Debian has issued an advisory today (December 28):
http://www.debian.org/security/2012/dsa-2592

Patched package uploaded for Mageia 2 and Cauldron.

Patch also checked into Mageia 1 SVN.

Advisory:
========================

Updated elinks package fixes security vulnerability:

Marko Myllynen discovered that ELinks, a powerful text-mode browser, incorrectly delegates user credentials during GSS-Negotiate (CVE-2012-4545).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4545
http://www.debian.org/security/2012/dsa-2592
========================

Updated packages in core/updates_testing:
========================
elinks-0.12-1.1.mga2

from elinks-0.12-1.1.mga2.src.rpm

I've never heard of GSS-Negotiate before. Found a description at
https://datatracker.ietf.org/doc/rfc4559/

There's no POC that I can find. For testing, just confirming simple web pages are working.

Testing complete on Mageia 2 i586 and x86-64.

Could someone from the sysadmin team push the srpm
elinks-0.12-1.1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates?

Advisory:

Updated elinks package fixes security vulnerability:

Marko Myllynen discovered that ELinks, a powerful text-mode browser, incorrectly delegates user credentials during GSS-Negotiate (CVE-2012-4545).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4545
http://www.debian.org/security/2012/dsa-2592
https://bugs.mageia.org/show_bug.cgi?id=8543

Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
Whiteboard: (none) => MGA2-64-OK MGA2-32-OK

Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0373

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED