mga2 32 & 64

Tested with properly signed and self signed https
Comment 3 claire robinson 2012-11-30 18:14:28 CET
Testing complete mga1 32 & 64 same way

Validating

Advisory and srpms for mga1 & 2 in comment 0

Could sysadmin please push from core/updates_testing to core/updates

Thanks!
Comment 4 Thomas Backlund 2012-11-30 23:36:32 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0351
